def testRealEventsYAML(self):
"""Test the plugin with YAML output against real events from the parser."""
parser = winreg.WinRegistryParser()
# We could remove the non-Services plugins, but testing shows that the
# performance gain is negligible.
knowledge_base = self._SetUpKnowledgeBase()
test_path = self._GetTestFilePath([u'SYSTEM'])
event_queue = self._ParseFile(parser, test_path, knowledge_base)
# Run the analysis plugin.
analysis_plugin = windows_services.WindowsServicesPlugin(event_queue)
analysis_plugin.SetOutputFormat(u'yaml')
analysis_report_queue_consumer = self._RunAnalysisPlugin(
analysis_plugin, knowledge_base)
analysis_reports = self._GetAnalysisReportsFromQueue(
analysis_report_queue_consumer)
report = analysis_reports[0]
text = report.text
# We'll check that a few strings are in the report, like they're supposed
# to be, rather than checking for the exact content of the string,
# as that's dependent on the full path to the test files.
test_strings = [
windows_services.WindowsService.yaml_tag, u'1394ohci', u'WwanSvc',
u'ControlSet001', u'ControlSet002'
]
for string in test_strings:
self.assertTrue(string in text,
u'{0:s} not found in report text'.format(string))
def testExamineEventAndCompileReportOnSystemFile(self):
"""Tests the ExamineEvent and CompileReport functions on a SYSTEM file."""
# We could remove the non-Services plugins, but testing shows that the
# performance gain is negligible.
parser = winreg.WinRegistryParser()
plugin = windows_services.WindowsServicesAnalysisPlugin()
storage_writer = self._ParseAndAnalyzeFile([u'SYSTEM'], parser, plugin)
self.assertEqual(len(storage_writer.events), 31436)
self.assertEqual(len(storage_writer.analysis_reports), 1)
analysis_report = storage_writer.analysis_reports[0]
# We'll check that a few strings are in the report, like they're supposed
# to be, rather than checking for the exact content of the string,
# as that's dependent on the full path to the test files.
test_strings = [
u'1394ohci',
u'WwanSvc',
u'Sources:',
u'ControlSet001',
u'ControlSet002']
for string in test_strings:
self.assertIn(string, analysis_report.text)
def testParseNoRootKey(self):
"""Test the parse function on a Registry file with no root key."""
parser = winreg.WinRegistryParser()
storage_writer = self._ParseFile(['ntuser.dat.LOG'], parser)
self.assertEqual(storage_writer.number_of_warnings, 0)
self.assertEqual(storage_writer.number_of_events, 0)
def testParseSystem(self):
"""Tests the Parse function on a SYSTEM file."""
parser = winreg.WinRegistryParser()
storage_writer = self._ParseFile([u'SYSTEM'], parser)
events = list(storage_writer.GetEvents())
parser_chains = self._GetParserChains(events)
# Check the existence of few known plugins, see if they
# are being properly picked up and are parsed.
plugin_names = [
u'windows_usbstor_devices', u'windows_boot_execute',
u'windows_services'
]
for plugin in plugin_names:
expected_parser_chain = self._PluginNameToParserChain(plugin)
self.assertTrue(
expected_parser_chain in parser_chains,
u'Chain {0:s} not found in events.'.format(
expected_parser_chain))
# Check that the number of events produced by each plugin are correct.
parser_chain = self._PluginNameToParserChain(
u'windows_usbstor_devices')
self.assertEqual(parser_chains.get(parser_chain, 0), 10)
parser_chain = self._PluginNameToParserChain(u'windows_boot_execute')
self.assertEqual(parser_chains.get(parser_chain, 0), 4)
parser_chain = self._PluginNameToParserChain(u'windows_services')
self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testParseSystemWithArtifactFilters(self):
"""Tests the Parse function on a SYSTEM file with artifact filters."""
