def testGetServiceName(self):
    """_GetServiceName maps a registry value path to its owning service key.

    Both a value sitting directly under the service key and a value nested
    in a sub-key ("Parameters/...") must resolve to the same service name.
    """
    services_root = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services"
    parser = windows_registry_parser.WinServicesParser()
    # (relative value path under the service key, expected service name)
    cases = [
        ("Start", "SomeService"),
        ("Parameters/ServiceDLL", "SomeService"),
    ]
    for value_path, expected_name in cases:
        full_path = "%s/SomeService/%s" % (services_root, value_path)
        self.assertEqual(parser._GetServiceName(full_path), expected_name)
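def testWinServicesParser(self):
    """WinServicesParser groups registry values into one result per service.

    The fixture mixes values under two spellings of the services hive
    ("Services" and "services"), a value that is not nested under a service
    key, a REG_MULTI_SZ display name and a non-ASCII service name. The parser
    must group values by service, keep every field intact and not emit a
    result for the stray value. image_path and service_dll are the fields an
    investigator relies on to locate the code a service loads, so they are
    checked byte-for-byte.
    """
    dword = rdf_client.StatEntry.RegistryType.REG_DWORD_LITTLE_ENDIAN
    reg_str = rdf_client.StatEntry.RegistryType.REG_SZ
    multi_sz = rdf_client.StatEntry.RegistryType.REG_MULTI_SZ
    hklm = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services"
    hklm_set01 = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services"
    service_keys = [
        ("%s/ACPI/Type" % hklm, 1, dword),
        ("%s/ACPI/Start" % hklm, 0, dword),
        # This one is broken, the parser should just ignore it.
        ("%s/notarealservice" % hklm, 3, dword),
        ("%s/ACPI/ErrorControl" % hklm, 3, dword),
        ("%s/ACPI/ImagePath" % hklm, "system32\\drivers\\ACPI.sys", reg_str),
        ("%s/ACPI/DisplayName" % hklm, "Microsoft ACPI Driver", reg_str),
        ("%s/ACPI/Group" % hklm, "Boot Bus Extender", reg_str),
        ("%s/ACPI/DriverPackageId" % hklm,
         "acpi.inf_amd64_neutral_99aaaaabcccccccc", reg_str),
        ("%s/AcpiPmi/Start" % hklm_set01, 3, dword),
        ("%s/AcpiPmi/DisplayName" % hklm_set01, "AcpiPmi", multi_sz),
        (u"%s/中国日报/DisplayName" % hklm, u"中国日报", reg_str),
        (u"%s/中国日报/Parameters/ServiceDLL" % hklm, "blah.dll", reg_str),
    ]
    stats = [self._MakeRegStat(*x) for x in service_keys]
    parser = windows_registry_parser.WinServicesParser()
    results = parser.ParseMultiple(stats, None)

    names = []
    for result in results:
        if result.display_name == u"中国日报":
            self.assertEqual(result.display_name, u"中国日报")
            self.assertEqual(result.service_dll, "blah.dll")
            names.append(result.display_name)
        elif utils.SmartStr(result.registry_key).endswith("AcpiPmi"):
            self.assertEqual(result.name, "AcpiPmi")
            self.assertEqual(result.startup_type, 3)
            # A REG_MULTI_SZ value is stringified as a list repr.
            self.assertEqual(result.display_name, "[u'AcpiPmi']")
            self.assertEqual(result.registry_key, "%s/AcpiPmi" % hklm_set01)
            names.append(result.display_name)
        elif utils.SmartStr(result.registry_key).endswith("ACPI"):
            self.assertEqual(result.name, "ACPI")
            self.assertEqual(result.service_type, 1)
            self.assertEqual(result.startup_type, 0)
            self.assertEqual(result.error_control, 3)
            self.assertEqual(result.image_path, "system32\\drivers\\ACPI.sys")
            self.assertEqual(result.display_name, "Microsoft ACPI Driver")
            self.assertEqual(result.group_name, "Boot Bus Extender")
            self.assertEqual(result.driver_package_id,
                             "acpi.inf_amd64_neutral_99aaaaabcccccccc")
            names.append(result.display_name)
        else:
            # Without this branch a result for the stray "notarealservice"
            # value would pass unnoticed: it matches no branch and never
            # reaches the name list below.
            self.fail("Unexpected service result for key %s" %
                      utils.SmartStr(result.registry_key))

    self.assertItemsEqual(
        names, [u"中国日报", "[u'AcpiPmi']", "Microsoft ACPI Driver"])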
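def testWinServicesParser(self):
    """WinServicesParser groups registry values into one result per service.

    The fixture mixes values under two spellings of the services hive
    ("Services" and "services"), a value that is not nested under a service
    key, a REG_MULTI_SZ display name and a non-ASCII service name. The parser
    must group values by service, keep every field intact and not emit a
    result for the stray value. image_path and service_dll are the fields an
    investigator relies on to locate the code a service loads, so they are
    checked byte-for-byte.
    """
    dword = rdf_client_fs.StatEntry.RegistryType.REG_DWORD_LITTLE_ENDIAN
    reg_str = rdf_client_fs.StatEntry.RegistryType.REG_SZ
    multi_sz = rdf_client_fs.StatEntry.RegistryType.REG_MULTI_SZ
    hklm = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services"
    hklm_set01 = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services"
    service_keys = [
        ("%s/ACPI/Type" % hklm, 1, dword),
        ("%s/ACPI/Start" % hklm, 0, dword),
        # This one is broken, the parser should just ignore it.
        ("%s/notarealservice" % hklm, 3, dword),
        ("%s/ACPI/ErrorControl" % hklm, 3, dword),
        ("%s/ACPI/ImagePath" % hklm, "system32\\drivers\\ACPI.sys", reg_str),
        ("%s/ACPI/DisplayName" % hklm, "Microsoft ACPI Driver", reg_str),
        ("%s/ACPI/Group" % hklm, "Boot Bus Extender", reg_str),
        ("%s/ACPI/DriverPackageId" % hklm,
         "acpi.inf_amd64_neutral_99aaaaabcccccccc", reg_str),
        ("%s/AcpiPmi/Start" % hklm_set01, 3, dword),
        ("%s/AcpiPmi/DisplayName" % hklm_set01, "AcpiPmi", multi_sz),
        (u"%s/中国日报/DisplayName" % hklm, u"中国日报", reg_str),
        (u"%s/中国日报/Parameters/ServiceDLL" % hklm, "blah.dll", reg_str),
    ]
    stats = [self._MakeRegStat(*x) for x in service_keys]
    parser = windows_registry_parser.WinServicesParser()
    results = parser.ParseResponses(None, stats)

    # TODO: String representation in Python 2 represents unicode strings
    # with a "u" prefix and there is nothing we can do about that. The
    # REG_MULTI_SZ display name is stringified as a list repr, so the
    # expected text differs between the two interpreters.
    if compatibility.PY2:
        multi_sz_display_name = "[u'AcpiPmi']"
    else:
        multi_sz_display_name = "['AcpiPmi']"

    names = []
    for result in results:
        if result.display_name == u"中国日报":
            self.assertEqual(result.display_name, u"中国日报")
            self.assertEqual(result.service_dll, "blah.dll")
            names.append(result.display_name)
        elif str(result.registry_key).endswith("AcpiPmi"):
            self.assertEqual(result.name, "AcpiPmi")
            self.assertEqual(result.startup_type, 3)
            self.assertEqual(result.display_name, multi_sz_display_name)
            self.assertEqual(result.registry_key, "%s/AcpiPmi" % hklm_set01)
            names.append(result.display_name)
        elif str(result.registry_key).endswith("ACPI"):
            self.assertEqual(result.name, "ACPI")
            self.assertEqual(result.service_type, 1)
            self.assertEqual(result.startup_type, 0)
            self.assertEqual(result.error_control, 3)
            self.assertEqual(result.image_path, "system32\\drivers\\ACPI.sys")
            self.assertEqual(result.display_name, "Microsoft ACPI Driver")
            self.assertEqual(result.group_name, "Boot Bus Extender")
            self.assertEqual(result.driver_package_id,
                             "acpi.inf_amd64_neutral_99aaaaabcccccccc")
            names.append(result.display_name)
        else:
            # Without this branch a result for the stray "notarealservice"
            # value would pass unnoticed: it matches no branch and never
            # reaches the name list below.
            self.fail("Unexpected service result for key %s" %
                      str(result.registry_key))

    self.assertCountEqual(
        names, [u"中国日报", multi_sz_display_name, "Microsoft ACPI Driver"])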