def testGetCachedFileByPath(self): """Tests the _GetCachedFileByPath function.""" test_path = self._GetTestFilePath(['SYSTEM']) self._SkipIfPathNotExists(test_path) win_registry = registry.WinRegistry() # Note that _GetCachedFileByPath expects the key path to be in # upper case. key_path = 'HKEY_LOCAL_MACHINE\\SYSTEM' key_path_prefix, registry_file = win_registry._GetCachedFileByPath( key_path) self.assertIsNone(key_path_prefix) self.assertIsNone(registry_file) win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) key_path_prefix, registry_file = win_registry._GetCachedFileByPath( key_path) self.assertEqual(key_path_prefix, key_path) self.assertIsNotNone(registry_file)
def testGetCurrentControlSet(self): """Tests the _GetCurrentControlSet function.""" test_path = self._GetTestFilePath(['SYSTEM']) self._SkipIfPathNotExists(test_path) win_registry = registry.WinRegistry() registry_key = win_registry._GetCurrentControlSet('') self.assertIsNone(registry_key) win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) registry_key = win_registry._GetCurrentControlSet('') self.assertIsNotNone(registry_key) expected_key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001' self.assertEqual(registry_key.path, expected_key_path) # Tests Current value is not an integer. win_registry = TestWinRegistry() registry_key = win_registry._GetCurrentControlSet('') self.assertIsNone(registry_key)
def testGetKeyByPathOnSystem(self): """Tests the GetKeyByPath function on a SYSTEM file.""" win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) test_path = self._GetTestFilePath([u'SYSTEM']) registry_file = win_registry._OpenFile(test_path) win_registry = registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) # Test an existing key. registry_key = win_registry.GetKeyByPath( u'HKEY_LOCAL_MACHINE\\System\\ControlSet001') self.assertIsNotNone(registry_key) # Test a virtual key. registry_key = win_registry.GetKeyByPath( u'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet') self.assertIsNotNone(registry_key) # Test a non-existing key. registry_key = win_registry.GetKeyByPath( u'HKEY_LOCAL_MACHINE\\System\\Bogus') self.assertIsNone(registry_key)
def testGetUsers(self): """Tests the _GetUsers function.""" ntuser_test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(ntuser_test_path) software_test_path = self._GetTestFilePath(['SOFTWARE']) self._SkipIfPathNotExists(software_test_path) win_registry = registry.WinRegistry() registry_key = win_registry._GetUsers('S-1-5-18') self.assertIsNone(registry_key) win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(ntuser_test_path) profile_path = '%SystemRoot%\\System32\\config\\systemprofile\\NTUSER.DAT' win_registry.MapUserFile(profile_path, registry_file) registry_file = win_registry._OpenFile(software_test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) registry_key = win_registry._GetUsers('S-1-5-18') self.assertIsNotNone(registry_key) expected_key_path = 'HKEY_USERS\\S-1-5-18' self.assertEqual(registry_key.path, expected_key_path) registry_key = win_registry._GetUsers('.DEFAULT') self.assertIsNotNone(registry_key) expected_key_path = 'HKEY_USERS\\.DEFAULT' self.assertEqual(registry_key.path, expected_key_path)
def testGetKeyByPathOnNTUserDat(self): """Tests the GetKeyByPath function on a NTUSER.DAT file.""" win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) test_path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = win_registry._OpenFile(test_path) win_registry = registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) # Test an existing key. registry_key = win_registry.GetKeyByPath( 'HKEY_CURRENT_USER\\Software\\Microsoft') self.assertIsNotNone(registry_key) # Test a non-existing key. registry_key = win_registry.GetKeyByPath( 'HKEY_CURRENT_USER\\Software\\Bogus') self.assertIsNone(registry_key) # Test a non-existing root. with self.assertRaises(RuntimeError): win_registry.GetKeyByPath('HKEY_BOGUS\\Software\\Bogus') # Test a non-existing key outside the Registry file. registry_key = win_registry.GetKeyByPath( 'HKEY_LOCAL_MACHINE\\System\\ControlSet001') self.assertIsNone(registry_key)
def testMapUserFile(self): """Tests the MapUserFile function.""" win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) test_path = self._GetTestFilePath(['NTUSER.DAT']) registry_file = win_registry._OpenFile(test_path) win_registry = registry.WinRegistry() profile_path = '%SystemRoot%\\System32\\config\\systemprofile' win_registry.MapUserFile(profile_path, registry_file)
def testMapFile(self): """Tests the MapFile function.""" win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) test_path = self._GetTestFilePath(['SYSTEM']) registry_file = win_registry._OpenFile(test_path) win_registry = registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\SAM' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Users') registry_file.AddKeyByPath('\\SAM\\Domains\\Account', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._RID) registry_key.AddSubkey(self._RID, subkey) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'F', data=_F_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY) subkey.AddValue(registry_value) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'V', data=_V_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('ProfileList') registry_file.AddKeyByPath( '\\Microsoft\\Windows NT\\CurrentVersion', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._SID) registry_key.AddSubkey(subkey) value_data = self._PROFILE_PATH.