def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers' values = [] values.append(winreg_test_lib.TestRegValue( 'UsernameHint', 'DOMAIN\\username'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') server_key_path = ( u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com') server_key = winreg_test_lib.TestRegKey( server_key_path, expected_timestamp, values, offset=1456) winreg_key = winreg_test_lib.TestRegKey( key_path, expected_timestamp, None, offset=865, subkeys=[server_key]) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format(key_path) expected_msg_short = ( u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Servers' values = [] values.append( winreg_test_lib.TestRegValue( 'UsernameHint', 'DOMAIN\\username'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-28 09:23:49.002031') server_key_path = ( u'\\Software\\Microsoft\\Terminal Server Client\\Servers\\myserver.com' ) server_key = winreg_test_lib.TestRegKey(server_key_path, expected_timestamp, values, offset=1456) winreg_key = winreg_test_lib.TestRegKey(key_path, expected_timestamp, None, offset=865, subkeys=[server_key]) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = u'[{0:s}] UsernameHint: DOMAIN\\username'.format( key_path) expected_msg_short = ( u'[{0:s}] UsernameHint: DOMAIN\\use...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search' values = [] values.append(winreg_test_lib.TestRegValue( ('C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\' '*****@*****.**'), '\xcf\x2b\x37\x00', winreg_test_lib.TestRegValue.REG_DWORD, offset=1892)) winreg_key = winreg_test_lib.TestRegKey( key_path, 1346145829002031, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) expected_msg = ( u'[{0:s}] ' u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\' u'[email protected]: 0x00372bcf').format(key_path) expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format( key_path) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) self.assertEqual(event_object.timestamp, 1346145829002031) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\ControlSet001\\Control\\BootVerificationProgram' values = [] values.append( winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\WINDOWS\\system32\\googleupdater.exe'.encode('utf_16_le'), 1, 123)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346445929000000, values, 153) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] # Timestamp is: Fri, 31 Aug 2012 20:45:29 GMT self.assertEquals(event_object.timestamp, 1346445929000000) self.assertTrue(event_object.regalert) expected_msg = (u'[{0:s}] ' u'BootVerification: REGALERT ' u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe' ).format(key_path) expected_msg_short = ( u'[{0:s}] BootVerification: REGALERT I...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Office\\15.0\\Outlook\\Search' values = [] values.append(winreg_test_lib.TestRegValue( ('C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\' '*****@*****.**'), '\xcf\x2b\x37\x00', winreg_test_lib.TestRegValue.REG_DWORD, offset=1892)) winreg_key = winreg_test_lib.TestRegKey( key_path, 1346145829002031, values, 1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) expected_msg = ( u'[{0:s}] ' u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\' u'[email protected]: 0x00372bcf').format(key_path) expected_msg_short = u'[{0:s}] C:\\Users\\username\\AppData\\Lo...'.format( key_path) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] self.assertEquals(event_object.timestamp, 1346145829002031) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function on a virtual key.""" key_path = u'\\ControlSet001\\services\\TestDriver' values = [] values.append(winreg_test_lib.TestRegValue( 'Type', '\x02\x00\x00\x00', 4, 123)) values.append(winreg_test_lib.TestRegValue( 'Start', '\x02\x00\x00\x00', 4, 127)) values.append(winreg_test_lib.TestRegValue( 'ErrorControl', '\x01\x00\x00\x00', 4, 131)) values.append(winreg_test_lib.TestRegValue( 'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140)) values.append(winreg_test_lib.TestRegValue( 'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160)) values.append(winreg_test_lib.TestRegValue( 