Esempi in Python per dd, esempi in Python per fibratus.common.dd

Esempio n. 1

0

Mostra file

def raw_handles():
    handles = {}
    handles[18446738026470543136] = dd(obj=18446738026470543136,
                                       handle=12,
                                       pid=3472,
                                       access_mask=1048608,
                                       obj_type_index=28)
    handles[18446738026474344592] = dd(obj=18446738026474344592,
                                       handle=16,
                                       pid=3472,
                                       access_mask=2031617,
                                       obj_type_index=36)
    handles[18446738026474569824] = dd(obj=18446738026474569824,
                                       handle=204,
                                       pid=920,
                                       access_mask=1048578,
                                       obj_type_index=17)
    handles[18446738026469227424] = dd(obj=18446738026469227424,
                                       handle=116,
                                       pid=920,
                                       access_mask=2031619,
                                       obj_type_index=12)
    handles[18446735964891181152] = dd(obj=18446735964891181152,
                                       handle=108,
                                       pid=1616,
                                       access_mask=983551,
                                       obj_type_index=5)
    return handles

Esempio n. 2

0

Mostra file

File: handle.py Progetto: CaineQT/fibratus

def raw_handles():
    handles = {}
    handles[18446738026470543136] = dd(obj=18446738026470543136, handle=12, pid=3472, access_mask=1048608, obj_type_index=28)
    handles[18446738026474344592] = dd(obj=18446738026474344592, handle=16, pid=3472, access_mask=2031617, obj_type_index=36)
    handles[18446738026474569824] = dd(obj=18446738026474569824, handle=204, pid=920, access_mask=1048578, obj_type_index=17)
    handles[18446738026469227424] = dd(obj=18446738026469227424, handle=116, pid=920, access_mask=2031619, obj_type_index=12)
    handles[18446735964891181152] = dd(obj=18446735964891181152, handle=108, pid=1616, access_mask=983551, obj_type_index=5)
    return handles

Esempio n. 3

0

Mostra file

def thread_registry(handle_repo_mock, image_meta_registry_mock):
    p1 = {
        "session_id": 0,
        "command_line": "C:\\Windows\\system32\\services.exe",
        "process_id": "0x1e4",
        "unique_process_key": 18446738026492816176,
        "exit_status": 259,
        "parent_id": "0x17c",
        "image_file_name": "services.exe",
        "directory_table_base": 4299976704,
        "user_sid": None
    }
    t1 = {
        "user_stack_base": 14483456,
        "io_priority": 2,
        "teb_base": 8796092874752,
        "process_id": "0x1e4",
        "stack_limit": 18446735827441688576,
        "t_thread_id": "0x238",
        "base_priority": 9,
        "win32_start_addr": 2009573488,
        "page_priority": 5,
        "stack_base": 18446735827441713152,
        "user_stack_limit": 14450688,
        "thread_flags": 0,
        "affinity": 15,
        "sub_process_tag": "0x0"
    }
    t2 = {
        "user_stack_base": 16580608,
        "io_priority": 2,
        "teb_base": 8796092669952,
        "process_id": "0x1e4",
        "stack_limit": 18446735827442425856,
        "t_thread_id": "0x254",
        "base_priority": 9,
        "win32_start_addr": 8791752742020,
        "page_priority": 5,
        "stack_base": 18446735827442450432,
        "user_stack_limit": 16547840,
        "thread_flags": 0,
        "affinity": 15,
        "sub_process_tag": "0x0"
    }

    thread_registry = ThreadRegistry(handle_repo_mock, [],
                                     image_meta_registry_mock)
    thread_registry.add_thread(ENUM_PROCESS, dd(p1))
    thread_registry.add_thread(ENUM_THREAD, dd(t1))
    thread_registry.add_thread(ENUM_THREAD, dd(t2))

    return thread_registry

Esempio n. 4

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

def hive_parser(kevent_mock, thread_registry_mock):
    kcb1 = dd({
        "index":
        0,
        "process_id":
        1224,
        "status":
        0,
        "key_handle":
        18446735964840821928,
        "key_name":
        "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\"
        "{4a33e644-94a8-11e5-a0c5-806e6f6e6963}\\",
        "thread_id":
        1484,
        "initial_time":
        24218562806
    })
    kcb2 = dd({
        'initial_time': 0,
        'index': 0,
        'thread_id': 620,
        'status': 0,
        'key_handle': 18446735964896987168,
        'key_name':
        '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\HDAudBus',
        'process_id': 3820
    })
    kcb3 = dd({
        "index":
        0,
        "process_id":
        896,
        "status":
        0,
        "key_handle":
        18446735964812642928,
        "key_name":
        "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}"
        "\\InprocServer32",
        "thread_id":
        2916,
        "initial_time":
        0
    })
    hive_parser = HiveParser(kevent_mock, thread_registry_mock)
    hive_parser.add_kcb(kcb1)
    hive_parser.add_kcb(kcb2)
    hive_parser.add_kcb(kcb3)
    return hive_parser

Esempio n. 5

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

def hive_parser(kevent_mock, thread_registry_mock):
    kcb1 = dd({"index": 0, "process_id": 1224, "status": 0, "key_handle": 18446735964840821928,
              "key_name": "Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\"
                          "{4a33e644-94a8-11e5-a0c5-806e6f6e6963}\\",
              "thread_id": 1484, "initial_time": 24218562806})
    kcb2 = dd({'initial_time': 0, 'index': 0, 'thread_id': 620, 'status': 0, 'key_handle': 18446735964896987168,
               'key_name': '\\REGISTRY\\MACHINE\\SYSTEM\\ControlSet001\\services\\HDAudBus', 'process_id': 3820})
    kcb3 = dd({"index": 0, "process_id": 896, "status": 0, "key_handle": 18446735964812642928,
               "key_name": "\\REGISTRY\\MACHINE\\SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}"
                           "\\InprocServer32", "thread_id": 2916, "initial_time": 0})
    hive_parser = HiveParser(kevent_mock, thread_registry_mock)
    hive_parser.add_kcb(kcb1)
    hive_parser.add_kcb(kcb2)
    hive_parser.add_kcb(kcb3)
    return hive_parser

