def testProcess(self):
"""Tests the Process function on a virtual key."""
key_path = (
u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services\\TestDriver')
time_string = u'2012-08-28 09:23:49.002031'
registry_key = self._CreateTestKey(key_path, time_string)
plugin = services.ServicesPlugin()
storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)
self.assertEqual(storage_writer.number_of_events, 1)
events = list(storage_writer.GetEvents())
event = events[0]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(time_string)
self.assertEqual(event.timestamp, expected_timestamp)
expected_message = (
u'[{0:s}] '
u'DisplayName: Test Driver '
u'DriverPackageId: testdriver.inf_x86_neutral_dd39b6b0a45226c4 '
u'ErrorControl: Normal (1) '
u'Group: Pnp Filter '
u'ImagePath: C:\\Dell\\testdriver.sys '
u'Start: Auto Start (2) '
u'Type: File System Driver (0x2)').format(key_path)
expected_short_message = u'{0:s}...'.format(expected_message[:77])
self._TestGetMessageStrings(event, expected_message,
expected_short_message)
def setUp(self): """Sets up the needed objects used throughout the test.""" self._plugin = services.ServicesPlugin()
def setUp(self): """Makes preparations before running an individual test.""" self._plugin = services.ServicesPlugin()
def testProcessFile(self):
"""Tests the Process function on a key in a file."""
test_file_entry = self._GetTestFileEntry([u'SYSTEM'])
key_path = u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services'
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
event_objects = []
# Select a few service subkeys to perform additional testing.
bits_event_objects = None
mc_task_manager_event_objects = None
rdp_video_miniport_event_objects = None
plugin_object = services.ServicesPlugin()
for winreg_subkey in registry_key.GetSubkeys():
storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin_object, file_entry=test_file_entry)
event_objects.extend(storage_writer.events)
if winreg_subkey.name == u'BITS':
bits_event_objects = storage_writer.events
elif winreg_subkey.name == u'McTaskManager':
mc_task_manager_event_objects = storage_writer.events
elif winreg_subkey.name == u'RdpVideoMiniport':
rdp_video_miniport_event_objects = storage_writer.events
self.assertEqual(len(event_objects), 416)
# Test the BITS subkey event objects.
self.assertEqual(len(bits_event_objects), 1)
event_object = bits_event_objects[0]
self.assertEqual(event_object.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event_object.parser, plugin_object.plugin_name)
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2012-04-06 20:43:27.639075')
self.assertEqual(event_object.timestamp, expected_timestamp)
self._TestRegvalue(event_object, u'Type', 0x20)
self._TestRegvalue(event_object, u'Start', 3)
self._TestRegvalue(
event_object, u'ServiceDll', u'%SystemRoot%\\System32\\qmgr.dll')
# Test the McTaskManager subkey event objects.
self.assertEqual(len(mc_task_manager_event_objects), 1)
event_object = mc_task_manager_event_objects[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-09-16 20:49:16.877415')
self.assertEqual(event_object.timestamp, expected_timestamp)
self._TestRegvalue(event_object, u'DisplayName', u'McAfee Task Manager')
self._TestRegvalue(event_object, u'Type', 0x10)
# Test the RdpVideoMiniport subkey event objects.
self.assertEqual(len(rdp_video_miniport_event_objects), 1)
event_object = rdp_video_miniport_event_objects[0]
expected_timestamp = timelib.Timestamp.CopyFromString(
u'2011-09-17 13:37:59.347157')
self.assertEqual(event_object.timestamp, expected_timestamp)
self._TestRegvalue(event_object, u'Start', 3)
expected_value = u'System32\\drivers\\rdpvideominiport.sys'
self._TestRegvalue(event_object, u'ImagePath', expected_value)
def testProcessFile(self):
"""Tests the Process function on a key in a file."""