'DriverPackageId', 'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1, 180)) values.append(winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200)) timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey( key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') self.assertEquals(event_object.timestamp, expected_timestamp) # TODO: Remove RegAlert completely # self.assertTrue(event_object.regalert) expected_msg = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 ' u'ErrorControl: Normal (1) ' u'Group: Pnp Filter ' u'ImagePath: C:\\Dell\\testdriver.sys ' u'Start: Auto Start (2) ' # u'ImagePath: REGALERT Driver not in system32: ' # u'C:\\Dell\\testdriver.sys ' # u'Start: REGALERT Unusual Start for Driver: Auto Start (2) ' u'Type: File System Driver (0x2)').format(key_path) expected_msg_short = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function on a virtual key.""" key_path = u'\\ControlSet001\\services\\TestDriver' values = [] values.append( winreg_test_lib.TestRegValue('Type', '\x02\x00\x00\x00', 4, 123)) values.append( winreg_test_lib.TestRegValue('Start', '\x02\x00\x00\x00', 4, 127)) values.append( winreg_test_lib.TestRegValue('ErrorControl', '\x01\x00\x00\x00', 4, 131)) values.append( winreg_test_lib.TestRegValue('Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140)) values.append( winreg_test_lib.TestRegValue('DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160)) values.append( winreg_test_lib.TestRegValue( 'DriverPackageId', 'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode( 'utf_16_le'), 1, 180)) values.append( winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031, values, 1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] # Timestamp is: Tue, 28 Aug 2012 09:23:49 GMT. self.assertEquals(event_object.timestamp, 1346145829002031) self.assertTrue(event_object.regalert) expected_msg = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 ' u'ErrorControl: Normal (1) ' u'Group: Pnp Filter ' u'ImagePath: REGALERT Driver not in system32: C:\\Dell\\testdriver.sys ' u'Start: REGALERT Unusual Start for Driver: Auto Start (2) ' u'Type: File System Driver (0x2)').format(key_path) expected_msg_short = (u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function on a virtual key.""" key_path = u'\\ControlSet001\\services\\TestDriver' values = [] values.append(winreg_test_lib.TestRegValue( 'Type', '\x02\x00\x00\x00', 4, 123)) values.append(winreg_test_lib.TestRegValue( 'Start', '\x02\x00\x00\x00', 4, 127)) values.append(winreg_test_lib.TestRegValue( 'ErrorControl', '\x01\x00\x00\x00', 4, 131)) values.append(winreg_test_lib.TestRegValue( 'Group', 'Pnp Filter'.encode('utf_16_le'), 1, 140)) values.append(winreg_test_lib.TestRegValue( 'DisplayName', 'Test Driver'.encode('utf_16_le'), 1, 160)) values.append(winreg_test_lib.TestRegValue( 'DriverPackageId', 'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode('utf_16_le'), 1, 180)) values.append(winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\Dell\\testdriver.sys'.encode('utf_16_le'), 1, 200)) timestamp = timelib.Timestamp.CopyFromString( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey( key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-28 09:23:49.002031') self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 ' u'ErrorControl: Normal (1) ' u'Group: Pnp Filter ' u'ImagePath: C:\\Dell\\testdriver.sys ' u'Start: Auto Start (2) ' u'Type: File System Driver (0x2)').format(key_path) expected_msg_short = ( u'[{0:s}] ' u'DisplayName: Test Driver ' u'DriverPackageId...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU' values = [] values.append( winreg_test_lib.TestRegValue('MRUList', 'acb'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=123)) values.append( winreg_test_lib.TestRegValue( 'a', 'Some random text here'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( 'b', 'c:/evil.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_BINARY, offset=612)) values.append( winreg_test_lib.TestRegValue( 'c', 'C:/looks_legit.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1001)) timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = (u'[{0:s}] ' u'Index: 1 [MRU Value a]: Some random text here ' u'Index: 2 [MRU Value c]: C:/looks_legit.exe ' u'Index: 3 [MRU Value b]: ').