Esempio n. 6

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

    def test_create_thread_registry_proc_lookup_failed_invalid_handle(self, get_last_error, close_handle_mock,
                                                                      open_process_mock,
                                                                      thread_registry, handle_repo_mock):

        kti = dd({"user_stack_base": 1835008, "io_priority": 2, "teb_base": 8796092878848,
                  "process_id": "0x4c8", "stack_limit": 18446735827446923264, "t_thread_id": "0x4dc",
                  "base_priority": 8, "win32_start_addr": 4286166856, "page_priority": 5,
                  "stack_base": 18446735827446964224,
                  "user_stack_limit": 1744896, "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"})
        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)

        with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='explorer.exe',
                   comm='C:\\Windows\\Explorer.EXE',
                   parent_pid=0x4c8)) as query_process_info_mock:
            thread_registry.add_thread(CREATE_THREAD, kti)
            assert get_last_error.call_count == 1
            open_process_mock.assert_called_with(PROCESS_QUERY_LIMITED_INFORMATION,
                                                 False, process_id)

            query_process_info_mock.assert_called_with(29, False)
            close_handle_mock.assert_called_with(29)

        handle_repo_mock.query_handles.assert_called_with(process_id)

        proc = thread_registry.get_thread(process_id)
        assert proc
        assert proc.name == 'explorer.exe'
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.name == 'explorer.exe'
        assert t.comm == 'C:\\Windows\\Explorer.EXE'

Esempio n. 7

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

    def test_create_thread_registry_proc_lookup_failed(self, close_handle_mock, open_process_mock,
                                                       thread_registry, handle_repo_mock):

        kti = dd({"user_stack_base": 10289152, "io_priority": 2, "teb_base": 8796092874752,
                  "process_id": "0x330", "stack_limit": 18446735827443150848, "t_thread_id": "0x338",
                  "base_priority": 8, "win32_start_addr": 2009573488,
                  "page_priority": 5, "stack_base": 18446735827443175424, "user_stack_limit": 10256384,
                  "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"})
        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)

        with patch('fibratus.thread.ThreadRegistry._query_process_info', return_value=dd(name='Dwm.exe',
                   comm='C:\\Windows\\system32\\Dwm.exe',
                   parent_pid=0x748)) as query_process_info_mock:
            thread_registry.add_thread(CREATE_THREAD, kti)
            open_process_mock.assert_called_with(PROCESS_QUERY_INFORMATION |
                                                 PROCESS_QUERY_LIMITED_INFORMATION | PROCESS_VM_READ,
                                                 False, process_id)
            query_process_info_mock.assert_called_with(13)
            close_handle_mock.assert_called_with(13)

        handle_repo_mock.query_handles.assert_called_with(process_id)

        proc = thread_registry.get_thread(process_id)
        assert proc
        assert proc.name == 'dwm.exe'
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.name == 'dwm.exe'

Esempio n. 8

0

Mostra file

 def test_write_file(self, fsio, kevent):
     kfsio = dd({"file_object": 18446738026474426144, "process_id": 859, "io_flags": 0, "io_size": 8296,
                 "offset": 75279, "ttid": 1956})
     fsio.parse_fsio(WRITE_FILE, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.file == NA
     assert kevent.params.io_size == kfsio.io_size / 1024

Esempio n. 9

0

Mostra file

    def test_enum_process(self, thread_registry, handle_repo_mock):

        kti = dd({
            "session_id": 0,
            "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS",
            "process_id": "0x2d8",
            "unique_process_key": 18446738026496154416,
            "exit_status": 259,
            "user_sid": None,
            "parent_id": "0x1e4",
            "image_file_name": "svchost.exe",
            "directory_table_base": 3716534272
        })
        thread_registry.add_thread(ENUM_PROCESS, kti)
        process_id = int(kti.process_id, 16)

        handle_repo_mock.query_handles.assert_not_called()

        t = thread_registry.get_thread(process_id)
        assert t

        assert t.pid == process_id
        assert t.ppid == int(kti.parent_id, 16)
        assert t.name == kti.image_file_name
        assert t.exe == 'C:\\Windows\\system32\\svchost.exe'
        assert t.comm == kti.command_line
        assert len(t.args) > 0
        assert ['-k', 'RPCSS'] == t.args
        assert '-k' in t.args
        assert 'RPCSS' in t.args

Esempio n. 10

0

Mostra file

    def test_create_process(self, thread_registry, handle_repo_mock):

        kti = dd({
            "session_id": 4294967295,
            "command_line": "\\SystemRoot\\System32\\smss.exe",
            "process_id": "0xfc",
            "unique_process_key": 18446738026484345648,
            "exit_status": 259,
            "user_sid": None,
            "parent_id": "0x4",
            "image_file_name": "smss.exe",
            "directory_table_base": 4508921856
        })
        thread_registry.add_thread(CREATE_PROCESS, kti)
        process_id = int(kti.process_id, 16)

        t = thread_registry.get_thread(process_id)
        sys_root = os.path.expandvars("%SystemRoot%")
        assert t
        assert t.pid == process_id
        assert t.ppid == int(kti.parent_id, 16)
        assert t.name == kti.image_file_name
        assert t.exe == '%s\\System32\\smss.exe' % sys_root
        assert t.comm == kti.command_line
        assert len(t.args) == 0

Esempio n. 11

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_parse_hive_delete_value(self, hive_parser, kevent_mock):
        regkevt = dd({
            "index":
            0,
            "process_id":
            1224,
            "status":
            3221225524,
            "key_handle":
            0,
            "key_name":
            "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe"
            "\\Drives\\C\\DefaultIcon",
            "thread_id":
            2164,
            "initial_time":
            24218563385
        })

        hive_parser.parse_hive(REG_DELETE_VALUE, regkevt)

        kparams = kevent_mock.params

        assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
        assert kparams[
            'key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon'
        assert kparams['status'] == regkevt.status
        assert kparams['pid'] == regkevt.process_id
        assert kparams['tid'] == regkevt.thread_id

