  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake ``Servers`` key with one server subkey for testing.

    The parent key holds a single subkey named ``myserver.com`` which in turn
    carries a ``UsernameHint`` REG_SZ value. The layout matches the Terminal
    Server Client ``Servers`` key (presumably what the plugin under test
    parses — confirm against the test case that calls this helper).

    Args:
      key_path (str): the Windows Registry key path.
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.

    Returns:
      dfwinreg.WinRegistryKey: fake ``Servers`` key with one server subkey.
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    # Parent and subkey deliberately share the same last written timestamp.
    servers_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Servers', key_path=key_path,
        last_written_time=last_written.timestamp, offset=865)
    server_key = dfwinreg_fake.FakeWinRegistryKey(
        u'myserver.com', last_written_time=last_written.timestamp,
        offset=1456)

    # Registry strings are stored as UTF-16 little-endian, so the fixture
    # encodes the hint the same way a real hive would.
    hint_value = dfwinreg_fake.FakeWinRegistryValue(
        u'UsernameHint', data=u'DOMAIN\\username'.encode(u'utf_16_le'),
        data_type=dfwinreg_definitions.REG_SZ, offset=1892)
    server_key.AddValue(hint_value)
    servers_key.AddSubkey(server_key)

    return servers_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake ``Search`` key with one REG_DWORD value for testing.

    The value *name* is itself a file system path under the user's Outlook
    data directory; the value data is a 4-byte DWORD.

    Args:
      key_path (str): the Windows Registry key path.
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.

    Returns:
      dfwinreg.WinRegistryKey: fake ``Search`` key with one value.
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    # NOTE(review): the trailing path component looks like a redacted
    # mailbox name; the original fixture presumably used a realistic
    # e-mail-address-style file name. The value is reproduced verbatim.
    mail_store_path = (
        u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
        u'*****@*****.**')
    # Little-endian DWORD 0x00372bcf.
    search_value = dfwinreg_fake.FakeWinRegistryValue(
        mail_store_path, data=b'\xcf\x2b\x37\x00',
        data_type=dfwinreg_definitions.REG_DWORD, offset=1892)

    search_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Search', key_path=key_path,
        last_written_time=last_written.timestamp, offset=1456)
    search_key.AddValue(search_value)

    return search_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake ``Default`` key holding two MRU host entries.

    The key carries ``MRU0`` (an IPv4 address) and ``MRU1`` (a host name),
    both REG_SZ, added in that order.

    Args:
      key_path (str): the Windows Registry key path.
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.

    Returns:
      dfwinreg.WinRegistryKey: fake ``Default`` key with two MRU values.
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)
    default_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Default', key_path=key_path,
        last_written_time=last_written.timestamp, offset=1456)

    # (value name, host string, value offset) in insertion order.
    mru_entries = [
        (u'MRU0', u'192.168.16.60', 1892),
        (u'MRU1', u'computer.domain.com', 612),
    ]
    for value_name, host, value_offset in mru_entries:
      # Strings live in the hive as UTF-16 little-endian.
      default_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=host.encode(u'utf_16_le'),
          data_type=dfwinreg_definitions.REG_SZ, offset=value_offset))

    return default_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake ``BootVerificationProgram`` key for testing.

        The key carries a single ``ImagePath`` REG_SZ value pointing at an
        executable under ``system32``.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake ``BootVerificationProgram`` key with
              one ``ImagePath`` value.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        # The image path names a non-standard binary in system32 — the kind
        # of boot-time execution entry an analyst would want surfaced, which
        # is presumably what the test using this fixture checks for.
        image_path = u'C:\\WINDOWS\\system32\\googleupdater.exe'
        image_path_value = dfwinreg_fake.FakeWinRegistryValue(
            u'ImagePath', data=image_path.encode(u'utf_16_le'),
            data_type=dfwinreg_definitions.REG_SZ, offset=123)

        boot_key = dfwinreg_fake.FakeWinRegistryKey(
            u'BootVerificationProgram', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)
        boot_key.AddValue(image_path_value)

        return boot_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake ``CurrentVersion`` key with OS version values.

        The key carries ``CSDVersion``, ``CurrentVersion``, ``InstallDate``,
        ``ProductName`` and ``RegisteredOwner``, added in that order. All are
        REG_SZ except ``InstallDate``, which is a little-endian DWORD.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake ``CurrentVersion`` key with five
              values.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)
        version_key = dfwinreg_fake.FakeWinRegistryKey(
            u'CurrentVersion', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)

        string_type = dfwinreg_definitions.REG_SZ
        # (value name, raw data, data type, value offset) in insertion order.
        values = [
            (u'CSDVersion', u'Service Pack 1'.encode(u'utf_16_le'),
             string_type, 1892),
            (u'CurrentVersion', u'5.1'.encode(u'utf_16_le'),
             string_type, 1121),
            # Little-endian 0x50411a13 = 1346443795; presumably read as a
            # POSIX timestamp (2012-08-31 20:09:55 UTC) by the plugin.
            (u'InstallDate', b'\x13\x1aAP',
             dfwinreg_definitions.REG_DWORD_LITTLE_ENDIAN, 1001),
            (u'ProductName', u'MyTestOS'.encode(u'utf_16_le'),
             string_type, 123),
            (u'RegisteredOwner', u'A Concerned Citizen'.encode(u'utf_16_le'),
             string_type, 612),
        ]
        for value_name, value_data, data_type, value_offset in values:
            version_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=value_data, data_type=data_type,
                offset=value_offset))

        return version_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake MRU-style key with an ``MRUList`` and three entries.

        The key is named ``TimeZoneInformation`` but is laid out as an MRU
        list: an ``MRUList`` REG_SZ value (``acb``) names the order of the
        entry values ``a``, ``b`` and ``c``. Entry ``b`` is deliberately typed
        REG_BINARY even though its bytes are a UTF-16 string, so the fixture
        exercises how a non-string entry is handled.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake key with ``MRUList`` and entries
              ``a``, ``b`` and ``c``.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)
        mru_key = dfwinreg_fake.FakeWinRegistryKey(
            u'TimeZoneInformation', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        # (value name, string payload, data type, value offset) in insertion
        # order. Every payload is UTF-16 little-endian regardless of type.
        entries = [
            (u'MRUList', u'acb', dfwinreg_definitions.REG_SZ, 123),
            (u'a', u'Some random text here',
             dfwinreg_definitions.REG_SZ, 1892),
            # Path-like payload stored under a binary type on purpose.
            (u'b', u'c:/evil.exe', dfwinreg_definitions.REG_BINARY, 612),
            (u'c', u'C:/looks_legit.exe',
             dfwinreg_definitions.REG_SZ, 1001),
        ]
        for value_name, payload, data_type, value_offset in entries:
            mru_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=payload.encode(u'utf_16_le'),
                data_type=data_type, offset=value_offset))

        return mru_key
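  def _CreateTestKey(self, key_path, time_string):
    """Creates a fake ``DesktopStreamMRU`` key with one MRU entry.

    The key carries an ``MRUList`` REG_SZ value (``a``) and a REG_BINARY
    value ``a``. The binary payload appears to be a shell item list: the
    ASCII components ``Winnt``, ``Profiles``, ``Administrator``/``ADMINI~1``
    and ``Desktop`` are visible in the bytes.

    Args:
      key_path (str): the Windows Registry key path.
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.

    Returns:
      dfwinreg.WinRegistryKey: fake ``DesktopStreamMRU`` key with an
          ``MRUList`` value and one binary entry.
    """
    filetime = dfwinreg_fake.Filetime()
    filetime.CopyFromString(time_string)
    registry_key = dfwinreg_fake.FakeWinRegistryKey(
        u'DesktopStreamMRU', key_path=key_path,
        last_written_time=filetime.timestamp, offset=1456)

    value_data = u'a'.encode(u'utf_16_le')
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        u'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
        offset=123)
    registry_key.AddValue(registry_value)

    # bytes(bytearray(...)) yields the same byte string on Python 2 and 3.
    # The previous b''.join(map(chr, ...)) only worked on Python 2, where
    # chr() returns a byte; on Python 3 it returns str and the join fails.
    value_data = bytes(bytearray([
        0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10,
        0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d, 0x19, 0x00, 0x23, 0x43,
        0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
        0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x50, 0x72, 0x6f, 0x66,
        0x69, 0x6c, 0x65, 0x73, 0x00, 0x00, 0x25, 0x00, 0x31, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69,
        0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
        0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x44, 0x65, 0x73,
        0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00, 0x00, 0x00]))

    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        u'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY,
        offset=612)
    registry_key.AddValue(registry_value)

    return registry_key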
  def _CreateTestKey(self, time_string, binary_data):
    """Builds a fake ``AppCompatCache`` key wrapping caller-supplied bytes.

    Unlike the other fixture helpers the key path is fixed to the
    ``ControlSet001`` Session Manager location, and the caller provides the
    raw ``AppCompatCache`` value data (the test presumably feeds in cache
    blobs for different Windows versions).

    Args:
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.
      binary_data (bytes): raw data of the ``AppCompatCache`` REG_BINARY
          value, stored as-is.

    Returns:
      dfwinreg.WinRegistryKey: fake ``AppCompatCache`` key with one value.
    """
    cache_key_path = (
        u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache')

    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    # No offset is given for the value, so the fake's default applies.
    cache_value = dfwinreg_fake.FakeWinRegistryValue(
        u'AppCompatCache', data=binary_data,
        data_type=dfwinreg_definitions.REG_BINARY)

    cache_key = dfwinreg_fake.FakeWinRegistryKey(
        u'AppCompatCache', key_path=cache_key_path,
        last_written_time=last_written.timestamp, offset=1456)
    cache_key.AddValue(cache_value)

    return cache_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake WinRAR ``ArcHistory`` key with two archive paths.

        Values ``0`` and ``1`` are REG_SZ paths of recently opened archives,
        added in that order.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake ``ArcHistory`` key with two values.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)
        history_key = dfwinreg_fake.FakeWinRegistryKey(
            u'ArcHistory', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        # (value name, archive path, value offset) in insertion order.
        history_entries = [
            (u'0', u'C:\\Downloads\\The Sleeping Dragon CD1.iso', 1892),
            (u'1', u'C:\\Downloads\\plaso-static.rar', 612),
        ]
        for value_name, archive_path, value_offset in history_entries:
            history_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=archive_path.encode(u'utf_16_le'),
                data_type=dfwinreg_definitions.REG_SZ, offset=value_offset))

        return history_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake ``TimeZoneInformation`` key for testing.

    The key carries the bias DWORDs (stored big-endian), the daylight and
    standard names and start structures, and ``TimeZoneKeyName``. An extra
    unrelated REG_SZ value ``1`` (an archive path) is added first, presumably
    to check that the plugin ignores values it does not know.

    Args:
      key_path (str): the Windows Registry key path.
      time_string (str): key last written date and time, in the format
          accepted by dfwinreg_fake.Filetime.CopyFromString.

    Returns:
      dfwinreg.WinRegistryKey: fake ``TimeZoneInformation`` key.
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)
    timezone_key = dfwinreg_fake.FakeWinRegistryKey(
        u'TimeZoneInformation', key_path=key_path,
        last_written_time=last_written.timestamp, offset=153)

    # The only value carrying an explicit offset; it is unrelated to time
    # zone data.
    timezone_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        u'1', data=u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le'),
        data_type=dfwinreg_definitions.REG_SZ, offset=612))

    dword_be = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
    string_type = dfwinreg_definitions.REG_SZ
    binary_type = dfwinreg_definitions.REG_BINARY

    # 0xffffffc4 as a signed 32-bit big-endian value is -60, i.e. UTC+1,
    # consistent with the W. Europe zone name below.
    minus_sixty = b'\xff\xff\xff\xc4'
    zero_dword = b'\x00\x00\x00\x00'

    # (value name, raw data, data type) in insertion order; none of these
    # pass an offset, so the fake's default is used.
    timezone_values = [
        (u'ActiveTimeBias', minus_sixty, dword_be),
        (u'Bias', minus_sixty, dword_be),
        (u'DaylightBias', minus_sixty, dword_be),
        (u'DaylightName', u'@tzres.dll,-321'.encode(u'utf_16_le'),
         string_type),
        (u'DaylightStart',
         b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00',
         binary_type),
        (u'DynamicDaylightTimeDisabled', zero_dword, dword_be),
        (u'StandardBias', zero_dword, dword_be),
        (u'StandardName', u'@tzres.dll,-322'.encode(u'utf_16_le'),
         string_type),
        (u'StandardStart',
         b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00',
         binary_type),
        (u'TimeZoneKeyName',
         u'W. Europe Standard Time'.encode(u'utf_16_le'), string_type),
    ]
    for value_name, value_data, data_type in timezone_values:
      timezone_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=value_data, data_type=data_type))

    return timezone_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake service/driver-style ``TestDriver`` key for testing.

        The key carries the DWORDs ``Type``, ``Start`` and ``ErrorControl``
        followed by the REG_SZ values ``Group``, ``DisplayName``,
        ``DriverPackageId`` and ``ImagePath``, added in that order. The
        numeric values (Type 2, Start 2, ErrorControl 1) are presumably
        mapped to their Windows service-control meanings by the plugin under
        test.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake ``TestDriver`` key with seven values.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)
        driver_key = dfwinreg_fake.FakeWinRegistryKey(
            u'TestDriver', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        dword_type = dfwinreg_definitions.REG_DWORD
        string_type = dfwinreg_definitions.REG_SZ

        # (value name, raw data, data type, value offset) in insertion order.
        driver_values = [
            (u'Type', b'\x02\x00\x00\x00', dword_type, 123),
            (u'Start', b'\x02\x00\x00\x00', dword_type, 127),
            (u'ErrorControl', b'\x01\x00\x00\x00', dword_type, 131),
            (u'Group', u'Pnp Filter'.encode(u'utf_16_le'), string_type, 140),
            (u'DisplayName', u'Test Driver'.encode(u'utf_16_le'),
             string_type, 160),
            (u'DriverPackageId',
             u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(
                 u'utf_16_le'),
             string_type, 180),
            # ImagePath outside the Windows directory — the sort of
            # driver location worth surfacing in a timeline.
            (u'ImagePath', u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le'),
             string_type, 200),
        ]
        for value_name, value_data, data_type, value_offset in driver_values:
            driver_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=value_data, data_type=data_type,
                offset=value_offset))

        return driver_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake ``Session Manager`` key for testing.

        The key carries ``BootExecute`` and ``ExcludeFromKnownDlls`` as
        REG_MULTI_SZ, and seven further REG_SZ values (timeouts, flags and
        heap thresholds), added in the order listed in the body.

        Args:
          key_path (str): the Windows Registry key path.
          time_string (str): key last written date and time, in the format
              accepted by dfwinreg_fake.Filetime.CopyFromString.

        Returns:
          dfwinreg.WinRegistryKey: fake ``Session Manager`` key with nine
              values.
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)
        session_key = dfwinreg_fake.FakeWinRegistryKey(
            u'Session Manager', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)

        multi_string_type = dfwinreg_definitions.REG_MULTI_SZ
        string_type = dfwinreg_definitions.REG_SZ

        # (value name, string payload, data type, value offset) in insertion
        # order. Multi-string payloads carry their trailing NUL explicitly;
        # every payload is encoded as UTF-16 little-endian below.
        session_values = [
            # BootExecute is a classic boot-time persistence location; the
            # fixture uses the stock autochk entry.
            (u'BootExecute', u'autocheck autochk *\x00',
             multi_string_type, 123),
            (u'CriticalSectionTimeout', u'2592000', string_type, 153),
            (u'ExcludeFromKnownDlls', u'\x00', multi_string_type, 163),
            (u'GlobalFlag', u'0', string_type, 173),
            (u'HeapDeCommitFreeBlockThreshold', u'0', string_type, 183),
            (u'HeapDeCommitTotalFreeThreshold', u'0', string_type, 203),
            (u'HeapSegmentCommit', u'0', string_type, 213),
            (u'HeapSegmentReserve', u'0', string_type, 223),
            (u'NumberOfInitialSessions', u'2', string_type, 243),
        ]
        for value_name, payload, data_type, value_offset in session_values:
            session_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=payload.encode(u'utf_16_le'),
                data_type=data_type, offset=value_offset))

        return session_key