 def testWMIEventConsumerParserRaisesWhenNonEmptyDictReturnedEmpty(self):
     """A dict holding only an unrecognised field must make ParseMultiple raise.

     The expected outcome is a ValueError. The loop body only runs if the
     parser yields instead of raising; in that case each yielded item is
     checked to be an Anomaly so that the failure is reported as a wrong
     result rather than as a missing exception.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     consumer_dict = rdf_protodict.Dict()
     # No known WMI consumer property is set -- only an unknown one.
     consumer_dict["NonexistentField"] = "Abcdef"
     with self.assertRaises(ValueError):
         parsed_items = parser.ParseMultiple([consumer_dict])
         for parsed in parsed_items:
             self.assertIs(type(parsed), rdf_anomaly.Anomaly)
    def testWMIActiveScriptEventConsumerParser(self):
        """A fully populated ActiveScript consumer is parsed into one result.

        The fixture mirrors what a WMI query returns for an
        ActiveScriptEventConsumer: the CreatorSID arrives as a list of raw
        bytes and several properties arrive as None. The assertions pin
        three conversions: the byte list becomes the textual SID
        S-1-5-21-..., a None MaximumQueueSize becomes 0, and a None
        ScriptFilename stays falsy.

        NOTE(review): WMI event consumers are a known persistence vector,
        which is presumably why this artifact is collected at all; the
        VBScript below merely logs process-exit timings to C:\\temp.log.
        """
        parser = wmi_parser.WMIActiveScriptEventConsumerParser()

        # Raw SID bytes: revision 1, five sub-authorities, authority 5 (NT),
        # then the little-endian 32-bit sub-authorities 21, 137958040, ...
        creator_sid_bytes = [
            1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 152, 18, 57, 8, 206, 29, 80,
            44, 70, 38, 82, 8, 244, 1, 0, 0
        ]
        script_text = r"""Dim objFS, objFile
Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFile = objFS.OpenTextFile("C:\temp.log", 8, true)
objFile.WriteLine "Time: " & Now & "; Entry made by: ASEC"
objFile.WriteLine "Application closed. UserModeTime: " &
TargetEvent.TargetInstance.UserModeTime &_ "; KernelModeTime: " &
TargetEvent.TargetInstance.KernelModeTime & " [hundreds of nanoseconds]"
objFile.Close"""

        # Same properties, in the same order, as a client would report them.
        consumer_properties = {
            "CreatorSID": creator_sid_bytes,
            "KillTimeout": 0,
            "MachineName": None,
            "MaximumQueueSize": None,
            "Name": "SomeName",
            "ScriptFilename": None,
            "ScriptingEngine": "VBScript",
            "ScriptText": script_text,
        }
        consumer_dict = rdf_protodict.Dict()
        for property_name, property_value in consumer_properties.items():
            consumer_dict[property_name] = property_value

        parsed_items = list(parser.ParseMultiple([consumer_dict]))
        self.assertLen(parsed_items, 1)
        consumer = parsed_items[0]
        self.assertEqual("S-1-5-21-137958040-743448014-139601478-500",
                         consumer.CreatorSID)
        self.assertEqual(0, consumer.MaximumQueueSize)
        self.assertFalse(consumer.ScriptFilename)
  def testWMIEventConsumerParserDoesntFailOnMalformedSIDs(self):
    """A malformed CreatorSID must not abort parsing of the consumer.

    Each shape below is fed as the CreatorSID of an otherwise empty dict and
    Parse(rdf_dict) is still expected to yield exactly one result. The
    collected data comes from the endpoint, so a crash here would drop the
    consumer (and, in a batch, its siblings) instead of reporting it.
    """
    parser = wmi_parser.WMIActiveScriptEventConsumerParser()
    consumer_dict = rdf_protodict.Dict()
    malformed_sids = (
        # Header claims 5 sub-authorities but the byte list stops short.
        [1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0],
        [1, 2, 3],
        [1],
        {1: 2},
        (1, 2),
    )

    for bad_sid in malformed_sids:
      consumer_dict["CreatorSID"] = bad_sid
      parsed_items = list(parser.Parse(consumer_dict))
      self.assertEqual(1, len(parsed_items))
 def testWMIEventConsumerParserDoesntFailOnUnknownField(self):
   """An unknown field yields an Anomaly but the consumer is still produced.

   Surfacing the unexpected field as an Anomaly rather than dropping it
   silently keeps the collected artifact honest: the analyst sees both the
   consumer and the fact that the client reported a property the parser
   does not know about.
   """
   parser = wmi_parser.WMIActiveScriptEventConsumerParser()
   consumer_dict = rdf_protodict.Dict()
   consumer_dict["NonexistentField"] = "Abcdef"
   consumer_dict["Name"] = "Test event consumer"
   parsed_items = list(parser.Parse(None, consumer_dict, None))
   self.assertEqual(len(parsed_items), 2)
   # The parser emits the anomaly before the consumer it was found in.
   anomaly, consumer = parsed_items
   self.assertIs(type(anomaly), rdf_anomaly.Anomaly)
   self.assertIs(type(consumer), rdf_wmi.WMIActiveScriptEventConsumer)
    def testWMIEventConsumerParserDoesntFailOnMalformedSIDs(self):
        """A malformed CreatorSID must not abort parsing of the consumer.

        Each shape below is fed as the CreatorSID of an otherwise empty dict
        and Parse(None, rdf_dict, None) is still expected to yield exactly
        one result. The data comes from the endpoint, so a parser crash here
        would lose the consumer instead of reporting it.
        """
        parser = wmi_parser.WMIActiveScriptEventConsumerParser()
        consumer_dict = rdf_protodict.Dict()
        malformed_sids = (
            # Header claims 5 sub-authorities but the byte list stops short.
            [1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0],
            # Older clients (3.0.0.3) return the SID as a string like this.
            "(1, 2, 3)",
            1,
            {1: 2},
            (1, 2),
        )

        for bad_sid in malformed_sids:
            consumer_dict["CreatorSID"] = bad_sid
            parsed_items = list(parser.Parse(None, consumer_dict, None))
            self.assertEqual(1, len(parsed_items))
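 def testWMIEventConsumerParser_EmptyConsumersYieldBlank(self):
     """An empty input dict yields exactly one result, and that result is falsy.

     The single yielded item is presumably a consumer with no fields set;
     only its falsiness is pinned here. Uses assertFalse instead of the
     original assertEqual(True, not x), which is the same check but reports
     the actual offending value on failure.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     consumer_dict = rdf_protodict.Dict()
     parsed_items = list(parser.ParseMultiple([consumer_dict]))
     self.assertLen(parsed_items, 1)
     self.assertFalse(parsed_items[0])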
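 def testWMIEventConsumerParser_EmptyConsumersYieldBlank(self):
     """An empty input dict yields exactly one result, and that result is falsy.

     The single yielded item is presumably a consumer with no fields set;
     only its falsiness is pinned here. Uses assertFalse instead of the
     original assertEqual(True, not x), which is the same check but reports
     the actual offending value on failure.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     consumer_dict = rdf_protodict.Dict()
     parsed_items = list(parser.Parse(None, consumer_dict, None))
     self.assertEqual(1, len(parsed_items))
     self.assertFalse(parsed_items[0])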