Esempio n. 12

0

Mostra file

    def test_terminate_thread(self, thread_registry):

        kti = dd({
            "user_stack_base": 18874368,
            "io_priority": 2,
            "teb_base": 8796092882944,
            "process_id": "0x1e4",
            "stack_limit": 18446735827462836224,
            "t_thread_id": "0x57c",
            "base_priority": 9,
            "win32_start_addr": 2009592544,
            "page_priority": 5,
            "stack_base": 18446735827462860800,
            "user_stack_limit": 18841600,
            "thread_flags": 0,
            "affinity": 15,
            "sub_process_tag": "0x0"
        })

        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)
        proc = thread_registry.get_thread(process_id)

        child_count = proc.child_count
        t = thread_registry.get_thread(thread_id)
        assert t
        thread_registry.remove_thread(TERMINATE_THREAD, kti)

        t = thread_registry.get_thread(thread_id)
        assert t is None
        assert proc.child_count == child_count - 1

Esempio n. 13

0

Mostra file

    def test_create_thread(self, thread_registry):

        kti = dd({
            "user_stack_base": 18874368,
            "io_priority": 2,
            "teb_base": 8796092882944,
            "process_id": "0x1e4",
            "stack_limit": 18446735827462836224,
            "t_thread_id": "0x57c",
            "base_priority": 9,
            "win32_start_addr": 2009592544,
            "page_priority": 5,
            "stack_base": 18446735827462860800,
            "user_stack_limit": 18841600,
            "thread_flags": 0,
            "affinity": 15,
            "sub_process_tag": "0x0"
        })
        thread_registry.add_thread(CREATE_THREAD, kti)
        thread_id = int(kti.t_thread_id, 16)
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.tid == thread_id
        assert t.pid == t.ppid == int(kti.process_id, 16)
        assert t.kstack_base == hex(kti.stack_base)
        assert t.ustack_base == hex(kti.user_stack_base)
        assert t.base_priority == kti.base_priority
        assert t.io_priority == kti.io_priority
        assert t.child_count == 0

Esempio n. 14

0

Mostra file

    def test_parse_connect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({
            'connid': 0,
            'sndwinscale': 0,
            'rcvwinscale': 0,
            'saddr': '10.0.2.15',
            'sport': 49804,
            'rcvwin': 64240,
            'tsopt': 0,
            'pid': 1380,
            'seqnum': 0,
            'daddr': '216.58.211.206',
            'size': 0,
            'mss': 1460,
            'dport': 443,
            'wsopt': 0,
            'sackopt': 0
        })

        tcpip_parser.parse_tcpip(CONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['rwin'] == ktcpip.rcvwin
        assert kparams['protocol'] == 'https'

Esempio n. 15

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_parse_hive_key_handles_lookup(self, hive_parser, kevent_mock,
                                           thread_registry_mock):
        regkevt = dd({
            "index": 0,
            "process_id": 896,
            "status": 3221225524,
            "key_handle": 18446735964819421216,
            "key_name":
            "Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}",
            "thread_id": 2916,
            "initial_time": 24219715717
        })
        hive_parser.parse_hive(REG_OPEN_KEY, regkevt)

        thread_registry_mock.get_thread.assert_called_with(regkevt.process_id)

        kcb = hive_parser.kcblocks[regkevt.key_handle]
        assert kcb and isinstance(kcb, Kcb)

        assert kcb.key == "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                          "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \
                          "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
        assert kevent_mock.params[
            'hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES'
        assert kevent_mock.params['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                                            "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \
                                            "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"

Esempio n. 16

0

Mostra file

 def test_set_file_information(self, fsio, kevent):
     kfsio = dd(
         {"file_object": 18446738023471035392, "ttid": 1956, "info_class": 20, "process_id": 859,
          "irp_ptr": 18446738026471032392})
     fsio.parse_fsio(SET_FILE_INFORMATION, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.info_class == 20
     assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'

Esempio n. 17

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_parse_hive_na(self, hive_parser, kevent_mock):
        regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 19446735964812642920,
                      "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376})
        hive_parser.parse_hive(REG_OPEN_KEY, regkevt)
        kparams = kevent_mock.params

        assert kparams['hive'] == NA
        assert kparams['key'] == '..\\ThreadingModel'

Esempio n. 18

0

Mostra file

    def test_create_thread_registry_proc_lookup_failed_invalid_handle(
            self, get_last_error, close_handle_mock, open_process_mock,
            thread_registry, handle_repo_mock):

        kti = dd({
            "user_stack_base": 1835008,
            "io_priority": 2,
            "teb_base": 8796092878848,
            "process_id": "0x4c8",
            "stack_limit": 18446735827446923264,
            "t_thread_id": "0x4dc",
            "base_priority": 8,
            "win32_start_addr": 4286166856,
            "page_priority": 5,
            "stack_base": 18446735827446964224,
            "user_stack_limit": 1744896,
            "thread_flags": 0,
            "affinity": 15,
            "sub_process_tag": "0x0"
        })
        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)

        with patch('fibratus.thread.ThreadRegistry._query_process_info',
                   return_value=dd(
                       name='explorer.exe',
                       comm='C:\\Windows\\Explorer.EXE',
                       parent_pid=0x4c8)) as query_process_info_mock:
            thread_registry.add_thread(CREATE_THREAD, kti)
            assert get_last_error.call_count == 1
            open_process_mock.assert_called_with(
                PROCESS_QUERY_LIMITED_INFORMATION, False, process_id)

            query_process_info_mock.assert_called_with(29, False)
            close_handle_mock.assert_called_with(29)

        handle_repo_mock.query_handles.assert_called_with(process_id)

        proc = thread_registry.get_thread(process_id)
        assert proc
        assert proc.name == 'explorer.exe'
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.name == 'explorer.exe'
        assert t.comm == 'C:\\Windows\\Explorer.EXE'

Esempio n. 19

0

Mostra file

File: fs.py Progetto: wwebb-r7/fibratus

 def test_delete_file(self, fsio, kevent):
     kfsio = dd({
         "file_object": 18446738026474426144,
         "ttid": 1956,
         "irp_ptr": 18446738026471032392
     })
     fsio.parse_fsio(DELETE_FILE, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log'

Esempio n. 20

0

Mostra file

File: fs.py Progetto: wwebb-r7/fibratus

 def test_rename_file(self, fsio, kevent):
     kfsio = dd({
         "file_object": 18446738023471035392,
         "ttid": 1956,
         "irp_ptr": 18446738026471032392
     })
     fsio.parse_fsio(RENAME_FILE, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'

