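    def testFindsKeyWithLiteralAndModificaitonTimeConditions(self):
        """Conditions are ANDed: only the Sidebar value satisfies both.

        The same +/-1s modification-time window on its own returns two keys
        (Sidebar and MctAdmin, see test_data/client_fixture.py); adding the
        literal-content match narrows the result to the Sidebar entry alone.
        """
        # Presumably the timestamp the fixture keys carry; the window is
        # one second either side of it (see test_data/client_fixture.py).
        epoch_seconds = 1247546054
        modification_time = rdfvalue.FileFinderModificationTimeCondition(
            min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
                epoch_seconds - 1),
            max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
                epoch_seconds + 1))

        value_literal_match = rdfvalue.FileFinderContentsLiteralMatchCondition(
            literal="Windows Sidebar\\Sidebar.exe")

        condition_type = rdfvalue.RegistryFinderCondition.Type
        conditions = [
            rdfvalue.RegistryFinderCondition(
                condition_type=condition_type.MODIFICATION_TIME,
                modification_time=modification_time),
            rdfvalue.RegistryFinderCondition(
                condition_type=condition_type.VALUE_LITERAL_MATCH,
                value_literal_match=value_literal_match),
        ]
        # The Run key is an autostart location, so this is the shape of
        # query a persistence triage would issue.
        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], conditions)

        results = self.GetResults()
        # Exactly one key: the time window alone would also admit MctAdmin,
        # but that value does not contain the literal.
        self.assertEqual(len(results), 1)
        self.assertEqual(
            results[0].stat_entry.aff4path,
            "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
            "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")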
    def testFindsKeysIfModificationTimeConditionMatches(self):
        """A +/-1s modification-time window returns both fixture keys.

        Sidebar and MctAdmin are expected (see test_data/client_fixture.py).
        """
        epoch_seconds = 1247546054
        lower = rdfvalue.RDFDatetime().FromSecondsFromEpoch(epoch_seconds - 1)
        upper = rdfvalue.RDFDatetime().FromSecondsFromEpoch(epoch_seconds + 1)
        modification_time = rdfvalue.FileFinderModificationTimeCondition(
            min_last_modified_time=lower, max_last_modified_time=upper)

        time_condition = rdfvalue.RegistryFinderCondition(
            condition_type=rdfvalue.RegistryFinderCondition.Type.MODIFICATION_TIME,
            modification_time=modification_time)
        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [time_condition])

        results = self.GetResults()
        self.assertEqual(len(results), 2)
        # Order is not asserted; only membership of the two expected keys.
        basenames = [r.stat_entry.aff4path.Basename() for r in results]
        self.assertIn("Sidebar", basenames)
        self.assertIn("MctAdmin", basenames)
    def testFindsKeyIfItMatchesRegexMatchCondition(self):
        """A regex over value contents returns the single Sidebar key.

        Checks the match offset and data as well as the aff4 path, pathspec
        path and REGISTRY pathtype of the returned stat entry.
        """
        value_regex_match = rdfvalue.FileFinderContentsRegexMatchCondition(
            regex="Windows.+\\.exe")
        regex_condition = rdfvalue.RegistryFinderCondition(
            condition_type=rdfvalue.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
            value_regex_match=value_regex_match)

        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [regex_condition])

        results = self.GetResults()
        self.assertEqual(len(results), 1)
        hit = results[0]
        self.assertEqual(len(hit.matches), 1)

        # The reported data is wider than the regex alone would capture;
        # presumably it includes surrounding bytes of the value — see fixture.
        match = hit.matches[0]
        self.assertEqual(match.offset, 15)
        self.assertEqual(match.data,
                         "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")

        stat_entry = hit.stat_entry
        self.assertEqual(
            stat_entry.aff4path,
            "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
            "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
        self.assertEqual(
            stat_entry.pathspec.path,
            "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
            "CurrentVersion/Run/Sidebar")
        self.assertEqual(stat_entry.pathspec.pathtype,
                         rdfvalue.PathSpec.PathType.REGISTRY)
 def testSizeCondition(self):
     """A minimum-size condition keeps only the larger of the two values.

     The fixture holds two values under the Run key, one of 20 bytes and one
     of 53; min_file_size=50 should admit just the latter.
     """
     size_condition = rdfvalue.FileFinderSizeCondition(min_file_size=50)
     condition = rdfvalue.RegistryFinderCondition(
         condition_type=rdfvalue.RegistryFinderCondition.Type.SIZE,
         size=size_condition)
     self.RunFlow([
         "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
     ], [condition])

     results = self.GetResults()
     self.assertEqual(len(results), 1)
     # Only the size bound is asserted, not the exact 53-byte figure.
     self.assertGreater(results[0].stat_entry.st_size, 50)
    def testFindsNothingIfRegexMatchesNothing(self):
        """A regex that matches no value contents yields no results."""
        regex_condition = rdfvalue.RegistryFinderCondition(
            condition_type=rdfvalue.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
            value_regex_match=rdfvalue.FileFinderContentsRegexMatchCondition(
                regex=".*CanNotFindMe.*"))

        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [regex_condition])
        self.AssertNoResults()
    def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
        """A literal absent from every value's contents yields no results."""
        literal_condition = rdfvalue.RegistryFinderCondition(
            condition_type=rdfvalue.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
            value_literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
                literal="CanNotFindMe"))

        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [literal_condition])
        self.AssertNoResults()
    def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
        """A modification-time window no fixture key falls into yields nothing.

        The window is the first second after the epoch, far from the
        timestamps the fixture keys carry.
        """
        lower = rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)
        upper = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1)
        modification_time = rdfvalue.FileFinderModificationTimeCondition(
            min_last_modified_time=lower, max_last_modified_time=upper)
        time_condition = rdfvalue.RegistryFinderCondition(
            condition_type=rdfvalue.RegistryFinderCondition.Type.MODIFICATION_TIME,
            modification_time=modification_time)

        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [time_condition])
        self.AssertNoResults()