test_file_entry = self._GetTestFileEntry(['SYSTEM'])
key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services'
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
events = []
# Select a few service subkeys to perform additional testing.
bits_events = None
mc_task_manager_events = None
rdp_video_miniport_events = None
plugin = services.ServicesPlugin()
for winreg_subkey in registry_key.GetSubkeys():
storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin, file_entry=test_file_entry)
events_subkey = list(storage_writer.GetEvents())
events.extend(list(events_subkey))
if winreg_subkey.name == 'BITS':
bits_events = events_subkey
elif winreg_subkey.name == 'McTaskManager':
mc_task_manager_events = events_subkey
elif winreg_subkey.name == 'RdpVideoMiniport':
rdp_video_miniport_events = events_subkey
self.assertEqual(len(events), 416)
# Test the BITS subkey events.
self.assertEqual(len(bits_events), 1)
event = bits_events[0]
self.assertEqual(event.pathspec, test_file_entry.path_spec)
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEqual(event.parser, plugin.plugin_name)
self.CheckTimestamp(event.timestamp, '2012-04-06 20:43:27.639075')
self.assertEqual(event.data_type, 'windows:registry:service')
self.assertEqual(event.service_type, 0x20)
self.assertEqual(event.start_type, 3)
self.assertEqual(event.service_dll, '%SystemRoot%\\System32\\qmgr.dll')
# Test the McTaskManager subkey events.
self.assertEqual(len(mc_task_manager_events), 1)
event = mc_task_manager_events[0]
self.CheckTimestamp(event.timestamp, '2011-09-16 20:49:16.877416')
self.assertEqual(event.data_type, 'windows:registry:service')
self.assertEqual(event.service_type, 0x10)
self.assertTrue(
'DisplayName: [REG_SZ] McAfee Task Manager' in event.values)
# Test the RdpVideoMiniport subkey events.
self.assertEqual(len(rdp_video_miniport_events), 1)
event = rdp_video_miniport_events[0]
self.CheckTimestamp(event.timestamp, '2011-09-17 13:37:59.347158')
self.assertEqual(event.data_type, 'windows:registry:service')
self.assertEqual(event.start_type, 3)
self.assertEqual(event.image_path,
'System32\\drivers\\rdpvideominiport.sys')
def testProcessFile(self):
"""Tests the Process function on a key in a file."""
test_file_entry = self._GetTestFileEntry(['SYSTEM'])
key_path = 'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\services'
win_registry = self._GetWinRegistryFromFileEntry(test_file_entry)
registry_key = win_registry.GetKeyByPath(key_path)
plugin = services.ServicesPlugin()
events = []
for winreg_subkey in registry_key.GetSubkeys():
storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin, file_entry=test_file_entry)
events_subkey = list(storage_writer.GetEvents())
events.extend(events_subkey)
self.assertEqual(len(events), 416)
# Test the BITS subkey events.
winreg_subkey = registry_key.GetSubkeyByName('BITS')
bits_storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin, file_entry=test_file_entry)
bits_events = list(bits_storage_writer.GetEvents())
self.assertEqual(len(bits_events), 1)
expected_event_values = {
'date_time': '2012-04-06 20:43:27.6390752',
'data_type': 'windows:registry:service',
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
'parser': plugin.NAME,
'service_dll': '%SystemRoot%\\System32\\qmgr.dll',
'service_type': 0x20,
'start_type': 3
}
self.CheckEventValues(bits_storage_writer, bits_events[0],
expected_event_values)
# Test the McTaskManager subkey events.
winreg_subkey = registry_key.GetSubkeyByName('McTaskManager')
mc_task_manager_storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin, file_entry=test_file_entry)
mc_task_manager_events = list(
mc_task_manager_storage_writer.GetEvents())
self.assertEqual(len(mc_task_manager_events), 1)
expected_event_values = {
'date_time': '2011-09-16 20:49:16.8774156',
'data_type': 'windows:registry:service',
'service_type': 0x10
}
self.CheckEventValues(mc_task_manager_storage_writer,
mc_task_manager_events[0], expected_event_values)
event_data = self._GetEventDataOfEvent(mc_task_manager_storage_writer,
mc_task_manager_events[0])
self.assertTrue(
'DisplayName: [REG_SZ] McAfee Task Manager' in event_data.values)
# Test the RdpVideoMiniport subkey events.
winreg_subkey = registry_key.GetSubkeyByName('RdpVideoMiniport')
rdp_video_miniport_storage_writer = self._ParseKeyWithPlugin(
winreg_subkey, plugin, file_entry=test_file_entry)
rdp_video_miniport_events = list(
rdp_video_miniport_storage_writer.GetEvents())
self.assertEqual(len(rdp_video_miniport_events), 1)
expected_event_values = {
'date_time': '2011-09-17 13:37:59.3471577',
'data_type': 'windows:registry:service',
'image_path': 'System32\\drivers\\rdpvideominiport.sys',
'start_type': 3
}
self.CheckEventValues(rdp_video_miniport_storage_writer,
rdp_video_miniport_events[0],
expected_event_values)