Esempio n. 21

0

Mostra file

    def test_create_thread_registry_proc_lookup_failed(self, close_handle_mock,
                                                       open_process_mock,
                                                       thread_registry,
                                                       handle_repo_mock):

        kti = dd({
            "user_stack_base": 10289152,
            "io_priority": 2,
            "teb_base": 8796092874752,
            "process_id": "0x330",
            "stack_limit": 18446735827443150848,
            "t_thread_id": "0x338",
            "base_priority": 8,
            "win32_start_addr": 2009573488,
            "page_priority": 5,
            "stack_base": 18446735827443175424,
            "user_stack_limit": 10256384,
            "thread_flags": 0,
            "affinity": 15,
            "sub_process_tag": "0x0"
        })
        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)

        with patch('fibratus.thread.ThreadRegistry._query_process_info',
                   return_value=dd(
                       name='Dwm.exe',
                       comm='C:\\Windows\\system32\\Dwm.exe',
                       parent_pid=0x748)) as query_process_info_mock:
            thread_registry.add_thread(CREATE_THREAD, kti)
            open_process_mock.assert_called_with(
                PROCESS_QUERY_INFORMATION | PROCESS_QUERY_LIMITED_INFORMATION
                | PROCESS_VM_READ, False, process_id)
            query_process_info_mock.assert_called_with(13)
            close_handle_mock.assert_called_with(13)

        handle_repo_mock.query_handles.assert_called_with(process_id)

        proc = thread_registry.get_thread(process_id)
        assert proc
        assert proc.name == 'dwm.exe'
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.name == 'dwm.exe'

Esempio n. 22

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_add_kcb(self, hive_parser):
        kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620,
                  'status': 0, 'key_handle': 18446735964879434920,
                  'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820})
        hive_parser.add_kcb(kcb)
        assert kcb.key_handle in hive_parser.kcblocks

        kcblock = hive_parser.kcblocks[kcb.key_handle]
        assert isinstance(kcblock, Kcb)
        assert kcblock.key == kcb.key_name

Esempio n. 23

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

 def test_remove_kcb(self, hive_parser):
     kcb = dd({
         'initial_time': 0,
         'index': 0,
         'thread_id': 620,
         'status': 0,
         'key_handle': 18446735964879434920,
         'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM',
         'process_id': 3820
     })
     hive_parser.remove_kcb(kcb.key_handle)
     assert kcb.key_handle not in hive_parser.kcblocks

Esempio n. 24

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_parse_hive_key_kevent_full_node_name(self, kevent_type, hive_parser, kevent_mock):
        regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0,
                      "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe"
                                  "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385})
        hive_parser.parse_hive(kevent_type, regkevt)
        kparams = kevent_mock.params

        assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
        assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon'
        assert kparams['status'] == regkevt.status
        assert kparams['pid'] == regkevt.process_id
        assert kparams['tid'] == regkevt.thread_id

Esempio n. 25

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_parse_hive_key_kevent_kcb_lookup_match(self, kevent_type, hive_parser, kevent_mock):
        regkevt = dd({"index": 2, "process_id": 896, "status": 0, "key_handle": 18446735964812642928,
                      "key_name": "ThreadingModel", "thread_id": 2916, "initial_time": 24219715376})
        hive_parser.parse_hive(kevent_type, regkevt)
        kparams = kevent_mock.params

        assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
        assert kparams['key'] == 'SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}' \
                                  '\\InprocServer32\\ThreadingModel'
        assert kparams['status'] == regkevt.status
        assert kparams['pid'] == regkevt.process_id
        assert kparams['tid'] == regkevt.thread_id

Esempio n. 26

0

Mostra file

File: tcpip.py Progetto: rabbitstack/fibratus

    def test_parse_reconnect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15',
                     'sport': 49804, 'pid': 1380,
                     'daddr': '216.58.211.206', 'dport': 443,})

        tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport

Esempio n. 27

0

Mostra file

    def test_parse_reconnect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15',
                     'sport': 49804, 'pid': 1380,
                     'daddr': '216.58.211.206', 'dport': 443,})

        tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport

Esempio n. 28

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

 def test_terminate_process(self, thread_registry):
     kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4",
               "unique_process_key": 18446738026492816176, "exit_status": 259,
               "parent_id": "0x17c",
               "image_file_name": "services.exe",
               "directory_table_base": 4299976704,
               "user_sid": None})
     process_id = int(kti.process_id, 16)
     proc = thread_registry.get_thread(process_id)
     assert proc
     thread_registry.remove_thread(TERMINATE_PROCESS, kti)
     proc = thread_registry.get_thread(process_id)
     assert proc is None

Esempio n. 29

0

Mostra file

 def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock):
     ktcpip = dd({
         'seqnum': 0,
         'connid': 0,
         'sport': 25,
         'daddr': '91.226.88.5',
         'saddr': '10.0.2.15',
         'size': 266,
         'pid': 1380,
         'dport': 51234
     })
     tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip)
     kparams = kevent_mock.params
     assert kparams['protocol'] == 'smtp'

Esempio n. 30

0

Mostra file

File: tcpip.py Progetto: rabbitstack/fibratus

    def test_parse_accept(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15',
                     'sport': 22, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0,
                     'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 49804, 'wsopt': 0, 'sackopt': 0})

        tcpip_parser.parse_tcpip(ACCEPT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['rwin'] == ktcpip.rcvwin
        assert kparams['protocol'] == 'ssh'

Esempio n. 31

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_parse_hive_na(self, hive_parser, kevent_mock):
        regkevt = dd({
            "index": 2,
            "process_id": 896,
            "status": 0,
            "key_handle": 19446735964812642920,
            "key_name": "ThreadingModel",
            "thread_id": 2916,
            "initial_time": 24219715376
        })
        hive_parser.parse_hive(REG_OPEN_KEY, regkevt)
        kparams = kevent_mock.params

        assert kparams['hive'] == NA
        assert kparams['key'] == '..\\ThreadingModel'