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProfileImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testBuildFindSpecsWithRegistry(self): """Tests the BuildFindSpecs function on Windows Registry sources.""" knowledge_base = knowledge_base_engine.KnowledgeBase() artifact_filter_names = ['TestRegistry', 'TestRegistryValue'] test_filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper( knowledge_base) test_filters_helper.BuildFindSpecs(artifact_filter_names) # There should be 3 Windows Registry find specifications. self.assertEqual( len(test_filters_helper.included_file_system_find_specs), 0) self.assertEqual(len(test_filters_helper.registry_find_specs), 3) win_registry_reader = ( windows_registry_parser.FileObjectWinRegistryFileReader()) file_entry = self._GetTestFileEntry(['SYSTEM']) file_object = file_entry.GetFileObject() registry_file = win_registry_reader.Open(file_object) win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) win_registry.MapFile(key_path_prefix, registry_file) searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry) key_paths = list( searcher.Find(find_specs=test_filters_helper.registry_find_specs)) self.assertIsNotNone(key_paths) self.assertEqual(len(key_paths), 5)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Services') registry_file.AddKeyByPath('\\CurrentControlSet', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey('WwanSvc') registry_key.AddSubkey('WwanSvc', subkey) value_data = self._DESCRIPTION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Description', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._DISPLAY_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'DisplayName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._IMAGE_PATH.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._OBJECT_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ObjectName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = b'\x03\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) subkey.AddValue(registry_value) value_data = b'\x20\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Environment') registry_file.AddKeyByPath( '\\CurrentControlSet\\Control\\Session Manager', registry_key) value_data = '%SystemRoot%\\TEMP'.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'TEMP', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def ParseFileObject(self, parser_mediator, file_object, **kwargs): """Parses a Windows Registry file-like object. Args: parser_mediator (ParserMediator): parser mediator. file_object (dfvfs.FileIO): a file-like object. """ win_registry_reader = FileObjectWinRegistryFileReader() try: registry_file = win_registry_reader.Open(file_object) except IOError as exception: parser_mediator.ProduceExtractionError( 'unable to open Windows Registry file with error: {0!s}'.format( exception)) return win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) root_key = registry_file.GetRootKey() if not root_key: return try: self._ParseRecurseKeys(parser_mediator, root_key) except IOError as exception: parser_mediator.ProduceExtractionError('{0:s}'.format(exception))
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID1) registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION1) registry_key.AddSubkey(self._VERSION1, subkey) value_data = self._DESCRIPTION1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) language_key = dfwinreg_fake.FakeWinRegistryKey('409') subkey.AddSubkey('409', language_key) platform_key = dfwinreg_fake.FakeWinRegistryKey('Win32') language_key.AddSubkey('Win32', platform_key) value_data = self._FILENAME1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) platform_key.AddValue(registry_value) registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID2) registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION2) registry_key.AddSubkey(self._VERSION2, subkey) value_data = self._DESCRIPTION1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) language_key = dfwinreg_fake.FakeWinRegistryKey('0') subkey.AddSubkey('0', language_key) platform_key = dfwinreg_fake.FakeWinRegistryKey('x64') language_key.AddSubkey('x64', platform_key) value_data = self._FILENAME1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) platform_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _GetWinRegistryFromFileEntry(self, file_entry): """Retrieves a Windows Registry from a file entry. Args: file_entry: A file entry object (instance of dfvfs.FileEntry) that references a test file. Returns: A Windows Registry object (instance of dfwinreg.WinRegistry) or None. """ file_object = file_entry.GetFileObject() if not file_object: return win_registry_reader = winreg.FileObjectWinRegistryFileReader() registry_file = win_registry_reader.Open(file_object) if not registry_file: file_object.close() return win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) return win_registry
