  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake 'Search' Registry key carrying one REG_DWORD value.

    The key is a synthetic fixture: its last written time is parsed from
    time_string and its single value is named after an Outlook profile path
    under the user's AppData directory (mailbox portion masked).

    Args:
      key_path: the Windows Registry key path.
      time_string: string containing the key last written date and time.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    search_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Search', key_path=key_path,
        last_written_time=last_written.timestamp, offset=1456)

    outlook_profile_name = u''.join([
        u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\',
        u'*****@*****.**'])
    # 4-byte DWORD payload of the single value.
    search_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        outlook_profile_name, data=b'\xcf\x2b\x37\x00',
        data_type=dfwinreg_definitions.REG_DWORD, offset=1892))

    return search_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake 'Servers' Registry key with one server subkey.

    The subkey 'myserver.com' shares the parent's last written time and
    holds a single REG_SZ 'UsernameHint' value (UTF-16-LE encoded).

    Args:
      key_path: the Windows Registry key path.
      time_string: string containing the key last written date and time.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    servers_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Servers', key_path=key_path,
        last_written_time=last_written.timestamp, offset=865)

    server_key = dfwinreg_fake.FakeWinRegistryKey(
        u'myserver.com', last_written_time=last_written.timestamp,
        offset=1456)

    # The value is attached to the subkey before the subkey joins its parent.
    username_hint = dfwinreg_fake.FakeWinRegistryValue(
        u'UsernameHint', data=u'DOMAIN\\username'.encode(u'utf_16_le'),
        data_type=dfwinreg_definitions.REG_SZ, offset=1892)
    server_key.AddValue(username_hint)
    servers_key.AddSubkey(server_key)

    return servers_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake 'Default' Registry key holding two REG_SZ MRU values.

    Args:
      key_path: the Windows Registry key path.
      time_string: string containing the key last written date and time.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    default_key = dfwinreg_fake.FakeWinRegistryKey(
        u'Default', key_path=key_path,
        last_written_time=last_written.timestamp, offset=1456)

    # (value name, text payload, value offset); values are attached to the
    # key in this order.
    mru_values = [
        (u'MRU0', u'192.168.16.60', 1892),
        (u'MRU1', u'computer.domain.com', 612),
    ]
    for value_name, text, value_offset in mru_values:
      default_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=text.encode(u'utf_16_le'),
          data_type=dfwinreg_definitions.REG_SZ, offset=value_offset))

    return default_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake 'BootVerificationProgram' Registry key.

        The key carries a single REG_SZ 'ImagePath' value (UTF-16-LE encoded)
        pointing at a synthetic executable path.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        boot_key = dfwinreg_fake.FakeWinRegistryKey(
            u'BootVerificationProgram', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)

        image_path = u'C:\\WINDOWS\\system32\\googleupdater.exe'
        boot_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
            u'ImagePath', data=image_path.encode(u'utf_16_le'),
            data_type=dfwinreg_definitions.REG_SZ, offset=123))

        return boot_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake 'CurrentVersion' Registry key with five values.

        Four values are REG_SZ (UTF-16-LE encoded) and 'InstallDate' is a
        4-byte REG_DWORD_LITTLE_ENDIAN payload.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        version_key = dfwinreg_fake.FakeWinRegistryKey(
            u'CurrentVersion', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)

        string_type = dfwinreg_definitions.REG_SZ
        dword_le_type = dfwinreg_definitions.REG_DWORD_LITTLE_ENDIAN

        # (value name, raw payload, value type, value offset), in the order
        # the values are attached to the key.
        version_values = [
            (u'CSDVersion', u'Service Pack 1'.encode(u'utf_16_le'),
             string_type, 1892),
            (u'CurrentVersion', u'5.1'.encode(u'utf_16_le'),
             string_type, 1121),
            (u'InstallDate', b'\x13\x1aAP', dword_le_type, 1001),
            (u'ProductName', u'MyTestOS'.encode(u'utf_16_le'),
             string_type, 123),
            (u'RegisteredOwner', u'A Concerned Citizen'.encode(u'utf_16_le'),
             string_type, 612),
        ]
        for value_name, payload, value_type, value_offset in version_values:
            version_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=payload, data_type=value_type,
                offset=value_offset))

        return version_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake 'TimeZoneInformation' key with an MRU-style layout.

        The key holds an 'MRUList' value plus three entries 'a', 'b' and 'c'.
        Entry 'b' is typed REG_BINARY even though its payload is a UTF-16-LE
        encoded string; the other entries are REG_SZ.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        mru_key = dfwinreg_fake.FakeWinRegistryKey(
            u'TimeZoneInformation', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        string_type = dfwinreg_definitions.REG_SZ
        binary_type = dfwinreg_definitions.REG_BINARY

        # (value name, text payload, value type, value offset), in the order
        # the values are attached to the key.
        mru_values = [
            (u'MRUList', u'acb', string_type, 123),
            (u'a', u'Some random text here', string_type, 1892),
            (u'b', u'c:/evil.exe', binary_type, 612),
            (u'c', u'C:/looks_legit.exe', string_type, 1001),
        ]
        for value_name, text, value_type, value_offset in mru_values:
            mru_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=text.encode(u'utf_16_le'),
                data_type=value_type, offset=value_offset))

        return mru_key
def CreateTestEventObjects():
    """Builds a list of synthetic event objects for testing.

    The list holds three WindowsRegistryEvent instances followed by one
    TextEvent; every event has its parser attribute set to 'UNKNOWN'.

    Returns:
      A list of event objects (instances of EventObject).
    """
    filetime = dfwinreg_fake.Filetime()

    def _registry_event(time_string, key_path, value):
        """Builds one WindowsRegistryEvent from a timestamp string."""
        filetime.CopyFromString(time_string)
        registry_event = windows_events.WindowsRegistryEvent(
            filetime.timestamp, key_path, {u'Value': value})
        registry_event.parser = 'UNKNOWN'
        return registry_event

    event_objects = [
        _registry_event(
            u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
            u'c:/Temp/evil.exe'),
        _registry_event(
            u'2012-05-02 13:43:26.929596',
            u'\\HKCU\\Secret\\EvilEmpire\\Malicious_key',
            u'send all the exes to the other world'),
        _registry_event(
            u'2012-04-20 16:44:46', u'\\HKCU\\Windows\\Normal',
            u'run all the benign stuff'),
    ]

    text_timestamp = timelib.Timestamp.CopyFromString(u'2009-04-05 12:27:39')
    text_dict = {
        u'hostname': u'nomachine',
        u'text': (
            u'This is a line by someone not reading the log line properly. And '
            u'since this log line exceeds the accepted 80 chars it will be '
            u'shortened.'),
        u'username': u'johndoe',
    }
    text_event = text_events.TextEvent(text_timestamp, 12, text_dict)
    text_event.parser = 'UNKNOWN'
    event_objects.append(text_event)

    return event_objects
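  def _CreateTestKey(self, key_path, time_string):
    """Creates MRUList Registry keys and values for testing.

    Builds a fake 'DesktopStreamMRU' key with a REG_SZ 'MRUList' value and a
    REG_BINARY value 'a' holding a fixed binary payload.

    Args:
      key_path: the Windows Registry key path.
      time_string: string containing the key last written date and time.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    filetime = dfwinreg_fake.Filetime()
    filetime.CopyFromString(time_string)
    registry_key = dfwinreg_fake.FakeWinRegistryKey(
        u'DesktopStreamMRU', key_path=key_path,
        last_written_time=filetime.timestamp, offset=1456)

    value_data = u'a'.encode(u'utf_16_le')
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        u'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
        offset=123)
    registry_key.AddValue(registry_value)

    # bytes(bytearray(...)) produces a byte string on both Python 2 and 3.
    # The previous b''.join(map(chr, ...)) relied on chr() returning a byte
    # str, which is only true on Python 2; on Python 3 it raises TypeError.
    value_data = bytes(bytearray([
        0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10,
        0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d, 0x19, 0x00, 0x23, 0x43,
        0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
        0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x50, 0x72, 0x6f, 0x66,
        0x69, 0x6c, 0x65, 0x73, 0x00, 0x00, 0x25, 0x00, 0x31, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69,
        0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
        0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x44, 0x65, 0x73,
        0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00, 0x00, 0x00]))

    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        u'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY,
        offset=612)
    registry_key.AddValue(registry_value)

    return registry_key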
  def _CreateTestKey(self, time_string, binary_data):
    """Builds a fake 'AppCompatCache' key wrapping caller-supplied bytes.

    The key path is fixed to the ControlSet001 Session Manager location and
    the single REG_BINARY value is named 'AppCompatCache' as well; no offset
    is given for the value.

    Args:
      time_string: string containing the key last written date and time.
      binary_data: the binary data of the AppCompatCache Registry value.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    cache_key_path = (
        u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache')

    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    cache_key = dfwinreg_fake.FakeWinRegistryKey(
        u'AppCompatCache', key_path=cache_key_path,
        last_written_time=last_written.timestamp, offset=1456)
    cache_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
        u'AppCompatCache', data=binary_data,
        data_type=dfwinreg_definitions.REG_BINARY))

    return cache_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake WinRAR 'ArcHistory' key with two REG_SZ entries.

        Entries are named '0' and '1' and hold UTF-16-LE encoded archive
        paths.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        history_key = dfwinreg_fake.FakeWinRegistryKey(
            u'ArcHistory', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        # (value name, archive path, value offset), in attachment order.
        history_entries = [
            (u'0', u'C:\\Downloads\\The Sleeping Dragon CD1.iso', 1892),
            (u'1', u'C:\\Downloads\\plaso-static.rar', 612),
        ]
        for value_name, archive_path, value_offset in history_entries:
            history_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=archive_path.encode(u'utf_16_le'),
                data_type=dfwinreg_definitions.REG_SZ, offset=value_offset))

        return history_key
  def _CreateTestKey(self, key_path, time_string):
    """Builds a fake 'TimeZoneInformation' key populated with tz values.

    Besides a stray REG_SZ value '1', the key holds the bias DWORDs
    (REG_DWORD_BIG_ENDIAN), the daylight/standard names and start
    structures, and 'TimeZoneKeyName'. Only value '1' is given an offset;
    all other values use the fake value's default.

    Args:
      key_path: the Windows Registry key path.
      time_string: string containing the key last written date and time.

    Returns:
      A Windows Registry key (instance of dfwinreg.WinRegistryKey).
    """
    last_written = dfwinreg_fake.Filetime()
    last_written.CopyFromString(time_string)

    tz_key = dfwinreg_fake.FakeWinRegistryKey(
        u'TimeZoneInformation', key_path=key_path,
        last_written_time=last_written.timestamp, offset=153)

    string_type = dfwinreg_definitions.REG_SZ
    binary_type = dfwinreg_definitions.REG_BINARY
    dword_be_type = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN

    def _add_value(value_name, payload, value_type, **value_kwargs):
      """Attaches one value; extra keyword args go to the fake value."""
      tz_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
          value_name, data=payload, data_type=value_type, **value_kwargs))

    def _utf16(text):
      """Encodes text the way REG_SZ payloads are stored."""
      return text.encode(u'utf_16_le')

    bias_bytes = b'\xff\xff\xff\xc4'
    zero_dword = b'\x00\x00\x00\x00'

    _add_value(
        u'1', _utf16(u'C:\\Downloads\\plaso-static.rar'), string_type,
        offset=612)
    _add_value(u'ActiveTimeBias', bias_bytes, dword_be_type)
    _add_value(u'Bias', bias_bytes, dword_be_type)
    _add_value(u'DaylightBias', bias_bytes, dword_be_type)
    _add_value(u'DaylightName', _utf16(u'@tzres.dll,-321'), string_type)
    _add_value(
        u'DaylightStart',
        b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00',
        binary_type)
    _add_value(u'DynamicDaylightTimeDisabled', zero_dword, dword_be_type)
    _add_value(u'StandardBias', zero_dword, dword_be_type)
    _add_value(u'StandardName', _utf16(u'@tzres.dll,-322'), string_type)
    _add_value(
        u'StandardStart',
        b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00',
        binary_type)
    _add_value(
        u'TimeZoneKeyName', _utf16(u'W. Europe Standard Time'), string_type)

    return tz_key
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake 'TestDriver' service key with seven values.

        'Type', 'Start' and 'ErrorControl' are 4-byte REG_DWORD payloads;
        the remaining values are UTF-16-LE encoded REG_SZ strings.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        driver_key = dfwinreg_fake.FakeWinRegistryKey(
            u'TestDriver', key_path=key_path,
            last_written_time=last_written.timestamp, offset=1456)

        dword_type = dfwinreg_definitions.REG_DWORD
        string_type = dfwinreg_definitions.REG_SZ

        # (value name, raw payload, value type, value offset), in the order
        # the values are attached to the key.
        driver_values = [
            (u'Type', b'\x02\x00\x00\x00', dword_type, 123),
            (u'Start', b'\x02\x00\x00\x00', dword_type, 127),
            (u'ErrorControl', b'\x01\x00\x00\x00', dword_type, 131),
            (u'Group', u'Pnp Filter'.encode(u'utf_16_le'), string_type, 140),
            (u'DisplayName', u'Test Driver'.encode(u'utf_16_le'),
             string_type, 160),
            (u'DriverPackageId',
             u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(
                 u'utf_16_le'),
             string_type, 180),
            (u'ImagePath', u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le'),
             string_type, 200),
        ]
        for value_name, payload, value_type, value_offset in driver_values:
            driver_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=payload, data_type=value_type,
                offset=value_offset))

        return driver_key
def GetEventObjects():
    """Builds a mixed list of synthetic event objects for testing.

    In order: one bare EventObject, three WindowsRegistryEvent instances,
    three TestEvent instances and one TextEvent. Every event carries the
    hostname u'MYHOSTNAME'.

    Returns:
      A list of event objects.
    """
    hostname = u'MYHOSTNAME'
    filename = u'c:/Temp/evil.exe'
    event_objects = []

    base_event = event.EventObject()
    base_event.username = u'joesmith'
    base_event.filename = u'c:/Users/joesmith/NTUSER.DAT'
    base_event.hostname = hostname
    base_event.timestamp = 0
    base_event.data_type = 'test:event'
    base_event.text = u''
    event_objects.append(base_event)

    filetime = dfwinreg_fake.Filetime()

    # TODO: move this to a WindowsRegistryEvent unit test.
    # (last written time string, key path, values dict), in list order.
    registry_fixtures = [
        (u'2012-04-20 22:38:46.929596', u'MY AutoRun key',
         {u'Run': u'c:/Temp/evil.exe'}),
        (u'2012-04-20 23:56:46.929596',
         u'//HKCU/Secret/EvilEmpire/Malicious_key',
         {u'Value': u'send all the exes to the other world'}),
        (u'2012-04-20 16:44:46.000000', u'//HKCU/Windows/Normal',
         {u'Value': u'run all the benign stuff'}),
    ]
    for time_string, key_path, values_dict in registry_fixtures:
        filetime.CopyFromString(time_string)
        registry_event = windows_events.WindowsRegistryEvent(
            filetime.timestamp, key_path, values_dict)
        registry_event.hostname = hostname
        event_objects.append(registry_event)

    # (timestamp string, text attribute), in list order; all three share
    # the same filename.
    test_fixtures = [
        (u'2012-04-30 10:29:47.929596', u'This log line reads ohh so much.'),
        (u'2012-04-30 10:29:47.929596', u'Nothing of interest here, move on.'),
        (u'2012-04-30 13:06:47.939596',
         u'Mr. Evil just logged into the machine and got root.'),
    ]
    for time_string, text in test_fixtures:
        timestamp = timelib.Timestamp.CopyFromString(time_string)
        test_event = TestEvent(timestamp, {u'text': text})
        test_event.filename = filename
        test_event.hostname = hostname
        event_objects.append(test_event)

    # TODO: move this to a TextEvent unit test.
    text_dict = {
        u'body': (
            u'This is a line by someone not reading the log line properly. And '
            u'since this log line exceeds the accepted 80 chars it will be '
            u'shortened.'),
        u'hostname': u'nomachine',
        u'username': u'johndoe',
    }
    timestamp = timelib.Timestamp.CopyFromString(u'2012-06-05 22:14:19.000000')
    text_event = text_events.TextEvent(timestamp, 12, text_dict)
    # The text attribute mirrors the body the TextEvent was built from.
    text_event.text = text_event.body
    text_event.hostname = hostname
    text_event.filename = filename
    event_objects.append(text_event)

    return event_objects
    def _CreateTestKey(self, key_path, time_string):
        """Builds a fake 'Session Manager' key with nine values.

        'BootExecute' and 'ExcludeFromKnownDlls' are REG_MULTI_SZ; every
        other value is REG_SZ. All payloads are UTF-16-LE encoded strings,
        the multi-string ones carrying an explicit NUL terminator.

        Args:
          key_path: the Windows Registry key path.
          time_string: string containing the key last written date and time.

        Returns:
          A Windows Registry key (instance of dfwinreg.WinRegistryKey).
        """
        last_written = dfwinreg_fake.Filetime()
        last_written.CopyFromString(time_string)

        session_key = dfwinreg_fake.FakeWinRegistryKey(
            u'Session Manager', key_path=key_path,
            last_written_time=last_written.timestamp, offset=153)

        string_type = dfwinreg_definitions.REG_SZ
        multi_string_type = dfwinreg_definitions.REG_MULTI_SZ

        # (value name, text payload, value type, value offset), in the order
        # the values are attached to the key.
        session_values = [
            (u'BootExecute', u'autocheck autochk *\x00', multi_string_type,
             123),
            (u'CriticalSectionTimeout', u'2592000', string_type, 153),
            (u'ExcludeFromKnownDlls', u'\x00', multi_string_type, 163),
            (u'GlobalFlag', u'0', string_type, 173),
            (u'HeapDeCommitFreeBlockThreshold', u'0', string_type, 183),
            (u'HeapDeCommitTotalFreeThreshold', u'0', string_type, 203),
            (u'HeapSegmentCommit', u'0', string_type, 213),
            (u'HeapSegmentReserve', u'0', string_type, 223),
            (u'NumberOfInitialSessions', u'2', string_type, 243),
        ]
        for value_name, text, value_type, value_offset in session_values:
            session_key.AddValue(dfwinreg_fake.FakeWinRegistryValue(
                value_name, data=text.encode(u'utf_16_le'),
                data_type=value_type, offset=value_offset))

        return session_key