def testCollectWithProgramData(self):
    """Checks Collect when %ProgramData% is already in the knowledge base.

    The knowledge base is seeded with a case-insensitive 'programdata'
    environment variable before the plugin runs. The test expects no
    preprocessing warnings and an 'allusersappdata' environment variable
    carrying the same value as the seeded one.
    """
    expected_value = '%SystemDrive%\\ProgramData'

    plugin = windows.WindowsAllUsersAppDataKnowledgeBasePlugin()

    session = sessions.Session()
    storage_writer = self._CreateTestStorageWriter()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, knowledge_base.KnowledgeBase())

    # Seed %ProgramData%; the assertions below expect the same value back
    # under the 'allusersappdata' name.
    test_mediator.knowledge_base.AddEnvironmentVariable(
        artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='programdata', value=expected_value))

    plugin.Collect(test_mediator)

    self.assertEqual(storage_writer.number_of_preprocessing_warnings, 0)

    collected_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
        'allusersappdata')
    self.assertIsNotNone(collected_variable)
    self.assertEqual(collected_variable.value, expected_value)
def testCollectWithAllUsersProfile(self):
    """Checks Collect when %AllUsersProfile% is already in the knowledge base.

    The knowledge base is seeded with a case-insensitive 'allusersprofile'
    environment variable before the plugin runs. The test expects no
    preprocessing warnings and that 'allusersprofile' still holds the
    seeded value afterwards.
    """
    expected_value = 'C:\\Documents and Settings\\All Users'

    plugin = windows.WindowsAllUsersAppProfileKnowledgeBasePlugin()

    session = sessions.Session()
    storage_writer = self._CreateTestStorageWriter()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, knowledge_base.KnowledgeBase())

    # Pre-populate the variable the assertions below look up again.
    test_mediator.knowledge_base.AddEnvironmentVariable(
        artifacts.EnvironmentVariableArtifact(
            case_sensitive=False, name='allusersprofile',
            value=expected_value))

    plugin.Collect(test_mediator)

    self.assertEqual(storage_writer.number_of_preprocessing_warnings, 0)

    collected_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
        'allusersprofile')
    self.assertIsNotNone(collected_variable)
    self.assertEqual(collected_variable.value, expected_value)
def _RunPreprocessorPluginOnFileSystem(
        self, file_system, mount_point, storage_writer, plugin):
    """Runs a preprocessor plugin against a file system.

    The artifact definition named by the plugin is looked up in the test's
    artifacts registry and must exist; the plugin is then run with a fresh
    session and knowledge base.

    Args:
      file_system (dfvfs.FileSystem): file system to be preprocessed.
      mount_point (dfvfs.PathSpec): mount point path specification that
          refers to the base location of the file system.
      storage_writer (StorageWriter): storage writer.
      plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

    Returns:
      PreprocessMediator: preprocess mediator the plugin was run with.
    """
    definition_name = plugin.ARTIFACT_DEFINITION_NAME
    artifact_definition = self._artifacts_registry.GetDefinitionByName(
        definition_name)
    # Fail early when the registry does not know the plugin's artifact.
    self.assertIsNotNone(artifact_definition)

    test_mediator = mediator.PreprocessMediator(
        sessions.Session(), storage_writer, knowledge_base.KnowledgeBase())

    searcher = file_system_searcher.FileSystemSearcher(
        file_system, mount_point)

    plugin.Collect(test_mediator, artifact_definition, searcher, file_system)

    return test_mediator
def testCollect(self):
    """Checks that the operating system plugin reports 'Windows NT'.

    A fake file system is populated with the SOFTWARE and SYSTEM test files
    at their /Windows/System32/config locations, the plugin is run on it,
    and the 'operating_system' knowledge base value is checked.
    """
    # (location in the fake file system, path segments of the test file)
    registry_files = (
        ('/Windows/System32/config/SOFTWARE', ['SOFTWARE']),
        ('/Windows/System32/config/SYSTEM', ['SYSTEM']),
    )

    file_system_builder = fake_file_system_builder.FakeFileSystemBuilder()
    for location, path_segments in registry_files:
        test_file_path = shared_test_lib.GetTestFilePath(path_segments)
        file_system_builder.AddFileReadData(location, test_file_path)

    fake_file_system = file_system_builder.file_system

    session = sessions.Session()
    test_knowledge_base = knowledge_base.KnowledgeBase()
    storage_writer = fake_writer.FakeStorageWriter()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, test_knowledge_base)

    searcher = file_system_searcher.FileSystemSearcher(
        fake_file_system, fake_path_spec.FakePathSpec(location='/'))

    plugin = generic.DetermineOperatingSystemPlugin()

    storage_writer.Open()
    try:
        plugin.Collect(test_mediator, None, searcher, fake_file_system)
    finally:
        # Always close the writer, also when Collect raises.
        storage_writer.Close()

    detected_value = test_mediator.knowledge_base.GetValue(
        'operating_system')
    self.assertEqual(detected_value, 'Windows NT')
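def testProducePreprocessingWarning(self):
    """Tests the ProducePreprocessingWarning method.

    The test only checks that producing a warning on an open storage writer
    does not raise; it makes no assertion about what was stored.
    """
    session = sessions.Session()
    storage_writer = fake_writer.FakeStorageWriter()
    knowledge_base_object = knowledge_base.KnowledgeBase()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, knowledge_base_object)

    storage_writer.Open()
    try:
        test_mediator.ProducePreprocessingWarning(
            'test_plugin', 'test message')
    finally:
        # Close the writer even when the call fails, so the test does not
        # leave an open storage writer behind.
        storage_writer.Close()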
def PreprocessSources(
        self, artifact_definitions_path, custom_artifacts_path,
        source_path_specs, session, storage_writer, resolver_context=None):
    """Preprocesses the sources.

    Each source is handled on its own: when its file system cannot be
    opened, or its operating system cannot be determined, the error is
    logged and that source is skipped while the remaining sources are still
    processed. Skipped sources are therefore only visible in the log.
    Preprocessing plugins run only on sources whose operating system family
    is known. When at least one operating system was detected, the first
    one is stored in the knowledge base as 'operating_system'.

    Args:
      artifact_definitions_path (str): path to artifact definitions
          directory or file.
      custom_artifacts_path (str): path to custom artifact definitions
          directory or file.
      source_path_specs (list[dfvfs.PathSpec]): path specifications of
          the sources to process.
      session (Session): session the preprocessing is part of.
      storage_writer (StorageWriter): storage writer.
      resolver_context (Optional[dfvfs.Context]): resolver context.
    """
    registry = self._BuildArtifactsRegistry(
        artifact_definitions_path, custom_artifacts_path)

    mediator_object = preprocess_mediator.PreprocessMediator(
        session, storage_writer, self.knowledge_base)

    known_operating_systems = []

    for path_spec in source_path_specs:
        try:
            file_system, mount_point = self.GetSourceFileSystem(
                path_spec, resolver_context=resolver_context)
        except (RuntimeError, dfvfs_errors.BackEndError) as exception:
            # The source cannot be opened: log it and move on.
            logger.error(exception)
            continue

        searcher = file_system_searcher.FileSystemSearcher(
            file_system, mount_point)

        try:
            operating_system = self._DetermineOperatingSystem(searcher)
        except (ValueError, dfvfs_errors.PathSpecError) as exception:
            # Detection failed for this source: log it and move on.
            logger.error(exception)
            continue

        if operating_system != definitions.OPERATING_SYSTEM_FAMILY_UNKNOWN:
            preprocess_manager.PreprocessPluginsManager.RunPlugins(
                registry, file_system, mount_point, mediator_object)

            known_operating_systems.append(operating_system)

    if not known_operating_systems:
        return

    summary = ', '.join(known_operating_systems)
    logger.info(
        'Preprocessing detected operating systems: {0:s}'.format(summary))

    # Only the first detected operating system is recorded.
    self.knowledge_base.SetValue(
        'operating_system', known_operating_systems[0])
def testCollect(self):
    """Checks Collect on a knowledge base without any environment variables.

    The plugin runs against a freshly created knowledge base. The test
    expects no preprocessing warnings and that 'programdata' is not set
    afterwards.
    """
    plugin = windows.WindowsProgramDataKnowledgeBasePlugin()

    session = sessions.Session()
    storage_writer = self._CreateTestStorageWriter()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, knowledge_base.KnowledgeBase())

    plugin.Collect(test_mediator)

    self.assertEqual(storage_writer.number_of_preprocessing_warnings, 0)

    # Nothing was seeded, so the variable is expected to be absent.
    collected_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
        'programdata')
    self.assertIsNone(collected_variable)
def testCollect(self):
    """Checks Collect on a knowledge base without any environment variables.

    The plugin runs against a freshly created knowledge base. The test
    expects the storage writer to hold no 'preprocessing_warning'
    containers and that 'allusersappdata' is not set afterwards.
    """
    plugin = windows.WindowsAllUsersAppDataKnowledgeBasePlugin()

    session = sessions.Session()
    storage_writer = self._CreateTestStorageWriter()
    test_mediator = mediator.PreprocessMediator(
        session, storage_writer, knowledge_base.KnowledgeBase())

    plugin.Collect(test_mediator)

    warning_count = storage_writer.GetNumberOfAttributeContainers(
        'preprocessing_warning')
    self.assertEqual(warning_count, 0)

    # Nothing was seeded, so the variable is expected to be absent.
    collected_variable = test_mediator.knowledge_base.GetEnvironmentVariable(
        'allusersappdata')
    self.assertIsNone(collected_variable)
def _RunPreprocessorPluginOnWindowsRegistryValue(
        self, file_system, mount_point, storage_writer, plugin):
    """Runs a preprocessor plugin against a Windows Registry value.

    The artifact definition named by the plugin is looked up in the test's
    artifacts registry and must exist. The Windows Registry is read from
    the file system through a file reader that is given a 'SystemRoot'
    environment variable set to C:\\Windows, and the plugin is run with a
    fresh session and knowledge base.

    Args:
      file_system (dfvfs.FileSystem): file system to be preprocessed.
      mount_point (dfvfs.PathSpec): mount point path specification that
          refers to the base location of the file system.
      storage_writer (StorageWriter): storage writer.
      plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

    Returns:
      PreprocessMediator: preprocess mediator the plugin was run with.
    """
    definition_name = plugin.ARTIFACT_DEFINITION_NAME
    artifact_definition = self._artifacts_registry.GetDefinitionByName(
        definition_name)
    # Fail early when the registry does not know the plugin's artifact.
    self.assertIsNotNone(artifact_definition)

    system_root = artifacts.EnvironmentVariableArtifact(
        case_sensitive=False, name='SystemRoot', value='C:\\Windows')

    file_reader = manager.FileSystemWinRegistryFileReader(
        file_system, mount_point, environment_variables=[system_root])
    win_registry = dfwinreg_registry.WinRegistry(
        registry_file_reader=file_reader)

    test_mediator = mediator.PreprocessMediator(
        sessions.Session(), storage_writer, knowledge_base.KnowledgeBase())

    searcher = registry_searcher.WinRegistrySearcher(win_registry)

    plugin.Collect(test_mediator, artifact_definition, searcher)

    return test_mediator