def setUp(self):
    """Prepares the preprocessing object, registry cache and plugin for a test.

    The registry cache is primed with a 'current_control_set' attribute of
    'ControlSet001' before the plugin is constructed; presumably the plugin
    uses it to resolve the CurrentControlSet alias without a live hive —
    confirm against the plugin implementation.
    """
    preprocess_object = event.PreprocessObject()
    winreg_cache = cache.WinRegistryCache()
    winreg_cache.attributes['current_control_set'] = 'ControlSet001'
    self._plugin = lfu.BootExecutePlugin(
        pre_obj=preprocess_object, reg_cache=winreg_cache)
def testProcess(self):
    """Tests the Process function.

    The Session Manager key is parsed directly with the plugin (not through
    the parser), so the event data's parser attribute is expected to carry the
    plugin name. Two events are expected: one for the BootExecute value and
    one for the remaining values of the key.
    """
    session_manager_key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    registry_key = self._CreateTestKey(
        session_manager_key_path, '2012-08-31 20:45:29')
    plugin = lfu.BootExecutePlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

    self.assertEqual(storage_writer.number_of_warnings, 0)
    self.assertEqual(storage_writer.number_of_events, 2)

    # Message body of the second event: the remaining values of the key,
    # each rendered as "name: [type] data" and separated by single spaces.
    key_values_body = ' '.join([
        'CriticalSectionTimeout: [REG_SZ] 2592000',
        'ExcludeFromKnownDlls: [REG_MULTI_SZ] []',
        'GlobalFlag: [REG_SZ] 0',
        'HeapDeCommitFreeBlockThreshold: [REG_SZ] 0',
        'HeapDeCommitTotalFreeThreshold: [REG_SZ] 0',
        'HeapSegmentCommit: [REG_SZ] 0',
        'HeapSegmentReserve: [REG_SZ] 0',
        'NumberOfInitialSessions: [REG_SZ] 2'])

    # (data_type, message body) expected for events[0] and events[1].
    expectations = [
        ('windows:registry:boot_execute', 'BootExecute: autocheck autochk *'),
        ('windows:registry:key_value', key_values_body)]

    events = list(storage_writer.GetEvents())
    for index, (expected_data_type, message_body) in enumerate(expectations):
        current_event = events[index]
        self.CheckTimestamp(
            current_event.timestamp, '2012-08-31 20:45:29.000000')
        event_data = self._GetEventDataOfEvent(storage_writer, current_event)
        if index == 0:
            # Invoked directly rather than through the parser, so the parser
            # attribute should just be the plugin name.
            self.assertEqual(event_data.parser, plugin.plugin_name)
        self.assertEqual(event_data.data_type, expected_data_type)

        expected_message = '[{0:s}] {1:s}'.format(
            session_manager_key_path, message_body)
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(
            event_data, expected_message, expected_short_message)
def testFilters(self):
    """Tests the FILTERS class attribute.

    The plugin is expected to match the Session Manager key under
    ControlSet001 and to reject an unrelated key path.
    """
    plugin = lfu.BootExecutePlugin()
    matching_key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    unrelated_key_path = 'HKEY_LOCAL_MACHINE\\Bogus'

    self._AssertFiltersOnKeyPath(plugin, matching_key_path)
    self._AssertNotFiltersOnKeyPath(plugin, unrelated_key_path)
def testProcess(self):
    """Tests the Process function.

    Parses the Session Manager key directly with the plugin and checks that
    exactly two events are produced with no extraction or recovery warnings:
    a boot_execute event for the BootExecute value and a key_value event for
    the remaining values of the key.
    """
    session_manager_key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    registry_key = self._CreateTestKey(
        session_manager_key_path, '2012-08-31 20:45:29')
    plugin = lfu.BootExecutePlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

    self.assertEqual(
        storage_writer.GetNumberOfAttributeContainers('event'), 2)
    for warning_container in ('extraction_warning', 'recovery_warning'):
        self.assertEqual(
            storage_writer.GetNumberOfAttributeContainers(warning_container),
            0)

    events = list(storage_writer.GetEvents())

