def testBuildFindSpecsWithRegistry(self):
  """Tests the BuildFindSpecs function on Windows Registry artifacts.

  Builds the find specifications for the 'TestRegistry' artifact and then
  resolves them against the SYSTEM test hive to confirm they match keys.
  """
  knowledge_base = knowledge_base_engine.KnowledgeBase()
  filter_helper = self._CreateTestArtifactDefinitionsFilterHelper(
      ['TestRegistry'], knowledge_base)
  filter_helper.BuildFindSpecs(environment_variables=None)

  # BuildFindSpecs publishes its result into the knowledge base, keyed by
  # artifact source type.
  find_specs_by_type = knowledge_base.GetValue(
      filter_helper.KNOWLEDGE_BASE_VALUE)
  registry_find_specs = find_specs_by_type.get(
      artifact_types.TYPE_INDICATOR_WINDOWS_REGISTRY_KEY, [])
  self.assertEqual(len(registry_find_specs), 1)

  # Map the SYSTEM test hive into a WinRegistry so the specifications can
  # be matched against real keys.
  reader = windows_registry_parser.FileObjectWinRegistryFileReader()
  test_file_entry = self._GetTestFileEntry(['SYSTEM'])
  registry_file = reader.Open(test_file_entry.GetFileObject())

  win_registry = dfwinreg_registry.WinRegistry()
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  registry_file.SetKeyPathPrefix(prefix)
  win_registry.MapFile(prefix, registry_file)

  searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
  matched_key_paths = list(searcher.Find(find_specs=registry_find_specs))
  self.assertIsNotNone(matched_key_paths)

  # The single specification is expected to resolve to three key paths.
  self.assertEqual(len(matched_key_paths), 3)
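def RunPlugins(cls, artifacts_registry, file_system, mount_point, knowledge_base):
  """Runs the preprocessing plugins.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifact
        definitions registry handed to the collection methods.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that
        refers to the base location of the file system.
    knowledge_base (KnowledgeBase): knowledge base to fill with
        preprocessing information; it also supplies the environment
        variables used when opening Windows Registry files.
  """
  searcher = file_system_searcher.FileSystemSearcher(
      file_system, mount_point)
  cls.CollectFromFileSystem(
      artifacts_registry, knowledge_base, searcher, file_system)

  # The Registry plugins share one WinRegistry so the Registry files are
  # opened once rather than once per plugin.
  environment_variables = None
  if knowledge_base:
    environment_variables = knowledge_base.GetEnvironmentVariables()

  registry_file_reader = FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=environment_variables)
  win_registry = dfwinreg_registry.WinRegistry(
      registry_file_reader=registry_file_reader)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)

  cls.CollectFromKnowledgeBase(knowledge_base)

  # Guard the same way as the environment variable lookup above; the
  # previous version dereferenced knowledge_base here unconditionally.
  if knowledge_base and not knowledge_base.HasUserAccounts():
    logger.warning('Unable to find any user accounts on the system.')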
def testBuildFindSpecsWithRegistry(self):
  """Tests the BuildFindSpecs function on Windows Registry sources.

  Builds find specifications for two Registry test artifacts and checks
  that they resolve against the SYSTEM test hive.
  """
  knowledge_base = knowledge_base_engine.KnowledgeBase()
  filters_helper = self._CreateTestArtifactDefinitionsFiltersHelper(
      knowledge_base)
  filters_helper.BuildFindSpecs(['TestRegistry', 'TestRegistryValue'])

  # Only Registry specifications are expected: none for the file system
  # and three for the Registry.
  self.assertEqual(len(filters_helper.included_file_system_find_specs), 0)
  self.assertEqual(len(filters_helper.registry_find_specs), 3)

  reader = windows_registry_parser.FileObjectWinRegistryFileReader()
  test_file_entry = self._GetTestFileEntry(['SYSTEM'])
  registry_file = reader.Open(test_file_entry.GetFileObject())

  win_registry = dfwinreg_registry.WinRegistry()
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  registry_file.SetKeyPathPrefix(prefix)
  win_registry.MapFile(prefix, registry_file)

  searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
  matched_key_paths = list(
      searcher.Find(find_specs=filters_helper.registry_find_specs))
  self.assertIsNotNone(matched_key_paths)
  self.assertEqual(len(matched_key_paths), 5)
def _RunPreprocessorPluginOnWindowsRegistryValue(
    self, file_system, mount_point, plugin):
  """Runs a preprocessor plugin on a Windows Registry value.

  Args:
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that
        refers to the base location of the file system.
    plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

  Returns:
    KnowledgeBase: knowledge base filled with preprocessing information.
  """
  definition = self._artifacts_registry.GetDefinitionByName(
      plugin.ARTIFACT_DEFINITION_NAME)
  self.assertIsNotNone(definition)

  # %SystemRoot% is needed to expand the Registry file paths of the test
  # artifact definitions.
  system_root = artifacts.EnvironmentVariableArtifact(
      case_sensitive=False, name='SystemRoot', value='C:\\Windows')

  reader = manager.FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=[system_root])
  win_registry = dfwinreg_registry.WinRegistry(registry_file_reader=reader)
  searcher = registry_searcher.WinRegistrySearcher(win_registry)

  result_knowledge_base = knowledge_base.KnowledgeBase()
  plugin.Collect(result_knowledge_base, definition, searcher)
  return result_knowledge_base
def testFind(self):
  """Tests the Find function.

  Exercises the key path, key path glob and key path regex forms of a
  find specification, and the unfiltered search.
  """
  test_path = self._GetTestFilePath(['SYSTEM'])
  self._SkipIfPathNotExists(test_path)

  win_registry = registry.WinRegistry(
      registry_file_reader=test_registry.TestWinRegistryFileReader())
  # _OpenFile is used directly so the test can map the hive itself.
  registry_file = win_registry._OpenFile(test_path)
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  win_registry.MapFile(prefix, registry_file)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)

  control_set_children = [
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Policies',
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services'
  ]

  # Each entry pairs a find specification with the key paths it must yield.
  cases = [
      (registry_searcher.FindSpec(
          key_path='HKEY_LOCAL_MACHINE\\System\\ControlSet001'),
       ['HKEY_LOCAL_MACHINE\\System\\ControlSet001']),
      (registry_searcher.FindSpec(
          key_path_glob='HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*'),
       control_set_children),
      (registry_searcher.FindSpec(key_path_regex=[
          'HKEY_LOCAL_MACHINE', 'System', 'ControlSet001', '.*']),
       control_set_children),
  ]
  for find_spec, expected_key_paths in cases:
    key_paths = list(searcher.Find(find_specs=[find_spec]))
    self.assertEqual(key_paths, expected_key_paths)

  # Without find specifications every key in the hive is returned.
  all_key_paths = list(searcher.Find())
  self.assertEqual(len(all_key_paths), 31351)
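def _ParseKeysFromFindSpecs(self, parser_mediator, win_registry, find_specs):
  """Parses the Registry keys from FindSpecs.

  Args:
    parser_mediator (ParserMediator): parser mediator.
    win_registry (dfwinreg.WinRegistry): Windows Registry to search; it is
        handed to WinRegistrySearcher, which expects a registry rather than
        a single key (the previous docstring said WinRegistryKey).
    find_specs (list[dfwinreg.FindSpec]): find specifications selecting
        the keys to parse.
  """
  searcher = dfwinreg_registry_searcher.WinRegistrySearcher(win_registry)
  for registry_key_path in searcher.Find(find_specs=find_specs):
    # Honor an abort request between keys so a large search can be
    # interrupted.
    if parser_mediator.abort:
      break

    registry_key = searcher.GetKeyByPath(registry_key_path)
    self._ParseKey(parser_mediator, registry_key)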
def testSplitKeyPath(self):
  """Tests the SplitKeyPath function."""
  win_registry = registry.WinRegistry(
      registry_file_reader=test_registry.TestWinRegistryFileReader())

  # Map the SYSTEM test hive via the private _OpenFile helper.
  registry_file = win_registry._OpenFile(self._GetTestFilePath(['SYSTEM']))
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  win_registry.MapFile(prefix, registry_file)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  segments = searcher.SplitKeyPath(
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control')
  # HKEY_LOCAL_MACHINE, System, ControlSet001 and Control.
  self.assertEqual(len(segments), 4)
def testGetKeyByPath(self):
  """Tests the GetKeyByPath function."""
  win_registry = registry.WinRegistry(
      registry_file_reader=test_registry.TestWinRegistryFileReader())

  # Map the SYSTEM test hive via the private _OpenFile helper.
  registry_file = win_registry._OpenFile(self._GetTestFilePath(['SYSTEM']))
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  win_registry.MapFile(prefix, registry_file)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  control_key = searcher.GetKeyByPath(
      'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control')
  self.assertIsNotNone(control_key)
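def RunPlugins(cls, artifacts_registry, file_system, mount_point, mediator):
  """Runs the preprocessing plugins.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that
        refers to the base location of the file system.
    mediator (PreprocessMediator): mediates interactions between
        preprocess plugins and other components, such as storage and
        knowledge base.
  """
  searcher = file_system_searcher.FileSystemSearcher(
      file_system, mount_point)
  cls.CollectFromFileSystem(
      artifacts_registry, mediator, searcher, file_system)

  # Run the Registry plugins separately so we do not have to open
  # Registry files for every preprocess plugin.
  knowledge_base = mediator.knowledge_base
  environment_variables = None
  if knowledge_base:
    environment_variables = knowledge_base.GetEnvironmentVariables()

  registry_file_reader = FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=environment_variables)
  win_registry = dfwinreg_registry.WinRegistry(
      registry_file_reader=registry_file_reader)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  cls.CollectFromWindowsRegistry(artifacts_registry, mediator, searcher)

  cls.CollectFromKnowledgeBase(mediator)

  # Guard consistently with the environment variable lookup above; the
  # previous version dereferenced mediator.knowledge_base unconditionally.
  if knowledge_base and not knowledge_base.HasUserAccounts():
    logger.warning('Unable to find any user accounts on the system.')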
def testFind(self):
  """Tests the Find function.

  Exercises the key path, key path glob and key path regex forms of a
  find specification against the SYSTEM test hive.
  """
  win_registry = registry.WinRegistry(
      registry_file_reader=test_registry.TestWinRegistryFileReader())

  # Map the SYSTEM test hive via the private _OpenFile helper.
  registry_file = win_registry._OpenFile(self._GetTestFilePath([u'SYSTEM']))
  prefix = win_registry.GetRegistryFileMapping(registry_file)
  win_registry.MapFile(prefix, registry_file)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)

  control_set_children = [
      u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Control',
      u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Enum',
      u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Hardware Profiles',
      u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\Services']

  # Each entry pairs a find specification with the key paths it must yield.
  cases = [
      (registry_searcher.FindSpec(
          key_path=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001'),
       [u'HKEY_LOCAL_MACHINE\\System\\ControlSet001']),
      (registry_searcher.FindSpec(
          key_path_glob=u'HKEY_LOCAL_MACHINE\\System\\ControlSet001\\*'),
       control_set_children),
      (registry_searcher.FindSpec(key_path_regex=[
          u'HKEY_LOCAL_MACHINE', u'System', u'ControlSet001', u'.*']),
       control_set_children),
  ]
  for find_spec, expected_key_paths in cases:
    key_paths = list(searcher.Find(find_specs=[find_spec]))
    self.assertEqual(key_paths, expected_key_paths)
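def RunPlugins(cls, artifacts_registry, file_system, mount_point, knowledge_base):
  """Runs the preprocessing plugins.

  Args:
    artifacts_registry (artifacts.ArtifactDefinitionsRegistry): artifacts
        definitions registry.
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that
        refers to the base location of the file system.
    knowledge_base (KnowledgeBase): to fill with preprocessing information;
        it also supplies the environment variables used when opening
        Windows Registry files.
  """
  searcher = file_system_searcher.FileSystemSearcher(
      file_system, mount_point)
  cls.CollectFromFileSystem(
      artifacts_registry, knowledge_base, searcher, file_system)

  # Run the Registry plugins separately so we do not have to open
  # Registry files for every preprocess plugin.
  environment_variables = None
  if knowledge_base:
    environment_variables = knowledge_base.GetEnvironmentVariables()

  registry_file_reader = FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=environment_variables)
  win_registry = dfwinreg_registry.WinRegistry(
      registry_file_reader=registry_file_reader)

  searcher = registry_searcher.WinRegistrySearcher(win_registry)
  cls.CollectFromWindowsRegistry(artifacts_registry, knowledge_base, searcher)

  # Guard consistently with the environment variable lookup above; the
  # previous version dereferenced knowledge_base here unconditionally.
  if knowledge_base and not knowledge_base.HasUserAccounts():
    logging.warning('Unable to find any user accounts on the system.')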
def _RunPreprocessorPluginOnWindowsRegistryValue(
    self, file_system, mount_point, storage_writer, plugin):
  """Runs a preprocessor plugin on a Windows Registry value.

  Args:
    file_system (dfvfs.FileSystem): file system to be preprocessed.
    mount_point (dfvfs.PathSpec): mount point path specification that
        refers to the base location of the file system.
    storage_writer (StorageWriter): storage writer.
    plugin (ArtifactPreprocessorPlugin): preprocessor plugin.

  Returns:
    PreprocessMediator: preprocess mediator the plugin collected into.
  """
  definition = self._artifacts_registry.GetDefinitionByName(
      plugin.ARTIFACT_DEFINITION_NAME)
  self.assertIsNotNone(definition)

  # %SystemRoot% is needed to expand the Registry file paths of the test
  # artifact definitions.
  system_root = artifacts.EnvironmentVariableArtifact(
      case_sensitive=False, name='SystemRoot', value='C:\\Windows')

  reader = manager.FileSystemWinRegistryFileReader(
      file_system, mount_point, environment_variables=[system_root])
  win_registry = dfwinreg_registry.WinRegistry(registry_file_reader=reader)
  searcher = registry_searcher.WinRegistrySearcher(win_registry)

  test_mediator = mediator.PreprocessMediator(
      sessions.Session(), storage_writer, knowledge_base.KnowledgeBase())
  plugin.Collect(test_mediator, definition, searcher)
  return test_mediator
def testInitialize(self):
  """Tests the __init__ function.

  A searcher cannot be created without a Windows Registry to search.
  """
  self.assertRaises(
      ValueError, registry_searcher.WinRegistrySearcher, None)