def testFilters(self):
  """Tests the FILTERS class attribute.

  The plugin must claim the Internet Settings "Zones" and "Lockdown_Zones"
  keys under both the per-user (HKEY_CURRENT_USER) and the machine-wide
  (HKEY_LOCAL_MACHINE) hives, and must not claim an unrelated key.
  """
  plugin = msie_zones.MsieZoneSettingsPlugin()

  internet_settings_path = (
      'Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings')

  # Same four key paths as before, in the same order: HKCU Lockdown_Zones,
  # HKCU Zones, HKLM Lockdown_Zones, HKLM Zones.
  for hive_name in ('HKEY_CURRENT_USER', 'HKEY_LOCAL_MACHINE'):
    for zones_key_name in ('Lockdown_Zones', 'Zones'):
      key_path = '\\'.join([hive_name, internet_settings_path, zones_key_name])
      self._AssertFiltersOnKeyPath(plugin, key_path)

  # A key outside the Internet Settings tree must not match the filters.
  self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus')
def testProcessNtuserZones(self):
  """Tests the Process function on a Zones key.

  Parses the per-user Internet Settings Zones key from the NTUSER-WIN7.DAT
  test file and checks the event generated for the "0 (My Computer)" zone
  subkey: its parser name, timestamp, one spot-checked registry value and
  the full rendered message strings.
  """
  test_file_entry = self._GetTestFileEntry([u'NTUSER-WIN7.DAT'])
  key_path = (
      u'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
      u'Internet Settings\\Zones')

  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)

  plugin = msie_zones.MsieZoneSettingsPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  self.assertEqual(storage_writer.number_of_events, 6)

  zone_events = list(storage_writer.GetEvents())
  my_computer_event = zone_events[1]

  # The plugin is invoked directly rather than through the parser, so the
  # parser attribute carries only the plugin name.
  self.assertEqual(my_computer_event.parser, plugin.plugin_name)

  expected_timestamp = timelib.Timestamp.CopyFromString(
      u'2011-09-16 21:12:40.145514')
  self.assertEqual(my_computer_event.timestamp, expected_timestamp)

  # Setting 1200 (Run ActiveX controls and plug-ins) is checked on its own
  # before the complete message is compared.
  self._TestRegvalue(
      my_computer_event, u'[1200] Run ActiveX controls and plug-ins',
      u'0 (Allow)')

  expected_message = (
      u'[{0:s}\\0 (My Computer)] '
      u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
      u'[1400] Active scripting: 0 (Allow) '
      u'[2001] .NET: Run components signed with Authenticode: 3 (Not '
      u'Allowed) '
      u'[2004] .NET: Run components not signed with Authenticode: 3 (Not '
      u'Allowed) '
      u'[2007] UNKNOWN: 3 '
      u'[CurrentLevel]: 0 '
      u'[Description]: Your computer '
      u'[DisplayName]: Computer '
      u'[Flags]: 33 [Icon]: shell32.dll#0016 '
      u'[LowIcon]: inetcpl.cpl#005422 '
      u'[PMDisplayName]: Computer '
      u'[Protected Mode]').format(key_path)
  # The short message is the first 77 characters followed by an ellipsis.
  expected_short_message = u'{0:s}...'.format(expected_message[:77])

  self._TestGetMessageStrings(
      my_computer_event, expected_message, expected_short_message)
def testProcessNtuserLockdownZones(self):
  """Tests the Process function on a Lockdown_Zones key.

  Parses the per-user Internet Settings Lockdown_Zones key from the
  NTUSER-WIN7.DAT test file and checks the event generated for the
  "0 (My Computer)" zone subkey: no warnings, the parser name, the
  timestamp, one spot-checked registry value and the rendered messages.
  """
  test_file_entry = self._GetTestFileEntry(['NTUSER-WIN7.DAT'])
  key_path = (
      'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
      'Internet Settings\\Lockdown_Zones')

  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)

  plugin = msie_zones.MsieZoneSettingsPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  self.assertEqual(storage_writer.number_of_warnings, 0)
  self.assertEqual(storage_writer.number_of_events, 6)

  zone_events = list(storage_writer.GetEvents())
  my_computer_event = zone_events[1]

  # The plugin is invoked directly rather than through the parser, so the
  # parser attribute carries only the plugin name.
  self.assertEqual(my_computer_event.parser, plugin.plugin_name)

  self.CheckTimestamp(my_computer_event.timestamp, '2011-09-16 21:12:40.145514')