Esempio n. 32

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

def thread_registry(handle_repo_mock):
    p1 = {"session_id": 0, "command_line": "C:\\Windows\\system32\\services.exe", "process_id": "0x1e4",
          "unique_process_key": 18446738026492816176, "exit_status": 259,
          "parent_id": "0x17c",
          "image_file_name": "services.exe",
          "directory_table_base": 4299976704,
          "user_sid": None}
    t1 = {"user_stack_base": 14483456, "io_priority": 2, "teb_base": 8796092874752, "process_id": "0x1e4",
          "stack_limit": 18446735827441688576, "t_thread_id": "0x238", "base_priority": 9,
          "win32_start_addr": 2009573488, "page_priority": 5,
          "stack_base": 18446735827441713152, "user_stack_limit": 14450688,
          "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}
    t2 = {"user_stack_base": 16580608, "io_priority": 2, "teb_base": 8796092669952, "process_id": "0x1e4",
          "stack_limit": 18446735827442425856, "t_thread_id": "0x254", "base_priority": 9,
          "win32_start_addr": 8791752742020, "page_priority": 5,
          "stack_base": 18446735827442450432, "user_stack_limit": 16547840,
          "thread_flags": 0, "affinity": 15, "sub_process_tag": "0x0"}

    thread_registry = ThreadRegistry(handle_repo_mock, [])
    thread_registry.add_thread(ENUM_PROCESS, dd(p1))
    thread_registry.add_thread(ENUM_THREAD, dd(t1))
    thread_registry.add_thread(ENUM_THREAD, dd(t2))

    return thread_registry

Esempio n. 33

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_add_kcb(self, hive_parser):
        kcb = dd({
            'initial_time': 0,
            'index': 0,
            'thread_id': 620,
            'status': 0,
            'key_handle': 18446735964879434920,
            'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM',
            'process_id': 3820
        })
        hive_parser.add_kcb(kcb)
        assert kcb.key_handle in hive_parser.kcblocks

        kcblock = hive_parser.kcblocks[kcb.key_handle]
        assert isinstance(kcblock, Kcb)
        assert kcblock.key == kcb.key_name

Esempio n. 34

0

Mostra file

 def test_terminate_process(self, thread_registry):
     kti = dd({
         "session_id": 0,
         "command_line": "C:\\Windows\\system32\\services.exe",
         "process_id": "0x1e4",
         "unique_process_key": 18446738026492816176,
         "exit_status": 259,
         "parent_id": "0x17c",
         "image_file_name": "services.exe",
         "directory_table_base": 4299976704,
         "user_sid": None
     })
     process_id = int(kti.process_id, 16)
     proc = thread_registry.get_thread(process_id)
     assert proc
     thread_registry.remove_thread(TERMINATE_PROCESS, kti)
     proc = thread_registry.get_thread(process_id)
     assert proc is None

Esempio n. 35

0

Mostra file

File: thread.py Progetto: rabbitstack/fibratus

    def test_create_process(self, thread_registry, handle_repo_mock):

        kti = dd({"session_id": 4294967295, "command_line": "\\SystemRoot\\System32\\smss.exe",
                  "process_id": "0xfc", "unique_process_key": 18446738026484345648, "exit_status": 259,
                  "user_sid": None, "parent_id": "0x4", "image_file_name": "smss.exe",
                  "directory_table_base": 4508921856})
        thread_registry.add_thread(CREATE_PROCESS, kti)
        process_id = int(kti.process_id, 16)

        t = thread_registry.get_thread(process_id)
        sys_root = os.path.expandvars("%SystemRoot%")
        assert t
        assert t.pid == process_id
        assert t.ppid == int(kti.parent_id, 16)
        assert t.name == kti.image_file_name
        assert t.exe == '%s\\System32\\smss.exe' % sys_root
        assert t.comm == kti.command_line
        assert len(t.args) == 0

Esempio n. 36

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

    def test_create_thread(self, thread_registry):

        kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944,
                 "process_id": "0x1e4", "stack_limit": 18446735827462836224,
                 "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544,
                 "page_priority": 5, "stack_base": 18446735827462860800,
                 "user_stack_limit": 18841600, "thread_flags": 0,
                 "affinity": 15, "sub_process_tag": "0x0"})
        thread_registry.add_thread(CREATE_THREAD, kti)
        thread_id = int(kti.t_thread_id, 16)
        t = thread_registry.get_thread(thread_id)
        assert t
        assert t.tid == thread_id
        assert t.pid == t.ppid == int(kti.process_id, 16)
        assert t.kstack_base == hex(kti.stack_base)
        assert t.ustack_base == hex(kti.user_stack_base)
        assert t.base_priority == kti.base_priority
        assert t.io_priority == kti.io_priority
        assert t.child_count == 0

Esempio n. 37

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_parse_hive_key_handles_lookup(self, hive_parser, kevent_mock, thread_registry_mock):
        regkevt = dd({"index": 0, "process_id": 896, "status": 3221225524,
                      "key_handle": 18446735964819421216,
                      "key_name": "Bags\\59\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}",
                      "thread_id": 2916, "initial_time": 24219715717})
        hive_parser.parse_hive(REG_OPEN_KEY, regkevt)

        thread_registry_mock.get_thread.assert_called_with(regkevt.process_id)

        kcb = hive_parser.kcblocks[regkevt.key_handle]
        assert kcb and isinstance(kcb, Kcb)

        assert kcb.key == "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                          "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \
                          "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"
        assert kevent_mock.params['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES'
        assert kevent_mock.params['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                                            "\\Software\Microsoft\\Windows\\Shell\\Bags\\59" \
                                            "\\Shell\\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}"

Esempio n. 38

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

    def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock):
        regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0,
                     "key_name": "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe"
                     "\\Drives\\C\\DefaultIcon", "thread_id": 2164, "initial_time": 24218563385})
        with patch('fibratus.registry.HiveParser._query_value', return_value=('open', 'REG_SZ')) \
                as query_value_mock:
            hive_parser.parse_hive(REG_SET_VALUE, regkevt)
            kparams = kevent_mock.params
            query_value_mock.assert_called_with(HKEY_LOCAL_MACHINE,
                                                'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C',
                                                'DefaultIcon')

            assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
            assert kparams['key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon'
            assert kparams['status'] == regkevt.status
            assert kparams['pid'] == regkevt.process_id
            assert kparams['tid'] == regkevt.thread_id
            assert kparams['value_type'] == 'REG_SZ'
            assert kparams['value'] == 'open'

