    def testProcess(self):
        """Exercises Process on a fake MRUList key.

        Builds a test key under an application-specific path, runs the
        plugin directly (not via the parser) and checks that exactly one
        event with the expected long and short message strings is produced.
        """
        mru_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
            'InterestingApp\\MRU')
        last_written = '2012-08-28 09:23:49.002031'
        test_key = self._CreateTestKey(mru_key_path, last_written)

        mru_plugin = mrulist.MRUListStringWindowsRegistryPlugin()
        writer = self._ParseKeyWithPlugin(test_key, mru_plugin)

        self.assertEqual(writer.number_of_warnings, 0)
        self.assertEqual(writer.number_of_events, 1)

        first_event = list(writer.GetEvents())[0]

        # Invoked directly rather than through the parser, so the parser
        # attribute is expected to carry the plugin name only.
        self.assertEqual(first_event.parser, mru_plugin.plugin_name)
        self.assertEqual(first_event.data_type, 'windows:registry:mrulist')
        self.CheckTimestamp(first_event.timestamp, last_written)

        # The fixture deliberately mixes a benign-looking and a suspicious
        # executable path; both must be rendered verbatim in the message.
        entries = (
            'Index: 1 [MRU Value a]: Some random text here '
            'Index: 2 [MRU Value c]: C:/looks_legit.exe '
            'Index: 3 [MRU Value b]: c:/evil.exe')
        long_message = '[{0:s}] {1:s}'.format(mru_key_path, entries)
        short_message = '{0:s}...'.format(long_message[:77])

        self._TestGetMessageStrings(first_event, long_message, short_message)
    def testFilters(self):
        """Checks the plugin's FILTERS against fake keys and key paths.

        A bare MRU key without values must not match; once it carries an
        'MRUList' value and one entry value it must match. Two key paths
        the plugin is not meant to handle must be rejected.
        """
        mru_plugin = mrulist.MRUListStringWindowsRegistryPlugin()

        app_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
            'InterestingApp\\MRU')
        fake_key = dfwinreg_fake.FakeWinRegistryKey(
            'MRUlist', key_path=app_key_path)

        # With no values present the key must not satisfy the filter.
        self.assertFalse(self._CheckFiltersOnKeyPath(mru_plugin, fake_key))

        for value_name in ('MRUList', 'a'):
            fake_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(value_name))

        # With the list value and one entry value present it must match.
        self.assertTrue(self._CheckFiltersOnKeyPath(mru_plugin, fake_key))

        self._AssertNotFiltersOnKeyPath(
            mru_plugin, 'HKEY_LOCAL_MACHINE\\Bogus')

        desktop_stream_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\'
            'Explorer\\DesktopStreamMRU')
        self._AssertNotFiltersOnKeyPath(mru_plugin, desktop_stream_path)
    def testProcess(self):
        """Exercises Process on a fake MRUList key.

        Runs the plugin directly on a test key, verifies that a single
        event and no extraction or recovery warnings are produced, then
        checks the event values including the three MRU entries.
        """
        mru_key_path = (
            'HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\'
            'InterestingApp\\MRU')
        last_written = '2012-08-28 09:23:49.002031'
        test_key = self._CreateTestKey(mru_key_path, last_written)

        mru_plugin = mrulist.MRUListStringWindowsRegistryPlugin()
        writer = self._ParseKeyWithPlugin(test_key, mru_plugin)

        self.assertEqual(writer.number_of_events, 1)
        self.assertEqual(writer.number_of_extraction_warnings, 0)
        self.assertEqual(writer.number_of_recovery_warnings, 0)

        first_event = list(writer.GetEvents())[0]

        # The fixture deliberately mixes a benign-looking and a suspicious
        # executable path; both must be rendered verbatim in 'entries'.
        entries = (
            'Index: 1 [MRU Value a]: Some random text here '
            'Index: 2 [MRU Value c]: C:/looks_legit.exe '
            'Index: 3 [MRU Value b]: c:/evil.exe')

        # Invoked directly rather than through the parser, so 'parser' is
        # expected to hold the plugin name only.
        expected_values = {
            'date_time': '2012-08-28 09:23:49.0020310',
            'data_type': 'windows:registry:mrulist',
            'entries': entries,
            'parser': mru_plugin.NAME}

        self.CheckEventValues(writer, first_event, expected_values)