  # In the lockdown zone, setting 1200 (Run ActiveX controls and plug-ins)
  # is expected to be disallowed, unlike the regular Zones key.
  self._TestRegvalue(
      my_computer_event, '[1200] Run ActiveX controls and plug-ins',
      '3 (Not Allowed)')

  expected_message = (
      '[{0:s}\\0 (My Computer)] '
      '[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
      '[1400] Active scripting: 1 (Prompt User) '
      '[CurrentLevel]: 0 '
      '[Description]: Your computer '
      '[DisplayName]: Computer '
      '[Flags]: 33 '
      '[Icon]: shell32.dll#0016 '
      '[LowIcon]: inetcpl.cpl#005422 '
      '[PMDisplayName]: Computer '
      '[Protected Mode]').format(key_path)
  # The short message is the first 77 characters followed by an ellipsis.
  expected_short_message = '{0:s}...'.format(expected_message[:77])

  self._TestGetMessageStrings(
      my_computer_event, expected_message, expected_short_message)
def testProcessSoftwareZones(self):
  """Tests the Process function on a Zones key.

  Parses the machine-wide Internet Settings Zones key from the SOFTWARE
  test file and checks the event generated for the "0 (My Computer)" zone
  subkey: the parser name, the timestamp, one spot-checked registry value
  and the complete rendered message listing every zone setting.
  """
  test_file_entry = self._GetTestFileEntry(['SOFTWARE'])
  key_path = (
      'HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\'
      'Internet Settings\\Zones')

  win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
  registry_key = win_registry.GetKeyByPath(key_path)

  plugin = msie_zones.MsieZoneSettingsPlugin()
  storage_writer = self._ParseKeyWithPlugin(
      registry_key, plugin, file_entry=test_file_entry)

  self.assertEqual(storage_writer.number_of_events, 6)

  zone_events = list(storage_writer.GetEvents())
  my_computer_event = zone_events[1]

  # The plugin is invoked directly rather than through the parser, so the
  # parser attribute carries only the plugin name.
  self.assertEqual(my_computer_event.parser, plugin.plugin_name)

  self.CheckTimestamp(my_computer_event.timestamp, '2011-08-28 21:32:44.937675')

  # Setting 1200 (Run ActiveX controls and plug-ins) is checked on its own
  # before the complete message is compared.
  self._TestRegvalue(
      my_computer_event, '[1200] Run ActiveX controls and plug-ins',
      '0 (Allow)')

