def test_array_uint16(self):
    """
    Deserialize a single TraceLogging field typed as an array of UINT16.

    The metadata blob names the event "Test" and declares one field,
    "Engine", with type byte 0x26.  The payload carries a little-endian
    count (0x0010 = 16) followed by 16 zero UINT16 values, so the parsed
    field must be a list of sixteen zeros.

    NOTE(review): only a well-formed, exactly-sized payload is exercised;
    nothing here pins how build_tracelogging reacts when user_data is
    shorter than the declared element count.
    """
    # Metadata header: leading bytes (presumably a length word, not
    # asserted here), then NUL-terminated event name, NUL-terminated
    # field name and the field type byte.
    field_meta = Container()
    field_meta.ext_type = 11
    field_meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x26'

    element_count = 16
    raw_event = Container()
    raw_event.extended_data = ListContainer([field_meta])
    # Count word followed by element_count zero UINT16 values.
    raw_event.user_data = b'\x10\x00' + bytes(element_count * 2)

    parsed = build_tracelogging(raw_event)

    self.assertEqual(parsed.get_name(), "Test", "Invalid Name")
    self.assertEqual(parsed["Engine"], [0] * element_count)
def test_tracelogging_guid(self):
    """
    Deserialize a single TraceLogging field typed as a GUID.

    The metadata names the event "Test" and declares one field, "Engine",
    with type byte 0x0F.  The payload is 16 zero bytes, so the parsed
    field must rebuild to the nil GUID
    00000000-0000-0000-0000-000000000000.

    NOTE(review): only a well-formed 16-byte payload is exercised; a
    truncated GUID payload is not covered here.
    """
    field_meta = Container()
    field_meta.ext_type = 11
    field_meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x0F'

    raw_event = Container()
    raw_event.extended_data = ListContainer([field_meta])
    raw_event.user_data = bytes(16)  # all-zero GUID payload

    parsed = build_tracelogging(raw_event)
    self.assertEqual(parsed.get_name(), "Test", "Invalid Name")

    # Rebuild a Guid from the parsed sub-fields and compare against the
    # nil GUID parsed from its textual form.
    engine_guid = parsed["Engine"]
    actual = Guid(
        engine_guid.data1,
        engine_guid.data2,
        engine_guid.data3,
        engine_guid.data4,
    )
    expected = guid("00000000-0000-0000-0000-000000000000")
    self.assertEqual(actual, expected, "Invalid GUID")
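def test_tracelogging_wstring(self):
    """
    Deserialize a single TraceLogging field typed as a wide (UTF-16LE) string.

    The metadata names the event "Test" and declares one field, "Engine",
    with type byte 0x01.  The payload is the NUL-terminated UTF-16LE
    encoding of "PowerShell", so the parsed field must be that string.

    NOTE(review): the previous docstring described an "AmsiScript" event
    with three fields (Engine / Script / Raw Script); this test only
    builds the single "Engine" field shown below.  The multi-field
    AmsiScript case is not covered by this test.

    NOTE(review): only a properly NUL-terminated payload is exercised;
    a wide string missing its terminator is not covered here.
    """
    field_meta = Container()
    field_meta.ext_type = 11
    field_meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x01'

    event = Container()
    event.extended_data = ListContainer([field_meta])
    # "PowerShell" as UTF-16LE, followed by a two-byte NUL terminator.
    event.user_data = b'P\x00o\x00w\x00e\x00r\x00S\x00h\x00e\x00l\x00l\x00\x00\x00'

    tl = build_tracelogging(event)
    self.assertEqual(tl.get_name(), "Test", "Invalid Name")
    # Message was a copy-paste of the name check; it now names the field
    # that actually failed.
    self.assertEqual(tl["Engine"], "PowerShell", "Invalid Engine")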
def parse_tracelogging(self) -> TraceLogging:
    """
    Build a TraceLogging view of this object's underlying event.

    Returns:
        The TraceLogging produced by build_tracelogging() from self.source.

    NOTE(review): this is a thin pass-through; whatever build_tracelogging
    raises on a malformed or non-TraceLogging event propagates unchanged
    to the caller — nothing is caught here.
    """
    parsed = build_tracelogging(self.source)
    return parsed