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\WinRAR\\ArcHistory' values = [] values.append( winreg_test_lib.TestRegValue( '0', 'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode( 'utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( '1', 'C:\\Downloads\\plaso-static.rar'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=612)) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, expected_timestamp, values, offset=1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 2) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) self.assertEqual(event_object.timestamp, expected_timestamp) expected_string = ( u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso' ).format(key_path) self._TestGetMessageStrings(event_object, expected_string, expected_string) event_object = event_objects[1] self.assertEqual(event_object.timestamp, 0) expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format( key_path) self._TestGetMessageStrings(event_object, expected_string, expected_string)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU' values = [] values.append( winreg_test_lib.TestRegValue('MRUList', 'acb'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=123)) values.append( winreg_test_lib.TestRegValue( 'a', 'Some random text here'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( 'b', 'c:/evil.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_BINARY, offset=612)) values.append( winreg_test_lib.TestRegValue( 'c', 'C:/looks_legit.exe'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1001)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031, values, 1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] self.assertEquals(event_object.timestamp, 1346145829002031) expected_msg = ( u'[{0:s}] ' u'Index: 1 [MRU Value a]: Some random text here ' u'Index: 2 [MRU Value c]: C:/looks_legit.exe ' u'Index: 3 [MRU Value b]: REGALERT: Unsupported MRU value: b data ' u'type.').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value a]: Some ran...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRUlist' values = [] # The order is: 201 values.append( winreg_test_lib.TestRegValue( 'MRUListEx', '\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00', winreg_interface.WinRegValue.REG_BINARY, 123)) values.append( winreg_test_lib.TestRegValue( '0', 'Some random text here'.encode('utf_16_le'), winreg_interface.WinRegValue.REG_SZ, 1892)) values.append( winreg_test_lib.TestRegValue( '1', 'c:\\evil.exe'.encode('utf_16_le'), winreg_interface.WinRegValue.REG_BINARY, 612)) values.append( winreg_test_lib.TestRegValue( '2', 'C:\\looks_legit.exe'.encode('utf_16_le'), winreg_interface.WinRegValue.REG_SZ, 1001)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 1) # A MRUListEx event object. event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}] ' u'Index: 1 [MRU Value 2]: C:\\looks_legit.exe ' u'Index: 2 [MRU Value 0]: Some random text here ' u'Index: 3 [MRU Value 1]: c:\\evil.exe').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value 2]: C:\\l...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default' values = [] values.append( winreg_test_lib.TestRegValue('MRU0', '192.168.16.60'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( 'MRU1', 'computer.domain.com'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, 612)) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, expected_timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 2) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path) expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[1] self.assertEqual(event_object.timestamp, 0) expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path) expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format( key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testWinVer(self): """Test the WinVer plugin.""" key_path = u'\\Microsoft\\Windows NT\\CurrentVersion' values = [] values.append( winreg_test_lib.TestRegValue('ProductName', 'MyTestOS'.encode('utf_16_le'), 1, 123)) values.append( winreg_test_lib.TestRegValue('CSDBuildNumber', '5'.encode('utf_16_le'), 