def testProcessSoftwareRunOnce(self): """Tests the Process function on a RunOnce key.""" test_file_entry = self._GetTestFileEntry([u'SOFTWARE-RunTests']) key_path = ( u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' u'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin_object = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object, file_entry=test_file_entry) self.assertEqual(len(storage_writer.events), 1) event_object = storage_writer.events[0] self.assertEqual(event_object.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, plugin_object.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-04-06 14:07:27.750000') self.assertEqual(event_object.timestamp, expected_timestamp) expected_message = ( u'[{0:s}] *WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe ' u'-k -rq').format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_object, expected_message, expected_short_message)
def testProcessNtuserRunOnce(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry([u'NTUSER-RunTests.DAT']) key_path = ( u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' u'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin_object = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object, file_entry=test_file_entry) self.assertEqual(len(storage_writer.events), 1) event_object = storage_writer.events[0] self.assertEqual(event_object.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, plugin_object.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-04-05 17:03:53.992061') self.assertEqual(event_object.timestamp, expected_timestamp) expected_message = ( u'[{0:s}] mctadmin: C:\\Windows\\System32\\mctadmin.exe' ).format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_object, expected_message, expected_short_message)
def testProcessNtuserRun(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry([u'NTUSER-RunTests.DAT']) key_path = ( u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' u'Run') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) # Timestamp is: 2012-04-05T17:03:53.992061+00:00 self.assertEqual(event.timestamp, 1333645433992061) expected_message = ( u'[{0:s}] Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe ' u'/autoRun').format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessNtuserRunOnce(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT']) key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 1) self.assertEqual(storage_writer.number_of_extraction_warnings, 0) self.assertEqual(storage_writer.number_of_recovery_warnings, 0) events = list(storage_writer.GetEvents()) expected_event_values = { 'date_time': '2012-04-05 17:03:53.9920616', 'data_type': 'windows:registry:run', 'entries': ['mctadmin: C:\\Windows\\System32\\mctadmin.exe'], # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.NAME } self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessNtuserRunOnce(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT']) key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_errors, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.assertEqual(event.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) self.CheckTimestamp(event.timestamp, '2012-04-05 17:03:53.992062') expected_message = ( '[{0:s}] mctadmin: C:\\Windows\\System32\\mctadmin.exe').format( key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def testProcessSoftwareRunOnce(self): """Tests the Process function on a RunOnce key.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'windows:registry:run', 'entries': [ '*WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe -k -rq'], # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.plugin_name, 'timestamp': '2012-04-06 14:07:27.750000'} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessSoftwareRun(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Run') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin( registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) expected_event_values = { 'data_type': 'windows:registry:run', 'entries': [ ('McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\' 'McAfee\\Host Intrusion Prevention\\FireTray.exe"'), ('VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\' 'VMwareTray.exe"'), ('VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\' 'VMwareUser.exe"')], # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.plugin_name, 'timestamp': '2011-09-16 20:57:09.067576'} self.CheckEventValues(storage_writer, events[0], expected_event_values)
def testProcessSoftwareRun(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Run') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2011-09-16 20:57:09.067576') event_data = self._GetEventDataOfEvent(storage_writer, event) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_data.parser, plugin.plugin_name) self.assertEqual(event_data.data_type, 'windows:registry:run') self.assertEqual(event_data.pathspec, test_file_entry.path_spec) expected_entries = ( 'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\' 'Host Intrusion Prevention\\FireTray.exe" VMware Tools: "C:\\Program ' 'Files\\VMware\\VMware Tools\\VMwareTray.exe" VMware User Process: ' '"C:\\Program Files\\VMware\\VMware Tools\\VMwareUser.exe"') self.assertEqual(event_data.entries, expected_entries) expected_message = ( '[{0:s}] ' 'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\' 'Host Intrusion Prevention\\FireTray.exe" ' 'VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\' 'VMwareTray.exe" ' 'VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\' 'VMwareUser.exe"').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testProcessSoftwareRunOnce(self): """Tests the Process function on a RunOnce key.""" test_file_entry = self._GetTestFileEntry(['SOFTWARE-RunTests']) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-04-06 14:07:27.750000') event_data = self._GetEventDataOfEvent(storage_writer, event) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_data.parser, plugin.plugin_name) self.assertEqual(event_data.data_type, 'windows:registry:run') self.assertEqual(event_data.pathspec, test_file_entry.path_spec) expected_entries = ( '*WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe -k -rq') self.assertEqual(event_data.entries, expected_entries) expected_message = ( '[{0:s}] *WerKernelReporting: %SYSTEMROOT%\\SYSTEM32\\WerFault.exe ' '-k -rq').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testProcessNtuserRun(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry(['NTUSER-RunTests.DAT']) key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Run') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin, file_entry=test_file_entry) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] self.CheckTimestamp(event.timestamp, '2012-04-05 17:03:53.992062') event_data = self._GetEventDataOfEvent(storage_writer, event) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_data.parser, plugin.plugin_name) self.assertEqual(event_data.data_type, 'windows:registry:run') expected_entries = ( 'Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun') self.assertEqual(event_data.entries, expected_entries) expected_message = ( '[{0:s}] Sidebar: %ProgramFiles%\\Windows Sidebar\\Sidebar.exe ' '/autoRun').format(key_path) expected_short_message = '{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_data, expected_message, expected_short_message)
def testProcessSoftwareRun(self): """Tests the Process function on a Run key.""" test_file_entry = self._GetTestFileEntry([u'SOFTWARE-RunTests']) key_path = ( u'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' u'Run') win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin_object = run.AutoRunsPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin_object, file_entry=test_file_entry) self.assertEqual(len(storage_writer.events), 1) event_object = storage_writer.events[0] self.assertEqual(event_object.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, plugin_object.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( u'2011-09-16 20:57:09.067575') self.assertEqual(event_object.timestamp, expected_timestamp) expected_message = ( u'[{0:s}] ' u'McAfee Host Intrusion Prevention Tray: "C:\\Program Files\\McAfee\\' u'Host Intrusion Prevention\\FireTray.exe" ' u'VMware Tools: "C:\\Program Files\\VMware\\VMware Tools\\' u'VMwareTray.exe" ' u'VMware User Process: "C:\\Program Files\\VMware\\VMware Tools\\' u'VMwareUser.exe"').format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event_object, expected_message, expected_short_message)
def testFilters(self): """Tests the FILTERS class attribute.""" plugin = run.AutoRunsPlugin() key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Run') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Run') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunOnce\\Setup') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunServices') self._AssertFiltersOnKeyPath(plugin, key_path) key_path = ( 'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'RunServicesOnce') self._AssertFiltersOnKeyPath(plugin, key_path) self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def setUp(self): """Sets up the needed objects used throughout the test.""" self._plugin = run.AutoRunsPlugin()
def setUp(self): """Makes preparations before running an individual test.""" self._plugin = run.AutoRunsPlugin()