Esempio n. 39

0

Mostra file

class TestHandleRepository():
    def test_init_handle_repository(self, handle_repo):
        handle_types = handle_repo._handle_types
        assert isinstance(handle_types, list)
        assert HandleType.FILE.name in handle_types

    @patch('fibratus.handle.HandleRepository._enum_handles',
           return_value=raw_handles())
    @patch('fibratus.handle.open_process',
           side_effect=[None, 200, 301, 120, 343])
    @patch('fibratus.handle.duplicate_handle', side_effect=[1, 1, 1, 0])
    @patch('fibratus.handle.HandleRepository._query_handle',
           side_effect=query_handle_side_effects())
    @patch('fibratus.handle.close_handle')
    @patch('fibratus.handle.get_current_process', return_value=os.getpid())
    @patch('fibratus.handle.cast', return_value=dd(value='FILE'))
    @patch('fibratus.handle.byref', return_value=0x100)
    def test_query_handles(self, byref_mock, cast_mock,
                           get_current_process_mock, close_handle_mock,
                           query_handle_mock, duplicate_handle_mock,
                           open_process_mock, enum_handles_mock, handle_repo):
        handles = handle_repo.query_handles()
        assert enum_handles_mock.called
        assert get_current_process_mock.called

        open_process_expected_calls = [
            call(PROCESS_DUP_HANDLE, False, 3472),
            call(PROCESS_DUP_HANDLE, False, 3472),
            call(PROCESS_DUP_HANDLE, False, 920),
            call(PROCESS_DUP_HANDLE, False, 920),
            call(PROCESS_DUP_HANDLE, False, 1616)
        ]
        open_process_mock.assert_has_calls(open_process_expected_calls,
                                           any_order=True)

        assert duplicate_handle_mock.call_count == 4
        assert query_handle_mock.call_count == 6
        assert close_handle_mock.call_count == 7

        assert len(handles) == 3
        assert len([h
                    for h in handles if h.handle_type == HandleType.FILE]) > 0

Esempio n. 40

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_parse_hive_key_kevent_kcb_lookup_match(self, kevent_type,
                                                    hive_parser, kevent_mock):
        regkevt = dd({
            "index": 2,
            "process_id": 896,
            "status": 0,
            "key_handle": 18446735964812642928,
            "key_name": "ThreadingModel",
            "thread_id": 2916,
            "initial_time": 24219715376
        })
        hive_parser.parse_hive(kevent_type, regkevt)
        kparams = kevent_mock.params

        assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
        assert kparams['key'] == 'SOFTWARE\\Classes\\CLSID\\{D2D588B5-D081-11D0-99E0-00C04FC2F8EC}' \
                                  '\\InprocServer32\\ThreadingModel'
        assert kparams['status'] == regkevt.status
        assert kparams['pid'] == regkevt.process_id
        assert kparams['tid'] == regkevt.thread_id

Esempio n. 41

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

    def test_terminate_thread(self, thread_registry):

        kti = dd({"user_stack_base": 18874368, "io_priority": 2, "teb_base": 8796092882944,
                 "process_id": "0x1e4", "stack_limit": 18446735827462836224,
                 "t_thread_id": "0x57c", "base_priority": 9, "win32_start_addr": 2009592544,
                 "page_priority": 5, "stack_base": 18446735827462860800,
                 "user_stack_limit": 18841600, "thread_flags": 0,
                 "affinity": 15, "sub_process_tag": "0x0"})

        thread_id = int(kti.t_thread_id, 16)
        process_id = int(kti.process_id, 16)
        proc = thread_registry.get_thread(process_id)

        child_count = proc.child_count
        t = thread_registry.get_thread(thread_id)
        assert t
        thread_registry.remove_thread(TERMINATE_THREAD, kti)

        t = thread_registry.get_thread(thread_id)
        assert t is None
        assert proc.child_count == child_count - 1

Esempio n. 42

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

 def test_parse_hive_set_value_kevent_full_node_name(self, hive_parser, kevent_mock):
     regkevt = dd({"index": 0, "process_id": 1224, "status": 3221225524, "key_handle": 0,
                           "key_name": "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES"
                           "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
                           "thread_id": 2164, "initial_time": 24218563385})
     with patch('fibratus.registry.HiveParser._query_value', return_value=('0x12', 'REG_DWORD')) \
             as query_value_mock:
         hive_parser.parse_hive(REG_QUERY_VALUE, regkevt)
         kparams = kevent_mock.params
         query_value_mock.assert_called_with(HKEY_USERS,
                                                 "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES"
                                                 "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion"
                                                 "\\TrayNotify",
                                                 'IconStreams')
         assert kparams['hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES'
         assert kparams['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                                  "\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams"
         assert kparams['status'] == regkevt.status
         assert kparams['pid'] == regkevt.process_id
         assert kparams['tid'] == regkevt.thread_id
         assert kparams['value_type'] == 'REG_DWORD'
         assert kparams['value'] == '0x12'

Esempio n. 43

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

 def test_parse_hive_set_value_kevent_full_node_name(
         self, hive_parser, kevent_mock):
     regkevt = dd({
         "index":
         0,
         "process_id":
         1224,
         "status":
         3221225524,
         "key_handle":
         0,
         "key_name":
         "\\REGISTRY\\USER\\S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES"
         "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams",
         "thread_id":
         2164,
         "initial_time":
         24218563385
     })
     with patch('fibratus.registry.HiveParser._query_value', return_value=('0x12', 'REG_DWORD')) \
             as query_value_mock:
         hive_parser.parse_hive(REG_QUERY_VALUE, regkevt)
         kparams = kevent_mock.params
         query_value_mock.assert_called_with(
             HKEY_USERS,
             "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES"
             "\\Local Settings\\Software\\Microsoft\\Windows\\CurrentVersion"
             "\\TrayNotify", 'IconStreams')
         assert kparams[
             'hive'] == 'REGISTRY_USER_S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES'
         assert kparams['key'] == "S-1-5-21-2945379629-2233710143-2353048178-1000_CLASSES\\Local Settings" \
                                  "\\Software\\Microsoft\\Windows\\CurrentVersion\\TrayNotify\\IconStreams"
         assert kparams['status'] == regkevt.status
         assert kparams['pid'] == regkevt.process_id
         assert kparams['tid'] == regkevt.thread_id
         assert kparams['value_type'] == 'REG_DWORD'
         assert kparams['value'] == '0x12'