1, 1892)) values.append( winreg_test_lib.TestRegValue( 'RegisteredOwner', 'A Concerned Citizen'.encode('utf_16_le'), 1, 612)) values.append( winreg_test_lib.TestRegValue('InstallDate', '\x13\x1aAP', 3, 1001)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346445929000000, values, 153) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-31 20:09:55') self.assertEqual(event_object.timestamp, expected_timestamp) # Note that the double spaces here are intentional. expected_msg = (u'[{0:s}] ' u'Windows Version Information: ' u'Owner: A Concerned Citizen ' u'Product name: MyTestOS sp: 5').format(key_path) expected_msg_short = (u'[{0:s}] ' u'Windows Version Information: ' u'Owner: ...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\WinRAR\\ArcHistory' values = [] values.append( winreg_test_lib.TestRegValue( '0', 'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode( 'utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append( winreg_test_lib.TestRegValue( '1', 'C:\\Downloads\\plaso-static.rar'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=612)) expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, expected_timestamp, values, offset=1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 2) event_object = event_objects[0] self.assertEquals(event_object.timestamp, expected_timestamp) expected_string = ( u'[{0:s}] 0: C:\\Downloads\\The Sleeping Dragon CD1.iso' ).format(key_path) self._TestGetMessageStrings(event_object, expected_string, expected_string) event_object = event_objects[1] self.assertEquals(event_object.timestamp, 0) expected_string = u'[{0:s}] 1: C:\\Downloads\\plaso-static.rar'.format( key_path) self._TestGetMessageStrings(event_object, expected_string, expected_string)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRU' values = [] values.append( winreg_test_lib.TestRegValue('MRUList', 'acb'.encode('utf_16_le'), 1, 123)) values.append( winreg_test_lib.TestRegValue( 'a', 'Some random text here'.encode('utf_16_le'), 1, 1892)) values.append( winreg_test_lib.TestRegValue('b', 'c:/evil.exe'.encode('utf_16_le'), 3, 612)) values.append( winreg_test_lib.TestRegValue( 'c', 'C:/looks_legit.exe'.encode('utf_16_le'), 1, 1001)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) self.assertEqual(event_object.timestamp, 1346145829002031) expected_msg = (u'[{0:s}] ' u'MRUList: [REG_SZ] acb ' u'a: [REG_SZ] Some random text here ' u'b: [REG_BINARY] ' u'c: [REG_SZ] C:/looks_legit.exe').format(key_path) expected_msg_short = ( u'[{0:s}] MRUList: [REG_SZ] acb a: [REG_SZ...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Microsoft\\Some Windows\\InterestingApp\\MRUlist' values = [] # The order is: 201 values.append( winreg_test_lib.TestRegValue( 'MRUListEx', '\x02\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00', 3, 123)) values.append( winreg_test_lib.TestRegValue( '0', 'Some random text here'.encode('utf_16_le'), 1, 1892)) values.append( winreg_test_lib.TestRegValue('1', 'c:/evil.exe'.encode('utf_16_le'), 3, 612)) values.append( winreg_test_lib.TestRegValue( '2', 'C:/looks_legit.exe'.encode('utf_16_le'), 1, 1001)) winreg_key = winreg_test_lib.TestRegKey(key_path, 1346145829002031, values, 1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 1) event_object = event_objects[0] self.assertEquals(event_object.timestamp, 1346145829002031) expected_msg = ( u'[{0:s}] ' u'Index: 1 [MRU Value 2]: C:/looks_legit.exe ' u'Index: 2 [MRU Value 0]: Some random text here ' u'Index: 3 [MRU Value 1]: c:/evil.exe').format(key_path) expected_msg_short = ( u'[{0:s}] Index: 1 [MRU Value 2]: C:/l...