def testRealEventsYAML(self): """Test the plugin with YAML output against real events from the parser.""" parser = winreg.WinRegistryParser() # We could remove the non-Services plugins, but testing shows that the # performance gain is negligible. knowledge_base = self._SetUpKnowledgeBase() test_path = self._GetTestFilePath([u'SYSTEM']) event_queue = self._ParseFile(parser, test_path, knowledge_base) # Run the analysis plugin. analysis_plugin = windows_services.WindowsServicesPlugin(event_queue) analysis_plugin.SetOutputFormat(u'yaml') analysis_report_queue_consumer = self._RunAnalysisPlugin( analysis_plugin, knowledge_base) analysis_reports = self._GetAnalysisReportsFromQueue( analysis_report_queue_consumer) report = analysis_reports[0] text = report.text # We'll check that a few strings are in the report, like they're supposed # to be, rather than checking for the exact content of the string, # as that's dependent on the full path to the test files. test_strings = [ windows_services.WindowsService.yaml_tag, u'1394ohci', u'WwanSvc', u'ControlSet001', u'ControlSet002' ] for string in test_strings: self.assertTrue(string in text, u'{0:s} not found in report text'.format(string))
def testExamineEventAndCompileReportOnSystemFile(self): """Tests the ExamineEvent and CompileReport functions on a SYSTEM file.""" # We could remove the non-Services plugins, but testing shows that the # performance gain is negligible. parser = winreg.WinRegistryParser() plugin = windows_services.WindowsServicesAnalysisPlugin() storage_writer = self._ParseAndAnalyzeFile([u'SYSTEM'], parser, plugin) self.assertEqual(len(storage_writer.events), 31436) self.assertEqual(len(storage_writer.analysis_reports), 1) analysis_report = storage_writer.analysis_reports[0] # We'll check that a few strings are in the report, like they're supposed # to be, rather than checking for the exact content of the string, # as that's dependent on the full path to the test files. test_strings = [ u'1394ohci', u'WwanSvc', u'Sources:', u'ControlSet001', u'ControlSet002'] for string in test_strings: self.assertIn(string, analysis_report.text)
def testParseNoRootKey(self): """Test the parse function on a Registry file with no root key.""" parser = winreg.WinRegistryParser() storage_writer = self._ParseFile(['ntuser.dat.LOG'], parser) self.assertEqual(storage_writer.number_of_warnings, 0) self.assertEqual(storage_writer.number_of_events, 0)
def testParseSystem(self): """Tests the Parse function on a SYSTEM file.""" parser = winreg.WinRegistryParser() storage_writer = self._ParseFile([u'SYSTEM'], parser) events = list(storage_writer.GetEvents()) parser_chains = self._GetParserChains(events) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ u'windows_usbstor_devices', u'windows_boot_execute', u'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._PluginNameToParserChain(plugin) self.assertTrue( expected_parser_chain in parser_chains, u'Chain {0:s} not found in events.'.format( expected_parser_chain)) # Check that the number of events produced by each plugin are correct. parser_chain = self._PluginNameToParserChain( u'windows_usbstor_devices') self.assertEqual(parser_chains.get(parser_chain, 0), 10) parser_chain = self._PluginNameToParserChain(u'windows_boot_execute') self.assertEqual(parser_chains.get(parser_chain, 0), 4) parser_chain = self._PluginNameToParserChain(u'windows_services') self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testParseSystemWithArtifactFilters(self): """Tests the Parse function on a SYSTEM file with artifact filters.""" parser = winreg.WinRegistryParser() knowledge_base = knowledge_base_engine.KnowledgeBase() artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue'] registry = artifacts_registry.ArtifactDefinitionsRegistry() reader = artifacts_reader.YamlArtifactsReader() registry.ReadFromDirectory(reader, self._GetTestFilePath(['artifacts'])) artifacts_filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper( registry, knowledge_base) artifacts_filter_helper.BuildFindSpecs(artifact_filter_names, environment_variables=None) storage_writer = self._ParseFile( ['SYSTEM'], parser, artifacts_filter_helper=artifacts_filter_helper) events = list(storage_writer.GetEvents()) parser_chains = self._GetParserChains(events) # Check the existence of few known plugins, see if they # are being properly picked up and are parsed. plugin_names = [ 'windows_usbstor_devices', 'windows_boot_execute', 'windows_services' ] for plugin in plugin_names: expected_parser_chain = self._PluginNameToParserChain(plugin) self.assertTrue( expected_parser_chain in parser_chains, 'Chain {0:s} not found in events.'.format( expected_parser_chain)) # Check that the number of events produced by each plugin are correct. # There will be 5 usbstor chains for currentcontrolset: # 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR' parser_chain = self._PluginNameToParserChain('windows_usbstor_devices') self.assertEqual(parser_chains.get(parser_chain, 0), 5) # There will be 4 Windows boot execute chains for key_value pairs: # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager', # value: 'BootExecute'} # {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager', # value: 'BootExecute'} parser_chain = self._PluginNameToParserChain('windows_boot_execute') self.assertEqual(parser_chains.get(parser_chain, 0), 4) # There will be 831 windows services chains for keys: # 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**' # 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**' parser_chain = self._PluginNameToParserChain('windows_services') self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testEnablePlugins(self): """Tests the EnablePlugins function.""" parser = winreg.WinRegistryParser() parser.EnablePlugins([u'appcompatcache']) self.assertIsNotNone(parser) self.assertIsNotNone(parser._default_plugin) self.assertNotEqual(parser._plugins, []) self.assertEqual(len(parser._plugins), 1)
def testParseNoRootKey(self): """Test the parse function on a Registry file with no root key.""" parser_object = winreg.WinRegistryParser() test_file = self._GetTestFilePath([u'ntuser.dat.LOG']) event_queue_consumer = self._ParseFile(parser_object, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 0)
def testParseNTUserDat(self): """Tests the Parse function on a NTUSER.DAT file.""" parser_object = winreg.WinRegistryParser() storage_writer = self._ParseFile([u'NTUSER.DAT'], parser_object) parser_chains = self._GetParserChains(storage_writer.events) expected_parser_chain = self._PluginNameToParserChain(u'userassist') self.assertTrue(expected_parser_chain in parser_chains) self.assertEqual(parser_chains[expected_parser_chain], 14)
def testParseNTUserDat(self): """Tests the Parse function on a NTUSER.DAT file.""" parser_object = winreg.WinRegistryParser() test_file = self._GetTestFilePath([u'NTUSER.DAT']) event_queue_consumer = self._ParseFile(parser_object, test_file) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) parser_chains = self._GetParserChains(event_objects) expected_parser_chain = self._PluginNameToParserChain(u'userassist') self.assertTrue(expected_parser_chain in parser_chains) self.assertEqual(parser_chains[expected_parser_chain], 14)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._parser = winreg.WinRegistryParser()
def testParseNoRootKey(self): """Test the parse function on a Registry file with no root key.""" parser_object = winreg.WinRegistryParser() storage_writer = self._ParseFile([u'ntuser.dat.LOG'], parser_object) self.assertEqual(len(storage_writer.events), 0)
def setUp(self): """Makes preparations before running an individual test.""" self._parser = winreg.WinRegistryParser()
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() pre_obj.current_control_set = 'ControlSet001' self._parser = winreg.WinRegistryParser(pre_obj)