Esempio n. 44

0

Mostra file

File: thread.py Progetto: CaineQT/fibratus

    def test_enum_process(self, thread_registry, handle_repo_mock):

        kti = dd({"session_id": 0, "command_line": "C:\\Windows\\system32\\svchost.exe -k RPCSS",
                  "process_id": "0x2d8",
                  "unique_process_key": 18446738026496154416,
                  "exit_status": 259, "user_sid": None, "parent_id": "0x1e4",
                  "image_file_name": "svchost.exe", "directory_table_base": 3716534272})
        thread_registry.add_thread(ENUM_PROCESS, kti)
        process_id = int(kti.process_id, 16)

        handle_repo_mock.query_handles.assert_not_called()

        t = thread_registry.get_thread(process_id)
        assert t

        assert t.pid == process_id
        assert t.ppid == int(kti.parent_id, 16)
        assert t.name == kti.image_file_name
        assert t.exe == 'C:\\Windows\\system32\\svchost.exe'
        assert t.comm == kti.command_line
        assert len(t.args) > 0
        assert ['-k', 'RPCSS'] == t.args
        assert '-k' in t.args
        assert 'RPCSS' in t.args

Esempio n. 45

0

Mostra file

File: registry.py Progetto: wwebb-r7/fibratus

    def test_parse_hive_set_value_kevent_full_node_name(
            self, hive_parser, kevent_mock):
        regkevt = dd({
            "index":
            0,
            "process_id":
            1224,
            "status":
            3221225524,
            "key_handle":
            0,
            "key_name":
            "\\Registry\\Machine\\Software\\Classes\\Applications\\Explorer.exe"
            "\\Drives\\C\\DefaultIcon",
            "thread_id":
            2164,
            "initial_time":
            24218563385
        })
        with patch('fibratus.registry.HiveParser._query_value', return_value=('open', 'REG_SZ')) \
                as query_value_mock:
            hive_parser.parse_hive(REG_SET_VALUE, regkevt)
            kparams = kevent_mock.params
            query_value_mock.assert_called_with(
                HKEY_LOCAL_MACHINE,
                'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C',
                'DefaultIcon')

            assert kparams['hive'] == 'REGISTRY_MACHINE_SOFTWARE'
            assert kparams[
                'key'] == 'SOFTWARE\\Classes\\Applications\\Explorer.exe\\Drives\\C\\DefaultIcon'
            assert kparams['status'] == regkevt.status
            assert kparams['pid'] == regkevt.process_id
            assert kparams['tid'] == regkevt.thread_id
            assert kparams['value_type'] == 'REG_SZ'
            assert kparams['value'] == 'open'

Esempio n. 46

0

Mostra file

File: tcpip.py Progetto: rabbitstack/fibratus

 def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock):
     ktcpip = dd({'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5',
                 'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234})
     tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip)
     kparams = kevent_mock.params
     assert kparams['protocol'] == 'smtp'

Esempio n. 47

0

Mostra file

File: fs.py Progetto: CaineQT/fibratus

 def test_delete_file(self, fsio, kevent):
     kfsio = dd({"file_object": 18446738026474426144, "ttid": 1956, "irp_ptr": 18446738026471032392})
     fsio.parse_fsio(DELETE_FILE, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log'

Esempio n. 48

0

Mostra file

File: registry.py Progetto: CaineQT/fibratus

 def test_remove_kcb(self, hive_parser):
     kcb = dd({'initial_time': 0, 'index': 0, 'thread_id': 620,
               'status': 0, 'key_handle': 18446735964879434920,
               'key_name': '\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\WBEM\\WDM', 'process_id': 3820})
     hive_parser.remove_kcb(kcb.key_handle)
     assert kcb.key_handle not in hive_parser.kcblocks

Esempio n. 49

0

Mostra file

def query_handle_side_effects():
    return [dd(contents=dd(type_name=dd(buffer="FILE"))), dd(contents=dd(buffer="\Device\HarddiskVolume2"))] \
        * len(raw_handles())

Esempio n. 50

0

Mostra file

class TestTcpIpParser():

    @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [
        (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238",
             "dport": 443, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'TCP', 'https', SEND_SOCKET_TCPV4),
        (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238",
             "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', SEND_SOCKET_UDPV4)])
    def test_parse_send(self, ktcpip, l4_proto, l5_proto,
                        kevent_type, tcpip_parser,
                        kevent_mock):

        tcpip_parser.parse_tcpip(kevent_type, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['packet_size'] == ktcpip.size
        assert kparams['l4_proto'] == l4_proto
        assert kparams['application'] == l5_proto

    @pytest.mark.parametrize('ktcpip, l4_proto, l5_proto, kevent_type', [
        (dd({'seqnum': 0, 'connid': 0, 'sport': 49720, 'daddr': '91.226.88.5',
             'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 443}), 'TCP', 'https', RECV_SOCKET_TCPV4),
        (dd({"saddr": "10.0.2.15", "sport": 49279, "daddr": "216.58.211.238",
             "dport": 53, "pid": 1848, "connid": 0, "size": 63, "seqnum": 0}), 'UDP', 'domain', RECV_SOCKET_UDPV4)])
    def test_parse_recv(self, ktcpip, l4_proto, l5_proto,
                        kevent_type, tcpip_parser,
                        kevent_mock):

        tcpip_parser.parse_tcpip(kevent_type, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['packet_size'] == ktcpip.size
        assert kparams['l4_proto'] == l4_proto
        assert kparams['application'] == l5_proto

    def test_parse_recv_dport_na(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'seqnum': 0, 'connid': 0, 'sport': 25, 'daddr': '91.226.88.5',
                    'saddr': '10.0.2.15', 'size': 266, 'pid': 1380, 'dport': 51234})
        tcpip_parser.parse_tcpip(RECV_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params
        assert kparams['application'] == 'smtp'