    # Attributes shared by both events produced from the same key.
    common_values = {
        'date_time': '2012-08-31 20:45:29.0000000',
        'key_path': session_manager_key_path}

    boot_execute_values = dict(common_values)
    boot_execute_values.update({
        'data_type': 'windows:registry:boot_execute',
        # Invoked directly rather than through the parser, so the parser
        # attribute should just be the plugin name.
        'parser': plugin.NAME,
        'value': 'autocheck autochk *'})
    self.CheckEventValues(storage_writer, events[0], boot_execute_values)

    # Remaining values of the key, each rendered as "name: [type] data" and
    # separated by single spaces.
    remaining_values = ' '.join([
        'CriticalSectionTimeout: [REG_SZ] 2592000',
        'ExcludeFromKnownDlls: [REG_MULTI_SZ] []',
        'GlobalFlag: [REG_SZ] 0',
        'HeapDeCommitFreeBlockThreshold: [REG_SZ] 0',
        'HeapDeCommitTotalFreeThreshold: [REG_SZ] 0',
        'HeapSegmentCommit: [REG_SZ] 0',
        'HeapSegmentReserve: [REG_SZ] 0',
        'NumberOfInitialSessions: [REG_SZ] 2'])

    key_value_values = dict(common_values)
    key_value_values.update({
        'data_type': 'windows:registry:key_value',
        'values': remaining_values})
    self.CheckEventValues(storage_writer, events[1], key_value_values)
def testProcess(self):
    """Tests the Process function.

    Parses the Session Manager key directly with the plugin and checks the
    two resulting events: the first carries the BootExecute value and the
    plugin name as parser, the second lists the remaining values of the key.
    """
    session_manager_key_path = (
        'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control\\Session Manager')
    time_string = '2012-08-31 20:45:29'
    registry_key = self._CreateTestKey(session_manager_key_path, time_string)
    plugin = lfu.BootExecutePlugin()
    storage_writer = self._ParseKeyWithPlugin(registry_key, plugin)

    self.assertEqual(storage_writer.number_of_events, 2)
    events = list(storage_writer.GetEvents())

    def _check_message(event_object, message_body):
        """Checks the long and short message strings of an event.

        Args:
            event_object: the event whose message strings are checked.
            message_body: the message text that follows the "[key path] "
                prefix.
        """
        expected_message = '[{0:s}] {1:s}'.format(
            session_manager_key_path, message_body)
        expected_short_message = '{0:s}...'.format(expected_message[:77])
        self._TestGetMessageStrings(
            event_object, expected_message, expected_short_message)

    boot_execute_event = events[0]
    # Invoked directly rather than through the parser, so the parser
    # attribute should just be the plugin name.
    self.assertEqual(boot_execute_event.parser, plugin.plugin_name)
    self.assertEqual(
        boot_execute_event.timestamp,
        timelib.Timestamp.CopyFromString(time_string))
    _check_message(boot_execute_event, 'BootExecute: autocheck autochk *')

    # Remaining values of the key, rendered as "name: data" and separated by
    # single spaces.
    remaining_values = ' '.join([
        'CriticalSectionTimeout: 2592000',
        'ExcludeFromKnownDlls: []',
        'GlobalFlag: 0',
        'HeapDeCommitFreeBlockThreshold: 0',
        'HeapDeCommitTotalFreeThreshold: 0',
        'HeapSegmentCommit: 0',
        'HeapSegmentReserve: 0',
        'NumberOfInitialSessions: 2'])
    _check_message(events[1], remaining_values)
def setUp(self):
    """Makes preparations before running an individual test.

    Creates a fresh BootExecutePlugin per test so state cannot leak between
    test methods.
    """
    plugin = lfu.BootExecutePlugin()
    self._plugin = plugin
def setUp(self):
    """Sets up the needed objects used throughout the test.

    A new BootExecutePlugin instance is created for every test method.
    """
    plugin = lfu.BootExecutePlugin()
    self._plugin = plugin