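    def testProcess(self):
        """Tests the Process function.

        Creates a fake MRUlist key with a fixed last-written time, runs the
        MRUListEx string plugin on it directly and checks that exactly one
        event is produced, that it carries the plugin name as its parser,
        the fixture's timestamp and the expected entry listing.
        """
        key_path = ('HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
                    'InterestingApp\\MRUlist')
        time_string = '2012-08-28 09:23:49.002031'
        registry_key = self._CreateTestKey(key_path, time_string)

        plugin = mrulistex.MRUListExStringWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        self.assertEqual(storage_writer.number_of_warnings, 0)
        self.assertEqual(storage_writer.number_of_events, 1)

        events = list(storage_writer.GetEvents())

        # A MRUListEx event.
        event = events[0]

        # This should just be the plugin name, as we're invoking it directly,
        # and not through the parser.
        self.assertEqual(event.parser, plugin.plugin_name)

        # Reuse the time string the key was created with, so the expected
        # timestamp cannot drift from the fixture if either is edited.
        self.CheckTimestamp(event.timestamp, time_string)

        # The entries are listed by MRU index; the value names (2, 0, 1) do
        # not follow that index, presumably because the MRUListEx value in
        # _CreateTestKey orders them this way -- confirm against the fixture.
        expected_message = (
            '[{0:s}] '
            'Index: 1 [MRU Value 2]: C:\\looks_legit.exe '
            'Index: 2 [MRU Value 0]: Some random text here '
            'Index: 3 [MRU Value 1]: c:\\evil.exe').format(key_path)
        # The short message is the long one cut at 77 characters plus an
        # ellipsis.
        expected_short_message = '{0:s}...'.format(expected_message[:77])

        self._TestGetMessageStrings(event, expected_message,
                                    expected_short_message)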
    def testFilters(self):
        """Tests the FILTERS class attribute.

        A fake MRUlist key must only be accepted once it holds both a
        MRUListEx value and a numbered value, and a set of unrelated or
        differently structured key paths must never be accepted.
        """
        plugin = mrulistex.MRUListExStringWindowsRegistryPlugin()

        key_path = ('HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
                    'InterestingApp\\MRUlist')
        registry_key = dfwinreg_fake.FakeWinRegistryKey('MRUlist',
                                                        key_path=key_path)

        # An empty key must not match the filters.
        self.assertFalse(self._CheckFiltersOnKeyPath(plugin, registry_key))

        # Add the MRUListEx value and the first numbered value.
        for value_name in ('MRUListEx', '0'):
            fake_value = dfwinreg_fake.FakeWinRegistryValue(value_name)
            registry_key.AddValue(fake_value)

        # With both values present the key matches.
        self.assertTrue(self._CheckFiltersOnKeyPath(plugin, registry_key))

        # Key paths the string plugin must leave alone: a bogus path and two
        # MRU key paths that are presumably covered by other plugins.
        unrelated_key_paths = (
            'HKEY_LOCAL_MACHINE\\Bogus',
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\Shell\\BagMRU',
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\ComDlg32\\OpenSavePidlMRU')
        for key_path in unrelated_key_paths:
            self._AssertNotFiltersOnKeyPath(plugin, key_path)
    def testProcess(self):
        """Tests the Process function.

        Creates a fake MRUlist key, runs the MRUListEx string plugin on it
        directly and compares the single resulting event against the
        expected attribute values.
        """
        key_path = ('HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
                    'InterestingApp\\MRUlist')
        registry_key = self._CreateTestKey(key_path,
                                           '2012-08-28 09:23:49.002031')

        plugin = mrulistex.MRUListExStringWindowsRegistryPlugin()
        storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

        # Exactly one event and no warnings of either kind.
        self.assertEqual(storage_writer.number_of_events, 1)
        self.assertEqual(storage_writer.number_of_extraction_warnings, 0)
        self.assertEqual(storage_writer.number_of_recovery_warnings, 0)

        events = list(storage_writer.GetEvents())
        mrulistex_event = events[0]

        # Entries are listed by MRU index; the value names (2, 0, 1) do not
        # follow that index -- presumably the MRUListEx value in the fixture
        # orders them this way, confirm against _CreateTestKey.
        expected_entries = (
            'Index: 1 [MRU Value 2]: C:\\looks_legit.exe '
            'Index: 2 [MRU Value 0]: Some random text here '
            'Index: 3 [MRU Value 1]: c:\\evil.exe')

        expected_event_values = {
            'data_type': 'windows:registry:mrulistex',
            # Note the seventh fractional digit compared to the six used when
            # the key was created.
            'date_time': '2012-08-28 09:23:49.0020310',
            'entries': expected_entries,
            'key_path': key_path,
            # The key is handed to the plugin directly rather than through
            # the parser, so the parser attribute is just the plugin name.
            'parser': plugin.NAME,
        }

        self.CheckEventValues(
            storage_writer, mrulistex_event, expected_event_values)