def _RunPreprocessorPluginOnWindowsRegistryValue(self, file_system, mount_point, plugin): """Runs a preprocessor plugin on a Windows Registry value. Args: file_system (dfvfs.FileSystem): file system to be preprocessed. mount_point (dfvfs.PathSpec): mount point path specification that refers to the base location of the file system. plugin (ArtifactPreprocessorPlugin): preprocessor plugin. Return: KnowledgeBase: knowledge base filled with preprocessing information. """ artifact_definition = self._artifacts_registry.GetDefinitionByName( plugin.ARTIFACT_DEFINITION_NAME) self.assertIsNotNone(artifact_definition) environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name='SystemRoot', value='C:\\Windows') registry_file_reader = manager.FileSystemWinRegistryFileReader( file_system, mount_point, environment_variables=[environment_variable]) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) knowledge_base_object = knowledge_base.KnowledgeBase() searcher = registry_searcher.WinRegistrySearcher(win_registry) plugin.Collect(knowledge_base_object, artifact_definition, searcher) return knowledge_base_object
def testGetRegistryFileMappingOnNTUserDat(self): """Tests the GetRegistryFileMapping function on a NTUSER.DAT file.""" dat_test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(dat_test_path) log_test_path = self._GetTestFilePath(['NTUSER.DAT.LOG']) self._SkipIfPathNotExists(log_test_path) win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(dat_test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) self.assertEqual(key_path_prefix, 'HKEY_CURRENT_USER') registry_file.Close() registry_file = win_registry._OpenFile(log_test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) self.assertEqual(key_path_prefix, '') registry_file.Close() key_path_prefix = win_registry.GetRegistryFileMapping(None) self.assertEqual(key_path_prefix, '')
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Select') registry_file.AddKeyByPath('\\', registry_key) value_data = b'\x01\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Current', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) registry_key.AddValue(registry_value) registry_key = dfwinreg_fake.FakeWinRegistryKey('AppCompatibility') registry_file.AddKeyByPath( '\\ControlSet001\\Control\\Session Manager', registry_key) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'AppCompatCache', data=_CACHE_DATA_WINDOWS_XP, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _RunWindowsRegistryPlugin(self, file_system, mount_point, plugin): """Runs a Windows Registry preprocess plugin. Args: file_system (dfvfs.FileSystem): file system to be preprocessed. mount_point (dfvfs.PathSpec): mount point path specification that refers to the base location of the file system. plugin (PreprocessPlugin): preprocess plugin. Return: KnowledgeBase: knowledge base filled with preprocessing information. """ environment_variable = artifacts.EnvironmentVariableArtifact( case_sensitive=False, name=u'SystemRoot', value=u'C:\\Windows') registry_file_reader = manager.FileSystemWinRegistryFileReader( file_system, mount_point, environment_variables=[environment_variable]) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) knowledge_base_object = knowledge_base.KnowledgeBase() plugin.Run(win_registry, knowledge_base_object) return knowledge_base_object
def _CreateTestKeyWithMappedRegistry(self): """Creates a virtual Windows Registry key with a mapped registry. Returns: VirtualWinRegistryKey: virtual Windows Registry key. """ test_path = self._GetTestFilePath(['SYSTEM']) self._SkipIfPathNotExists(test_path) registry_key = virtual.VirtualWinRegistryKey( 'HKEY_LOCAL_MACHINE', key_path='HKEY_LOCAL_MACHINE') win_registry = registry.WinRegistry( registry_file_reader=test_registry.TestWinRegistryFileReader()) registry_file = win_registry._OpenFile(test_path) key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) win_registry.MapFile(key_path_prefix, registry_file) sub_registry_key = virtual.VirtualWinRegistryKey('System', registry=win_registry) registry_key.AddSubkey(sub_registry_key) return registry_key
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('CurrentVersion') registry_file.AddKeyByPath('\\Microsoft\\Windows NT', registry_key) value_data = self._CSD_VERSION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CSDVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_BUILD_NUMBER.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentBuildNumber', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_TYPE.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentType', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_VERSION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = b'\x47\xc8\xda\x4c' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'InstallDate', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) registry_key.AddValue(registry_value) value_data = self._PRODUCT_IDENTIFIER.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProductId', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._PRODUCT_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProductName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) # TODO: add more values. registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testCollect(self): """Tests the Collect function.""" test_path = self._GetTestFilePath(['SOFTWARE']) self._SkipIfPathNotExists(test_path) registry = dfwinreg_registry.WinRegistry() with open(test_path, 'rb') as file_object: registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(file_object) key_path_prefix = registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) collector_object = msie_zone_info.MSIEZoneInformationCollector() test_results = list(collector_object.Collect(registry)) self.assertEqual(len(test_results), 1724) zone_information = test_results[0] self.assertEqual(zone_information.zone, '0') self.assertEqual(zone_information.zone_name, 'Computer') self.assertEqual(zone_information.control, '1809') self.assertEqual(zone_information.control_value, 3)