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\ControlSet001\\Control\\BootVerificationProgram' values = [] values.append( winreg_test_lib.TestRegValue( 'ImagePath', 'C:\\WINDOWS\\system32\\googleupdater.exe'.encode('utf_16_le'), 1, 123)) timestamp = timelib.Timestamp.CopyFromString('2012-08-31 20:45:29') winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values, 153) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) event_object = event_objects[0] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( '2012-08-31 20:45:29') self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = (u'[{0:s}] ' u'ImagePath: C:\\WINDOWS\\system32\\googleupdater.exe' ).format(key_path) expected_msg_short = ( u'[{0:s}] ImagePath: C:\\WINDOWS\\system...').format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\Software\\Microsoft\\Terminal Server Client\\Default' values = [] values.append(winreg_test_lib.TestRegValue( 'MRU0', '192.168.16.60'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=1892)) values.append(winreg_test_lib.TestRegValue( 'MRU1', 'computer.domain.com'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, 612)) expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey( key_path, expected_timestamp, values, 1456) event_generator = self._ParseKeyWithPlugin(self._plugin, winreg_key) event_objects = self._GetEventObjects(event_generator) self.assertEquals(len(event_objects), 2) event_object = event_objects[0] self.assertEquals(event_object.timestamp, expected_timestamp) expected_msg = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path) expected_msg_short = u'[{0:s}] MRU0: 192.168.16.60'.format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) event_object = event_objects[1] self.assertEquals(event_object.timestamp, 0) expected_msg = u'[{0:s}] MRU1: computer.domain.com'.format(key_path) expected_msg_short = u'[{0:s}] MRU1: computer.domain.com'.format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = ( u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\' u'DesktopStreamMRU') values = [] data = ''.join( map(chr, [ 0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10, 0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d, 0x19, 0x00, 0x23, 0x43, 0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57, 0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x50, 0x72, 0x6f, 0x66, 0x69, 0x6c, 0x65, 0x73, 0x00, 0x00, 0x25, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69, 0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44, 0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x44, 0x65, 0x73, 0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00, 0x00, 0x00 ])) values.append( winreg_test_lib.TestRegValue('MRUList', 'a'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ, offset=123)) values.append( winreg_test_lib.TestRegValue( 'a', data, winreg_test_lib.TestRegValue.REG_BINARY, offset=612)) timestamp = timelib.Timestamp.CopyFromString( u'2012-08-28 09:23:49.002031') winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values, 1456) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 5) # A MRUList event object. event_object = event_objects[4] # This should just be the plugin name, as we're invoking it directly, # and not through the parser. self.assertEqual(event_object.parser, self._plugin.plugin_name) expected_timestamp = timelib.Timestamp.CopyFromString( u'2012-08-28 09:23:49.002031') self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = ( u'[{0:s}] ' u'Index: 1 [MRU Value a]: Shell item path: ' u'<My Computer> C:\\Winnt\\Profiles\\Administrator\\Desktop' ).format(key_path) expected_msg_short = u'[{0:s}] Index:...'.format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short) # A shell item event object. event_object = event_objects[0] expected_timestamp = timelib.Timestamp.CopyFromString( u'2011-01-14 12:03:52') self.assertEqual(event_object.timestamp, expected_timestamp) expected_msg = (u'Name: Winnt ' u'Shell item path: <My Computer> C:\\Winnt ' u'Origin: {0:s}').format(key_path) expected_msg_short = ( u'Name: Winnt ' u'Origin: \\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\' u'Deskt...') self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcess(self): """Tests the Process function.""" key_path = u'\\ControlSet001\\Control\\Session Manager' values = [] values.append( winreg_test_lib.TestRegValue( 'BootExecute', 'autocheck autochk *\x00'.encode('utf_16_le'), 7, 123)) values.append( winreg_test_lib.TestRegValue('CriticalSectionTimeout', '2592000'.encode('utf_16_le'), 1, 153)) values.append( winreg_test_lib.TestRegValue('ExcludeFromKnownDlls', '\x00'.encode('utf_16_le'), 7, 163)) values.append( winreg_test_lib.TestRegValue('GlobalFlag', '0'.encode('utf_16_le'), 1, 