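  def testFindsKeyWithLiteralAndModificationTimeConditions(self):
    """Applies a modification-time and a value-literal condition together.

    Both conditions run against the values under the HKEY_USERS Run key.
    The time window on its own admits two fixture values (see the
    modification-time-only test in this file); the literal condition narrows
    the result down to the single Sidebar value.
    """
    # One-second window on either side of the fixture's timestamp.
    modification_time = file_finder.FileFinderModificationTimeCondition(
        min_last_modified_time=
        rdfvalue.RDFDatetime().FromSecondsFromEpoch(1247546054 - 1),
        max_last_modified_time=
        rdfvalue.RDFDatetime().FromSecondsFromEpoch(1247546054 + 1))

    # bytes_before/bytes_after control how much surrounding value data is
    # reported with each hit.
    value_literal_match = file_finder.FileFinderContentsLiteralMatchCondition(
        bytes_before=10,
        bytes_after=10,
        literal="Windows Sidebar\\Sidebar.exe")

    self.RunFlow(
        ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
        [registry.RegistryFinderCondition(
            condition_type=
            registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
            modification_time=modification_time),
         registry.RegistryFinderCondition(
             condition_type=
             registry.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
             value_literal_match=value_literal_match)])

    results = self.GetResults()
    # Only the Sidebar value satisfies both conditions. The MctAdmin value
    # also falls inside the time window (see the modification-time-only test
    # and test_data/client_fixture.py) but is filtered out by the literal.
    self.assertEqual(len(results), 1)
    self.assertEqual(results[0].stat_entry.aff4path,
                     "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
                     "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")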
  def testFindsKeyIfItMatchesRegexMatchCondition(self):
    """Regex match on value data returns exactly the Sidebar Run value.

    Verifies the hit offset and the reported context bytes, then the AFF4
    path and registry pathspec of the returned stat entry.
    """
    run_key_glob = (
        "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")
    # Unanchored pattern: it is searched for anywhere in the value data.
    regex_condition = registry.RegistryFinderCondition(
        condition_type=
        registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
        value_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
            bytes_before=10,
            bytes_after=10,
            regex="Windows.+\\.exe"))

    self.RunFlow([run_key_glob], [regex_condition])

    results = self.GetResults()
    self.assertEqual(len(results), 1)
    result = results[0]

    self.assertEqual(len(result.matches), 1)
    hit = result.matches[0]
    self.assertEqual(hit.offset, 15)
    self.assertEqual(hit.data,
                     "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")

    stat_entry = result.stat_entry
    expected_aff4path = (
        "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
        "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
    expected_path = (
        "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
        "CurrentVersion/Run/Sidebar")
    self.assertEqual(stat_entry.aff4path, expected_aff4path)
    self.assertEqual(stat_entry.pathspec.path, expected_path)
    self.assertEqual(stat_entry.pathspec.pathtype,
                     rdf_paths.PathSpec.PathType.REGISTRY)
    def testFindsKeysIfModificationTimeConditionMatches(self):
        """A modification-time window alone matches both fixture Run values."""
        fixture_mtime = 1247546054
        # One-second window on either side of the fixture's timestamp.
        modification_time = file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
                fixture_mtime - 1),
            max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
                fixture_mtime + 1))
        mtime_condition = registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.
            MODIFICATION_TIME,
            modification_time=modification_time)

        self.RunFlow([
            "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
        ], [mtime_condition])

        results = self.GetResults()
        self.assertEqual(len(results), 2)
        # Both the Sidebar and the MctAdmin values carry the fixture
        # timestamp (see test_data/client_fixture.py).
        basenames = [r.stat_entry.aff4path.Basename() for r in results]
        self.assertIn("Sidebar", basenames)
        self.assertIn("MctAdmin", basenames)
    def testFindsKeyIfItMatchesLiteralMatchCondition(self):
        """Literal match on value data returns exactly the Sidebar Run value.

        Checks the hit offset and reported context bytes, then the AFF4 path
        and registry pathspec of the returned stat entry.
        """
        # bytes_before/bytes_after control how much surrounding value data is
        # reported with the hit.
        literal_condition = registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.
            VALUE_LITERAL_MATCH,
            value_literal_match=(
                rdf_file_finder.FileFinderContentsLiteralMatchCondition(
                    bytes_before=10,
                    bytes_after=10,
                    literal="Windows Sidebar\\Sidebar.exe")))

        session_id = self.RunFlow([self.runkey], [literal_condition])
        results = self.GetResults(session_id)
        self.assertEqual(len(results), 1)
        result = results[0]

        self.assertEqual(len(result.matches), 1)
        hit = result.matches[0]
        self.assertEqual(hit.offset, 15)
        self.assertEqual(hit.data,
                         "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")

        stat_entry = result.stat_entry
        expected_aff4path = (
            "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
            "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
        expected_path = (
            "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
            "CurrentVersion/Run/Sidebar")
        self.assertEqual(stat_entry.AFF4Path(self.client_id), expected_aff4path)
        self.assertEqual(stat_entry.pathspec.path, expected_path)
        self.assertEqual(stat_entry.pathspec.pathtype,
                         rdf_paths.PathSpec.PathType.REGISTRY)
 def testSizeCondition(self):
   """A size condition keeps only the Run value whose data exceeds 50 bytes."""
   # The fixture holds two values of 20 and 53 bytes; min_file_size=50
   # admits only the larger one.
   size_condition = registry.RegistryFinderCondition(
       condition_type=registry.RegistryFinderCondition.Type.SIZE,
       size=file_finder.FileFinderSizeCondition(min_file_size=50))
   self.RunFlow(
       ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
       [size_condition])

   results = self.GetResults()
   self.assertEqual(len(results), 1)
   only_result = results[0]
   self.assertGreater(only_result.stat_entry.st_size, 50)
 def testSizeCondition(self):
     """A size condition keeps only the Run value whose data exceeds 50 bytes."""
     # The fixture holds two values of 20 and 53 bytes; min_file_size=50
     # admits only the larger one.
     size_condition = registry.RegistryFinderCondition(
         condition_type=registry.RegistryFinderCondition.Type.SIZE,
         size=rdf_file_finder.FileFinderSizeCondition(min_file_size=50))

     session_id = self.RunFlow([self.runkey], [size_condition])
     results = self.GetResults(session_id)
     self.assertEqual(len(results), 1)
     only_result = results[0]
     self.assertGreater(only_result.stat_entry.st_size, 50)
 def testFindsNothingIfRegexMatchesNothing(self):
     """A regex that matches no value data yields an empty result set."""
     # The surrounding ".*" are redundant for a search-style match; the
     # pattern is kept as-is because the test only needs it to miss.
     regex_condition = registry.RegistryFinderCondition(
         condition_type=registry.RegistryFinderCondition.Type.
         VALUE_REGEX_MATCH,
         value_regex_match=(
             rdf_file_finder.FileFinderContentsRegexMatchCondition(
                 bytes_before=10, bytes_after=10, regex=".*CanNotFindMe.*")))

     session_id = self.RunFlow([self.runkey], [regex_condition])
     self.AssertNoResults(session_id)
    def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
        """A literal absent from every value's data yields an empty result set."""
        literal_condition = registry.RegistryFinderCondition(
            condition_type=registry.RegistryFinderCondition.Type.
            VALUE_LITERAL_MATCH,
            value_literal_match=(
                rdf_file_finder.FileFinderContentsLiteralMatchCondition(
                    bytes_before=10, bytes_after=10, literal="CanNotFindMe")))

        session_id = self.RunFlow([self.runkey], [literal_condition])
        self.AssertNoResults(session_id)
  def testFindsNothingIfRegexMatchesNothing(self):
    """A regex that matches no value data yields an empty result set."""
    run_key_glob = (
        "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")
    # No bytes_before/bytes_after here: no hit is expected, so no context
    # would be reported anyway.
    regex_condition = registry.RegistryFinderCondition(
        condition_type=
        registry.RegistryFinderCondition.Type.VALUE_REGEX_MATCH,
        value_regex_match=file_finder.FileFinderContentsRegexMatchCondition(
            regex=".*CanNotFindMe.*"))

    self.RunFlow([run_key_glob], [regex_condition])
    self.AssertNoResults()
  def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
    """A literal absent from every value's data yields an empty result set."""
    run_key_glob = (
        "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")
    literal_condition = registry.RegistryFinderCondition(
        condition_type=
        registry.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
        value_literal_match=file_finder.FileFinderContentsLiteralMatchCondition(
            literal="CanNotFindMe"))

    self.RunFlow([run_key_glob], [literal_condition])
    self.AssertNoResults()
  def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
    """A time window that contains no fixture timestamp yields no results.

    NOTE: the method name misspells "Modification"; it is kept unchanged
    because test names are part of the suite's public surface.
    """
    run_key_glob = (
        "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")
    # Window [0s, 1s] after the epoch, well away from the fixture timestamp.
    epoch = rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)
    one_second = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1)
    mtime_condition = registry.RegistryFinderCondition(
        condition_type=
        registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
        modification_time=file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=epoch,
            max_last_modified_time=one_second))

    self.RunFlow([run_key_glob], [mtime_condition])
    self.AssertNoResults()
  def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
    """A time window that contains no fixture timestamp yields no results.

    NOTE: the method name misspells "Modification"; it is kept unchanged
    because test names are part of the suite's public surface.
    """
    # Window [0s, 1s] after the epoch, well away from the fixture timestamp.
    epoch = rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)
    one_second = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1)
    mtime_condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.
        MODIFICATION_TIME,
        modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=epoch,
            max_last_modified_time=one_second))

    session_id = self.RunFlow([self.runkey], [mtime_condition])
    self.AssertNoResults(session_id)
  def testFindsKeysIfModificationTimeConditionMatches(self):
    """A modification-time window alone matches both fixture Run values."""
    fixture_mtime = 1247546054
    # One-second window on either side of the fixture's timestamp.
    lower_bound = rdfvalue.RDFDatetime().FromSecondsFromEpoch(fixture_mtime - 1)
    upper_bound = rdfvalue.RDFDatetime().FromSecondsFromEpoch(fixture_mtime + 1)
    mtime_condition = registry.RegistryFinderCondition(
        condition_type=registry.RegistryFinderCondition.Type.
        MODIFICATION_TIME,
        modification_time=rdf_file_finder.FileFinderModificationTimeCondition(
            min_last_modified_time=lower_bound,
            max_last_modified_time=upper_bound))

    session_id = self.RunFlow([self.runkey], [mtime_condition])

    results = self.GetResults(session_id)
    self.assertEqual(len(results), 2)
    # Both the Sidebar and the MctAdmin values carry the fixture timestamp
    # (see test_data/client_fixture.py). Order is not significant.
    # NOTE(review): assertItemsEqual exists on Python 2's TestCase only;
    # Python 3 spells it assertCountEqual — confirm which runtime this
    # suite targets before touching it.
    basenames = []
    for result in results:
      basenames.append(os.path.basename(result.stat_entry.pathspec.path))
    self.assertItemsEqual(basenames, ["Sidebar", "MctAdmin"])