parser = winreg.WinRegistryParser()
knowledge_base = knowledge_base_engine.KnowledgeBase()
artifact_filter_names = ['TestRegistryKey', 'TestRegistryValue']
registry = artifacts_registry.ArtifactDefinitionsRegistry()
reader = artifacts_reader.YamlArtifactsReader()
registry.ReadFromDirectory(reader,
self._GetTestFilePath(['artifacts']))
artifacts_filter_helper = artifact_filters.ArtifactDefinitionsFilterHelper(
registry, knowledge_base)
artifacts_filter_helper.BuildFindSpecs(artifact_filter_names,
environment_variables=None)
storage_writer = self._ParseFile(
['SYSTEM'],
parser,
artifacts_filter_helper=artifacts_filter_helper)
events = list(storage_writer.GetEvents())
parser_chains = self._GetParserChains(events)
# Check the existence of few known plugins, see if they
# are being properly picked up and are parsed.
plugin_names = [
'windows_usbstor_devices', 'windows_boot_execute',
'windows_services'
]
for plugin in plugin_names:
expected_parser_chain = self._PluginNameToParserChain(plugin)
self.assertTrue(
expected_parser_chain in parser_chains,
'Chain {0:s} not found in events.'.format(
expected_parser_chain))
# Check that the number of events produced by each plugin are correct.
# There will be 5 usbstor chains for currentcontrolset:
# 'HKEY_LOCAL_MACHINE\System\CurrentControlSet\Enum\USBSTOR'
parser_chain = self._PluginNameToParserChain('windows_usbstor_devices')
self.assertEqual(parser_chains.get(parser_chain, 0), 5)
# There will be 4 Windows boot execute chains for key_value pairs:
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet001\Control\Session Manager',
# value: 'BootExecute'}
# {key: 'HKEY_LOCAL_MACHINE\System\ControlSet002\Control\Session Manager',
# value: 'BootExecute'}
parser_chain = self._PluginNameToParserChain('windows_boot_execute')
self.assertEqual(parser_chains.get(parser_chain, 0), 4)
# There will be 831 windows services chains for keys:
# 'HKEY_LOCAL_MACHINE\System\ControlSet001\services\**'
# 'HKEY_LOCAL_MACHINE\System\ControlSet002\services\**'
parser_chain = self._PluginNameToParserChain('windows_services')
self.assertEqual(parser_chains.get(parser_chain, 0), 831)
def testEnablePlugins(self):
"""Tests the EnablePlugins function."""
parser = winreg.WinRegistryParser()
parser.EnablePlugins([u'appcompatcache'])
self.assertIsNotNone(parser)
self.assertIsNotNone(parser._default_plugin)
self.assertNotEqual(parser._plugins, [])
self.assertEqual(len(parser._plugins), 1)
def testParseNoRootKey(self):
"""Test the parse function on a Registry file with no root key."""
parser_object = winreg.WinRegistryParser()
test_file = self._GetTestFilePath([u'ntuser.dat.LOG'])
event_queue_consumer = self._ParseFile(parser_object, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEqual(len(event_objects), 0)
def testParseNTUserDat(self):
"""Tests the Parse function on a NTUSER.DAT file."""
parser_object = winreg.WinRegistryParser()
storage_writer = self._ParseFile([u'NTUSER.DAT'], parser_object)
parser_chains = self._GetParserChains(storage_writer.events)
expected_parser_chain = self._PluginNameToParserChain(u'userassist')
self.assertTrue(expected_parser_chain in parser_chains)
self.assertEqual(parser_chains[expected_parser_chain], 14)
def testParseNTUserDat(self):
"""Tests the Parse function on a NTUSER.DAT file."""
parser_object = winreg.WinRegistryParser()
test_file = self._GetTestFilePath([u'NTUSER.DAT'])
event_queue_consumer = self._ParseFile(parser_object, test_file)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
parser_chains = self._GetParserChains(event_objects)
expected_parser_chain = self._PluginNameToParserChain(u'userassist')
self.assertTrue(expected_parser_chain in parser_chains)
self.assertEqual(parser_chains[expected_parser_chain], 14)
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._parser = winreg.WinRegistryParser()
def testParseNoRootKey(self):
"""Test the parse function on a Registry file with no root key."""
parser_object = winreg.WinRegistryParser()
storage_writer = self._ParseFile([u'ntuser.dat.LOG'], parser_object)
self.assertEqual(len(storage_writer.events), 0)
def setUp(self):
"""Makes preparations before running an individual test."""
self._parser = winreg.WinRegistryParser()
def setUp(self): """Sets up the needed objects used throughout the test.""" pre_obj = event.PreprocessObject() pre_obj.current_control_set = 'ControlSet001' self._parser = winreg.WinRegistryParser(pre_obj)