173)) values.append( winreg_test_lib.TestRegValue('HeapDeCommitFreeBlockThreshold', '0'.encode('utf_16_le'), 1, 183)) values.append( winreg_test_lib.TestRegValue('HeapDeCommitTotalFreeThreshold', '0'.encode('utf_16_le'), 1, 203)) values.append( winreg_test_lib.TestRegValue('HeapSegmentCommit', '0'.encode('utf_16_le'), 1, 213)) values.append( winreg_test_lib.TestRegValue('HeapSegmentReserve', '0'.encode('utf_16_le'), 1, 223)) values.append( winreg_test_lib.TestRegValue('NumberOfInitialSessions', '2'.encode('utf_16_le'), 1, 243)) timestamp = timelib_test.CopyStringToTimestamp('2012-08-31 20:45:29') winreg_key = winreg_test_lib.TestRegKey(key_path, timestamp, values, 153) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEquals(len(event_objects), 2) event_object = event_objects[0] expected_timestamp = timelib_test.CopyStringToTimestamp( '2012-08-31 20:45:29') self.assertEquals(event_object.timestamp, expected_timestamp) expected_string = ( u'[{0:s}] BootExecute: autocheck autochk *').format(key_path) self._TestGetMessageStrings(event_object, expected_string, expected_string) event_object = event_objects[1] expected_msg = (u'[{0:s}] ' u'CriticalSectionTimeout: 2592000 ' u'ExcludeFromKnownDlls: [] ' u'GlobalFlag: 0 ' u'HeapDeCommitFreeBlockThreshold: 0 ' u'HeapDeCommitTotalFreeThreshold: 0 ' u'HeapSegmentCommit: 0 ' u'HeapSegmentReserve: 0 ' u'NumberOfInitialSessions: 2').format(key_path) expected_msg_short = ( u'[{0:s}] CriticalSectionTimeout: 2592000 Excl...' ).format(key_path) self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessMock(self): """Tests the Process function on created key.""" knowledge_base_values = {'current_control_set': u'ControlSet001'} key_path = u'\\ControlSet001\\Control\\TimeZoneInformation' values = [] values.append( winreg_test_lib.TestRegValue( 'ActiveTimeBias', '\xFF\xFF\xFF\xC4', winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN)) values.append( winreg_test_lib.TestRegValue( 'Bias', '\xFF\xFF\xFF\xC4', winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN)) values.append( winreg_test_lib.TestRegValue( 'DaylightBias', '\xFF\xFF\xFF\xC4', winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN)) values.append( winreg_test_lib.TestRegValue('DaylightName', '@tzres.dll,-321'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ)) values.append( winreg_test_lib.TestRegValue( 'DaylightStart', '\x00\x00\x03\x00\x05\x00\x02\x00' '\x00\x00\x00\x00\x00\x00\x00\x00', winreg_test_lib.TestRegValue.REG_BINARY)) values.append( winreg_test_lib.TestRegValue( 'DynamicDaylightTimeDisabled', '\x00\x00\x00\x00', winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN)) values.append( winreg_test_lib.TestRegValue( 'StandardBias', '\x00\x00\x00\x00', winreg_test_lib.TestRegValue.REG_DWORD_BIG_ENDIAN)) values.append( winreg_test_lib.TestRegValue('StandardName', '@tzres.dll,-322'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ)) values.append( winreg_test_lib.TestRegValue( 'StandardStart', '\x00\x00\x0A\x00\x05\x00\x03\x00' '\x00\x00\x00\x00\x00\x00\x00\x00', winreg_test_lib.TestRegValue.REG_BINARY)) values.append( winreg_test_lib.TestRegValue( 'TimeZoneKeyName', 'W. Europe Standard Time'.encode('utf_16_le'), winreg_test_lib.TestRegValue.REG_SZ)) # expr `date -u -d "2013-01-30 10:47:57" +"%s%N"` \/ 1000 winreg_key = winreg_test_lib.TestRegKey(key_path, 1359542877000000, values, 153) event_queue_consumer = self._ParseKeyWithPlugin( self._plugin, winreg_key, knowledge_base_values=knowledge_base_values) event_objects = self._GetEventObjectsFromQueue(event_queue_consumer) self.assertEqual(len(event_objects), 1) expected_timestamp = timelib.Timestamp.CopyFromString( '2013-01-30 10:47:57.000000') self.assertEqual(event_objects[0].timestamp, expected_timestamp) expected_msg = ( u'[{0:s}] ' u'ActiveTimeBias: -60 ' u'Bias: -60 ' u'DaylightBias: -60 ' u'DaylightName: @tzres.dll,-321 ' u'DynamicDaylightTimeDisabled: 0 ' u'StandardBias: 0 ' u'StandardName: @tzres.dll,-322 ' u'TimeZoneKeyName: W. Europe Standard Time').format(key_path) expected_msg_short = (u'[{0:s}] ' u'ActiveTimeBias: -60 ' u'Bias: -60 ' u'Da...').format(key_path) self._TestGetMessageStrings(event_objects[0], expected_msg, expected_msg_short)