    def test_parse_accept(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15',
                     'sport': 22, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0,
                     'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 49804, 'wsopt': 0, 'sackopt': 0})

        tcpip_parser.parse_tcpip(ACCEPT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['rwin'] == ktcpip.rcvwin
        assert kparams['application'] == 'ssh'

    def test_parse_connect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'sndwinscale': 0, 'rcvwinscale': 0, 'saddr': '10.0.2.15',
                     'sport': 49804, 'rcvwin': 64240, 'tsopt': 0, 'pid': 1380, 'seqnum': 0,
                     'daddr': '216.58.211.206', 'size': 0, 'mss': 1460, 'dport': 443, 'wsopt': 0, 'sackopt': 0})

        tcpip_parser.parse_tcpip(CONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport
        assert kparams['rwin'] == ktcpip.rcvwin
        assert kparams['application'] == 'https'

    def test_parse_disconnect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15',
                     'sport': 49804, 'pid': 1380,
                     'daddr': '216.58.211.206', 'dport': 443,})

        tcpip_parser.parse_tcpip(DISCONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport

    def test_parse_reconnect(self, tcpip_parser, kevent_mock):
        ktcpip = dd({'connid': 0, 'saddr': '10.0.2.15',
                     'sport': 49804, 'pid': 1380,
                     'daddr': '216.58.211.206', 'dport': 443,})

        tcpip_parser.parse_tcpip(RECONNECT_SOCKET_TCPV4, ktcpip)
        kparams = kevent_mock.params

        assert kparams['pid'] == ktcpip.pid
        assert kparams['ip_src'] == ktcpip.saddr
        assert kparams['ip_dst'] == ktcpip.daddr
        assert kparams['sport'] == ktcpip.sport
        assert kparams['dport'] == ktcpip.dport

Esempio n. 51

0

Mostra file

File: handle.py Progetto: CaineQT/fibratus

def query_handle_side_effects():
    return [dd(contents=dd(type_name=dd(buffer="FILE"))), dd(contents=dd(buffer="\Device\HarddiskVolume2"))] \
        * len(raw_handles())

Esempio n. 52

0

Mostra file

File: fs.py Progetto: wwebb-r7/fibratus

class TestFsIO():
    def test_init_fsio(self, fsio):
        assert len(fsio.file_handles) == 2

    @pytest.mark.parametrize(
        'expected_op, kfsio',
        [(FileOps.SUPERSEDE,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 1223456,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 1,
              "file_attributes": 0
          })),
         (FileOps.OPEN,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 2,
              "file_attributes": 0
          })),
         (FileOps.CREATE,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 33554532,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 4,
              "file_attributes": 0
          })),
         (FileOps.OPEN_IF,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 58651617,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 3,
              "file_attributes": 0
          })),
         (FileOps.OVERWRITE,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 78874400,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 5,
              "file_attributes": 0
          })),
         (FileOps.OVERWRITE_IF,
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 83886112,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 6,
              "file_attributes": 0
          }))])
    def test_create_file_operation(self, expected_op, kfsio, fsio, kevent):

        fsio.parse_fsio(CREATE_FILE, kfsio)

        kparams = kevent.params
        assert kparams.file == kfsio.open_path
        assert kparams.tid == kfsio.ttid
        assert kparams.operation == expected_op.name

    @pytest.mark.parametrize(
        'expected_share_mask, kfsio',
        [('r--',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 1,
              "file_attributes": 0
          })),
         ('-w-',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 2,
              "file_attributes": 0
          })),
         ('--d',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 4,
              "file_attributes": 0
          })),
         ('rw-',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 3,
              "file_attributes": 0
          })),
         ('r-d',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 5,
              "file_attributes": 0
          })),
         ('-wd',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 6,
              "file_attributes": 0
          })),
         ('rwd',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": 7,
              "file_attributes": 0
          })),
         ('---',
          dd({
              "file_object": 18446738026482168384,
              "ttid": 1484,
              "create_options": 18874368,
              "open_path":
              "\\Device\\HarddiskVolume2\\Windows\\system32\\kernel32.dll",
              "irp_ptr": 18446738026471032392,
              "share_access": -1,
              "file_attributes": 0
          }))])
    def test_create_file_share_mask(self, expected_share_mask, kfsio, fsio,
                                    kevent):
        fsio.parse_fsio(CREATE_FILE, kfsio)
        assert kevent.params.share_mask == expected_share_mask

    def test_delete_file(self, fsio, kevent):
        kfsio = dd({
            "file_object": 18446738026474426144,
            "ttid": 1956,
            "irp_ptr": 18446738026471032392
        })
        fsio.parse_fsio(DELETE_FILE, kfsio)
        assert kevent.params.tid == kfsio.ttid
        assert kevent.params.file == '\\Device\\HarddiskVolume2\\fibratus.log'

    def test_write_file(self, fsio, kevent):
        kfsio = dd({
            "file_object": 18446738026474426144,
            "io_flags": 0,
            "io_size": 8296,
            "offset": 75279,
            "ttid": 1956
        })
        fsio.parse_fsio(WRITE_FILE, kfsio)
        assert kevent.params.tid == kfsio.ttid
        assert kevent.params.file == NA
        assert kevent.params.io_size == kfsio.io_size / 1024

    def test_rename_file(self, fsio, kevent):
        kfsio = dd({
            "file_object": 18446738023471035392,
            "ttid": 1956,
            "irp_ptr": 18446738026471032392
        })
        fsio.parse_fsio(RENAME_FILE, kfsio)
        assert kevent.params.tid == kfsio.ttid
        assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'

Esempio n. 53

0

Mostra file

File: fs.py Progetto: CaineQT/fibratus

 def test_rename_file(self, fsio, kevent):
     kfsio = dd({"file_object": 18446738023471035392, "ttid": 1956, "irp_ptr": 18446738026471032392})
     fsio.parse_fsio(RENAME_FILE, kfsio)
     assert kevent.params.tid == kfsio.ttid
     assert kevent.params.file == '\\Device\\HarddiskVolume2\\Windows\\system32\\rpcss.dll'