def testBuildFindSpecsWithRegistry(self): """Tests the BuildFindSpecs function on Windows Registry artifacts.""" knowledge_base = knowledge_base_engine.KnowledgeBase() test_filter_file = self._CreateTestArtifactDefinitionsFilterHelper( ['TestRegistry'], knowledge_base) test_filter_file.BuildFindSpecs(environment_variables=None) find_specs_per_source_type = knowledge_base.GetValue( test_filter_file.KNOWLEDGE_BASE_VALUE) find_specs = find_specs_per_source_type.get( artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, []) self.assertEqual(len(find_specs), 1) win_registry_reader = ( windows_registry_parser.FileObjectWinRegistryFileReader()) file_entry = self._GetTestFileEntry(['SYSTEM']) file_object = file_entry.GetFileObject() registry_file = win_registry_reader.Open(file_object) win_registry = dfwinreg_registry.WinRegistry() key_path_prefix = win_registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) win_registry.MapFile(key_path_prefix, registry_file) searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry) key_paths = list(searcher.Find(find_specs=find_specs)) self.assertIsNotNone(key_paths) # Three key paths found. self.assertEqual(len(key_paths), 3)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('MountedDevices') registry_file.AddKeyByPath('\\', registry_key) value_data = b'\x78\x56\x34\x12\x00\x10\x00\x00\x00\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( '\\DosDevices\\C:', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_CURRENT_USER' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('RecentDocs') registry_file.AddKeyByPath( '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key) value_data = b'a\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) value_data = 'MyFile.txt\x00'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey( '{fd6c8b29-e936-4a61-8da6-b0c12ad3ba00}') registry_file.AddKeyByPath('\\Classes\\AppID', registry_key) value_data = 'Wordpad'.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testCollect(self): """Tests the Collect function.""" test_path = self._GetTestFilePath(['NTUSER.DAT']) self._SkipIfPathNotExists(test_path) registry = dfwinreg_registry.WinRegistry() with open(test_path, 'rb') as file_object: registry_file = dfwinreg_regf.REGFWinRegistryFile( ascii_codepage='cp1252') registry_file.Open(file_object) key_path_prefix = registry.GetRegistryFileMapping(registry_file) registry_file.SetKeyPathPrefix(key_path_prefix) registry.MapFile(key_path_prefix, registry_file) test_output_writer = test_lib.TestOutputWriter() collector_object = programscache.ProgramsCacheCollector( output_writer=test_output_writer) result = collector_object.Collect(registry) self.assertTrue(result) test_output_writer.Close()
def RunPlugins(cls, artifacts_registry, file_system, mount_point, knowledge_base): searcher = file_system_searcher.FileSystemSearcher( file_system, mount_point) cls.CollectFromFileSystem(artifacts_registry, knowledge_base, searcher, file_system) environment_variables = None if knowledge_base: environment_variables = knowledge_base.GetEnvironmentVariables() registry_file_reader = FileSystemWinRegistryFileReader( file_system, mount_point, environment_variables=environment_variables) win_registry = dfwinreg_registry.WinRegistry( registry_file_reader=registry_file_reader) searcher = registry_searcher.WinRegistrySearcher(win_registry) cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher) cls.CollectFromKnowledgeBase(knowledge_base) if not knowledge_base.HasUserAccounts(): logger.warning('Unable to find any user accounts on the system.')
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('FolderDescriptions') registry_file.AddKeyByPath( '\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._GUID) registry_key.AddSubkey(self._GUID, subkey) value_data = self._NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Name', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._LOCALIZED_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'LocalizedName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testGetKeyByPathOnSystem(self): """Tests the GetKeyByPath function on a SYSTEM file.""" win_registry = registry.WinRegistry( registry_file_reader=TestWinRegistryFileReaderMapped()) # Test an existing key. registry_key = win_registry.GetKeyByPath( 'HKEY_LOCAL_MACHINE\\System\\ControlSet001') self.assertIsNotNone(registry_key) # Test a virtual key. registry_key = win_registry.GetKeyByPath( 'HKEY_LOCAL_MACHINE\\System\\CurrentControlSet') self.assertIsNotNone(registry_key) # Test a non-existing key. registry_key = win_registry.GetKeyByPath( 'HKEY_LOCAL_MACHINE\\System\\Bogus') self.assertIsNone(registry_key) # Tests Current value is not an integer. win_registry = TestWinRegistryKeyPathPrefixMismatch( registry_file_reader=TestWinRegistryFileReaderMapped()) with self.assertRaises(RuntimeError): win_registry.GetKeyByPath( 'HKEY_LOCAL_MACHINE\\System\\ControlSet001')