def testProcess(self): """Tests the Process function on a virtual key.""" key_path = ( u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services\\TestDriver') time_string = u'2012-08-28 09:23:49.002031' registry_key = self._CreateTestKey(key_path, time_string) plugin = services.ServicesPlugin() storage_writer = self._ParseKeyWithPlugin(registry_key, plugin) self.assertEqual(storage_writer.number_of_events, 1) events = list(storage_writer.GetEvents()) event = events[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString(time_string) self.assertEqual(event.timestamp, expected_timestamp) expected_message = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 ' u'ErrorControl: Normal (1) ' u'Group: Pnp Filter ' u'ImagePath: C:\\Dell\\testdriver.sys ' u'Start: Auto Start (2) ' u'Type: File System Driver (0x2)').format(key_path) expected_short_message = u'{0:s}...'.format(expected_message[:77]) self._TestGetMessageStrings(event, expected_message, expected_short_message)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._plugin = services.ServicesPlugin()
def setUp(self): """Makes preparations before running an individual test.""" self._plugin = services.ServicesPlugin()
def testProcessFile(self): """Tests the Process function on a key in a file.""" test_file_entry = self._GetTestFileEntry([u'SYSTEM']) key_path = u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services' win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) event_objects = [] # Select a few service subkeys to perform additional testing. bits_event_objects = None mc_task_manager_event_objects = None rdp_video_miniport_event_objects = None plugin_object = services.ServicesPlugin() for winreg_subkey in registry_key.GetSubkeys(): storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin_object, file_entry=test_file_entry) event_objects.extend(storage_writer.events) if winreg_subkey.name == u'BITS': bits_event_objects = storage_writer.events elif winreg_subkey.name == u'McTaskManager': mc_task_manager_event_objects = storage_writer.events elif winreg_subkey.name == u'RdpVideoMiniport': rdp_video_miniport_event_objects = storage_writer.events self.assertEqual(len(event_objects), 416) # Test the BITS subkey event objects. self.assertEqual(len(bits_event_objects), 1) event_object = bits_event_objects[0] self.assertEqual(event_object.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, plugin_object.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-04-06 20:43:27.639075') self.assertEqual(event_object.timestamp, expected_timestamp) self._TestRegvalue(event_object, u'Type', 0x20) self._TestRegvalue(event_object, u'Start', 3) self._TestRegvalue( event_object, u'ServiceDll', u'%SystemRoot%\\System32\\qmgr.dll') # Test the McTaskManager subkey event objects. self.assertEqual(len(mc_task_manager_event_objects), 1) event_object = mc_task_manager_event_objects[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2011-09-16 20:49:16.877415') self.assertEqual(event_object.timestamp, expected_timestamp) self._TestRegvalue(event_object, u'DisplayName', u'McAfee Task Manager') self._TestRegvalue(event_object, u'Type', 0x10) # Test the RdpVideoMiniport subkey event objects. self.assertEqual(len(rdp_video_miniport_event_objects), 1) event_object = rdp_video_miniport_event_objects[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2011-09-17 13:37:59.347157') self.assertEqual(event_object.timestamp, expected_timestamp) self._TestRegvalue(event_object, u'Start', 3) expected_value = u'System32\\drivers\\rdpvideominiport.sys' self._TestRegvalue(event_object, u'ImagePath', expected_value)