  # Every setting of the zone, in the order the plugin renders them.
  expected_message = (
      '[{0:s}\\0 (My Computer)] '
      '[1001] Download signed ActiveX controls: 0 (Allow) '
      '[1004] Download unsigned ActiveX controls: 0 (Allow) '
      '[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
      '[1201] Initialize and script ActiveX controls not marked as safe: 1 '
      '(Prompt User) '
      '[1206] Allow scripting of IE Web browser control: 0 '
      '[1207] Reserved: 0 '
      '[1208] Allow previously unused ActiveX controls to run without '
      'prompt: 0 '
      '[1209] Allow Scriptlets: 0 '
      '[120A] Override Per-Site (domain-based) ActiveX restrictions: 0 '
      '[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
      '[1400] Active scripting: 0 (Allow) '
      '[1402] Scripting of Java applets: 0 (Allow) '
      '[1405] Script ActiveX controls marked as safe for scripting: 0 '
      '(Allow) '
      '[1406] Access data sources across domains: 0 (Allow) '
      '[1407] Allow Programmatic clipboard access: 0 (Allow) '
      '[1408] Reserved: 0 '
      '[1409] UNKNOWN: 3 '
      '[1601] Submit non-encrypted form data: 0 (Allow) '
      '[1604] Font download: 0 (Allow) '
      '[1605] Run Java: 0 '
      '[1606] Userdata persistence: 0 (Allow) '
      '[1607] Navigate sub-frames across different domains: 0 (Allow) '
      '[1608] Allow META REFRESH: 0 (Allow) '
      '[1609] Display mixed content: 1 (Prompt User) '
      '[160A] Include local directory path when uploading files to a '
      'server: 0 '
      '[1802] Drag and drop or copy and paste files: 0 (Allow) '
      '[1803] File Download: 0 (Allow) '
      '[1804] Launching programs and files in an IFRAME: 0 (Allow) '
      '[1805] Launching programs and files in webview: 0 '
      '[1806] Launching applications and unsafe files: 0 '
      '[1807] Reserved: 0 '
      '[1808] Reserved: 0 '
      '[1809] Use Pop-up Blocker: 3 (Not Allowed) '
      '[180A] Reserved: 0 '
      '[180C] Reserved: 0 '
      '[180D] Reserved: 0 '
      '[180E] UNKNOWN: 0 '
      '[180F] UNKNOWN: 0 '
      '[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
      'current user name and password) '
      '[1A02] Allow persistent cookies that are stored on your computer: 0 '
      '[1A03] Allow per-session cookies (not stored): 0 '
      '[1A04] Don\'t prompt for client cert selection when no certs exists: '
      '0 (Allow) '
      '[1A05] Allow 3rd party persistent cookies: 0 '
      '[1A06] Allow 3rd party session cookies: 0 '
      '[1A10] Privacy Settings: 0 '
      '[1C00] Java permissions: 0x00020000 (Medium safety) '
      '[2000] Binary and script behaviors: 0 (Allow) '
      '[2001] .NET: Run components signed with Authenticode: '
      '3 (Not Allowed) '
      '[2004] .NET: Run components not signed with Authenticode: '
      '3 (Not Allowed) '
      '[2005] UNKNOWN: 0 '
      '[2007] UNKNOWN: 3 '
      '[2100] Open files based on content, not file extension: 0 (Allow) '
      '[2101] Web sites in less privileged zone can navigate into this '
      'zone: 3 (Not Allowed) '
      '[2102] Allow script initiated windows without size/position '
      'constraints: 0 (Allow) '
      '[2103] Allow status bar updates via script: 0 '
      '[2104] Allow websites to open windows without address or status '
      'bars: 0 '
      '[2105] Allow websites to prompt for information using scripted '
      'windows: 0 '
      '[2106] UNKNOWN: 0 '
      '[2107] UNKNOWN: 0 '
      '[2200] Automatic prompting for file downloads: 0 (Allow) '
      '[2201] Automatic prompting for ActiveX controls: 0 (Allow) '
      '[2300] Allow web pages to use restricted protocols for active '
      'content: 1 (Prompt User) '
      '[2301] Use Phishing Filter: 3 '
      '[2400] .NET: XAML browser applications: 0 '
      '[2401] .NET: XPS documents: 0 '
      '[2402] .NET: Loose XAML: 0 '
      '[2500] Turn on Protected Mode: 3 '
      '[2600] Enable .NET Framework setup: 0 '
      '[2700] UNKNOWN: 3 '
      '[2701] UNKNOWN: 0 '
      '[2702] UNKNOWN: 3 '
      '[2703] UNKNOWN: 3 '
      '[2708] UNKNOWN: 0 '
      '[2709] UNKNOWN: 0 '
      '[CurrentLevel]: 0 '
      '[Description]: Your computer '
      '[DisplayName]: Computer '
      '[Flags]: 33 '
      '[Icon]: shell32.dll#0016 '
      '[LowIcon]: inetcpl.cpl#005422 '
      '[PMDisplayName]: Computer '
      '[Protected Mode]').format(key_path)
  # The short message is the first 77 characters followed by an ellipsis.
  expected_short_message = '{0:s}...'.format(expected_message[:77])

  self._TestGetMessageStrings(
      my_computer_event, expected_message, expected_short_message)
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Creates a fresh MSIE zone settings plugin instance for each test.
  """
  plugin_class = msie_zones.MsieZoneSettingsPlugin
  self._plugin = plugin_class()
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Creates the plugin instance and resolves both the path and the file
  entry of the NTUSER-WIN7.DAT test file.
  """
  self._plugin = msie_zones.MsieZoneSettingsPlugin()

  test_file_segments = [u'NTUSER-WIN7.DAT']
  self._test_file = self._GetTestFilePath(test_file_segments)
  self._file_entry = self._GetTestFileEntryFromPath(test_file_segments)
def setUp(self):
  """Sets up the needed objects used throughout the test.

  Creates the plugin instance and resolves the path of the NTUSER-WIN7.DAT
  test file.
  """
  test_file_segments = ['NTUSER-WIN7.DAT']

  self._plugin = msie_zones.MsieZoneSettingsPlugin()
  self._test_file = self._GetTestFilePath(test_file_segments)
def setUp(self):
  """Makes preparations before running an individual test.

  A new MSIE zone settings plugin instance is created per test so that no
  state leaks between tests.
  """
  plugin_class = msie_zones.MsieZoneSettingsPlugin
  self._plugin = plugin_class()