def testProcessFile(self): """Tests the Process function on a key in a file.""" test_file_entry = self._GetTestFileEntry(['SYSTEM']) key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services' win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) events = [] # Select a few service subkeys to perform additional testing. bits_events = None mc_task_manager_events = None rdp_video_miniport_events = None plugin = services.ServicesPlugin() for winreg_subkey in registry_key.GetSubkeys(): storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin, file_entry=test_file_entry) events_subkey = list(storage_writer.GetEvents()) events.extend(list(events_subkey)) if winreg_subkey.name == 'BITS': bits_events = events_subkey elif winreg_subkey.name == 'McTaskManager': mc_task_manager_events = events_subkey elif winreg_subkey.name == 'RdpVideoMiniport': rdp_video_miniport_events = events_subkey self.assertEqual(len(events), 416) # Test the BITS subkey events. self.assertEqual(len(bits_events), 1) event = bits_events[0] self.assertEqual(event.pathspec, test_file_entry.path_spec) # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event.parser, plugin.plugin_name) self.CheckTimestamp(event.timestamp, '2012-04-06 20:43:27.639075') self.assertEqual(event.data_type, 'windows:registry:service') self.assertEqual(event.service_type, 0x20) self.assertEqual(event.start_type, 3) self.assertEqual(event.service_dll, '%SystemRoot%\\System32\\qmgr.dll') # Test the McTaskManager subkey events. self.assertEqual(len(mc_task_manager_events), 1) event = mc_task_manager_events[0] self.CheckTimestamp(event.timestamp, '2011-09-16 20:49:16.877416') self.assertEqual(event.data_type, 'windows:registry:service') self.assertEqual(event.service_type, 0x10) self.assertTrue( 'DisplayName: [REG_SZ] McAfee Task Manager' in event.values) # Test the RdpVideoMiniport subkey events. self.assertEqual(len(rdp_video_miniport_events), 1) event = rdp_video_miniport_events[0] self.CheckTimestamp(event.timestamp, '2011-09-17 13:37:59.347158') self.assertEqual(event.data_type, 'windows:registry:service') self.assertEqual(event.start_type, 3) self.assertEqual(event.image_path, 'System32\\drivers\\rdpvideominiport.sys')
def testProcessFile(self): """Tests the Process function on a key in a file.""" test_file_entry = self._GetTestFileEntry(['SYSTEM']) key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services' win_registry = self._GetWinRegistryFromFileEntry(test_file_entry) registry_key = win_registry.GetKeyByPath(key_path) plugin = services.ServicesPlugin() events = [] for winreg_subkey in registry_key.GetSubkeys(): storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin, file_entry=test_file_entry) events_subkey = list(storage_writer.GetEvents()) events.extend(events_subkey) self.assertEqual(len(events), 416) # Test the BITS subkey events. winreg_subkey = registry_key.GetSubkeyByName('BITS') bits_storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin, file_entry=test_file_entry) bits_events = list(bits_storage_writer.GetEvents()) self.assertEqual(len(bits_events), 1) expected_event_values = { 'date_time': '2012-04-06 20:43:27.6390752', 'data_type': 'windows:registry:service', # This should just be the plugin name, as we're invoking it directly, # and not through the parser. 'parser': plugin.NAME, 'service_dll': '%SystemRoot%\\System32\\qmgr.dll', 'service_type': 0x20, 'start_type': 3 } self.CheckEventValues(bits_storage_writer, bits_events[0], expected_event_values) # Test the McTaskManager subkey events. winreg_subkey = registry_key.GetSubkeyByName('McTaskManager') mc_task_manager_storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin, file_entry=test_file_entry) mc_task_manager_events = list( mc_task_manager_storage_writer.GetEvents()) self.assertEqual(len(mc_task_manager_events), 1) expected_event_values = { 'date_time': '2011-09-16 20:49:16.8774156', 'data_type': 'windows:registry:service', 'service_type': 0x10 } self.CheckEventValues(mc_task_manager_storage_writer, mc_task_manager_events[0], expected_event_values) event_data = self._GetEventDataOfEvent(mc_task_manager_storage_writer, mc_task_manager_events[0]) self.assertTrue( 'DisplayName: [REG_SZ] McAfee Task Manager' in event_data.values) # Test the RdpVideoMiniport subkey events. winreg_subkey = registry_key.GetSubkeyByName('RdpVideoMiniport') rdp_video_miniport_storage_writer = self._ParseKeyWithPlugin( winreg_subkey, plugin, file_entry=test_file_entry) rdp_video_miniport_events = list( rdp_video_miniport_storage_writer.GetEvents()) self.assertEqual(len(rdp_video_miniport_events), 1) expected_event_values = { 'date_time': '2011-09-17 13:37:59.3471577', 'data_type': 'windows:registry:service', 'image_path': 'System32\\drivers\\rdpvideominiport.sys', 'start_type': 3 } self.CheckEventValues(rdp_video_miniport_storage_writer, rdp_video_miniport_events[0], expected_event_values)