def testBuildKeyHierarchy(self): """Tests the BuildKeyHierarchy function.""" test_key = fake.FakeWinRegistryKey( 'Microsoft', key_path='HKEY_CURRENT_USER\\Software\\Microsoft', last_written_time=0) test_value = fake.FakeWinRegistryValue('') self.assertIsNotNone(test_key) self.assertIsNotNone(test_value) # Test with subkeys and values. registry_key = fake.FakeWinRegistryKey( 'Software', key_path='HKEY_CURRENT_USER\\Software', last_written_time=0, subkeys=[test_key], values=[test_value]) self.assertIsNotNone(registry_key) # Test with duplicate subkeys and values. registry_key = fake.FakeWinRegistryKey( 'Software', key_path='HKEY_CURRENT_USER\\Software', last_written_time=0, subkeys=[test_key, test_key], values=[test_value, test_value]) self.assertIsNotNone(registry_key)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('FolderDescriptions') registry_file.AddKeyByPath( '\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._GUID) registry_key.AddSubkey(self._GUID, subkey) value_data = self._NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Name', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._LOCALIZED_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'LocalizedName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'Servers', key_path=key_path, last_written_time=filetime.timestamp, offset=865) server_subkey_name = 'myserver.com' server_subkey = dfwinreg_fake.FakeWinRegistryKey( server_subkey_name, last_written_time=filetime.timestamp, offset=1456) registry_key.AddSubkey(server_subkey_name, server_subkey) value_data = 'DOMAIN\\username'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'UsernameHint', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1892) server_subkey.AddValue(registry_value) return registry_key
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Select') registry_file.AddKeyByPath('\\', registry_key) value_data = b'\x01\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Current', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) registry_key.AddValue(registry_value) registry_key = dfwinreg_fake.FakeWinRegistryKey('AppCompatibility') registry_file.AddKeyByPath( '\\ControlSet001\\Control\\Session Manager', registry_key) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'AppCompatCache', data=_CACHE_DATA_WINDOWS_XP, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testCheckKeyPath(self): """Tests the _CheckKeyPath function.""" find_spec = registry_searcher.FindSpec( key_path=u'HKEY_CURRENT_USER\\Software\\Microsoft') registry_key = fake.FakeWinRegistryKey( u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software') result = find_spec._CheckKeyPath(registry_key, 3) self.assertTrue(result) result = find_spec._CheckKeyPath(registry_key, 0) self.assertTrue(result) # Test incorrect search depth. result = find_spec._CheckKeyPath(registry_key, 1) self.assertFalse(result) # Test invalid search depth. result = find_spec._CheckKeyPath(registry_key, -1) self.assertFalse(result) result = find_spec._CheckKeyPath(registry_key, 99) self.assertFalse(result) # Test find specification with regular expression. find_spec = registry_searcher.FindSpec( key_path_regex=[u'HKEY_CURRENT_USER', u'Software', u'Microsoft']) registry_key = fake.FakeWinRegistryKey( u'Microsoft', key_path=u'HKEY_CURRENT_USER\\Software') result = find_spec._CheckKeyPath(registry_key, 3) self.assertTrue(result)
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path: the Windows Registry key path. time_string: string containing the key last written date and time. Returns: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ filetime = dfwinreg_filetime.Filetime() filetime.CopyFromString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( u'Servers', key_path=key_path, last_written_time=filetime.timestamp, offset=865) server_subkey = dfwinreg_fake.FakeWinRegistryKey( u'myserver.com', last_written_time=filetime.timestamp, offset=1456) value_data = u'DOMAIN\\username'.encode(u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'UsernameHint', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1892) server_subkey.AddValue(registry_value) registry_key.AddSubkey(server_subkey) return registry_key
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\SAM' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Users') registry_file.AddKeyByPath('\\SAM\\Domains\\Account', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._RID) registry_key.AddSubkey(self._RID, subkey) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'F', data=_F_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY) subkey.AddValue(registry_value) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'V', data=_V_VALUE_DATA, data_type=dfwinreg_definitions.REG_BINARY) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('ProfileList') registry_file.AddKeyByPath( '\\Microsoft\\Windows NT\\CurrentVersion', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._SID) registry_key.AddSubkey(subkey) value_data = self._PROFILE_PATH.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProfileImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestKey(self, binary_data): """Creates Registry keys and values for testing. Args: binary_data (bytes): BAM Registry value data. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ key_path = '\\ControlSet001\\Services\\bam\\State' filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString('2019-03-19 20:55:19.975237') registry_key = dfwinreg_fake.FakeWinRegistryKey( 'UserSettings', key_path=key_path, last_written_time=filetime.timestamp) filetime.CopyFromDateTimeString('2019-03-19 13:29:56.008214') sid_key_name = 'S-1-5-21-321011808-3761883066-353627080-1000' sid_key = dfwinreg_fake.FakeWinRegistryKey( sid_key_name, last_written_time=filetime.timestamp) registry_value = dfwinreg_fake.FakeWinRegistryValue( ('\\Device\\HarddiskVolume1\\Windows\\System32\\WindowsPowerShell' '\\v1.0\\powershell.exe'), data=binary_data, data_type=dfwinreg_definitions.REG_BINARY) sid_key.AddValue(registry_value) registry_key.AddSubkey(sid_key_name, sid_key) return registry_key
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Services') registry_file.AddKeyByPath('\\CurrentControlSet', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey('WwanSvc') registry_key.AddSubkey('WwanSvc', subkey) value_data = self._DESCRIPTION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Description', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._DISPLAY_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'DisplayName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._IMAGE_PATH.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = self._OBJECT_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ObjectName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) value_data = b'\x03\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) subkey.AddValue(registry_value) value_data = b'\x20\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) subkey.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def testAddSubkey(self): """Tests the AddSubkey function.""" registry_key = fake.FakeWinRegistryKey( 'Software', key_path='HKEY_CURRENT_USER\\Software', last_written_time=0) sub_registry_key = fake.FakeWinRegistryKey( 'Microsoft', key_path='HKEY_CURRENT_USER\\Software\\Microsoft', last_written_time=0) registry_key.AddSubkey(sub_registry_key) with self.assertRaises(KeyError): registry_key.AddSubkey(sub_registry_key)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID1) registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION1) registry_key.AddSubkey(self._VERSION1, subkey) value_data = self._DESCRIPTION1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) language_key = dfwinreg_fake.FakeWinRegistryKey('409') subkey.AddSubkey('409', language_key) platform_key = dfwinreg_fake.FakeWinRegistryKey('Win32') language_key.AddSubkey('Win32', platform_key) value_data = self._FILENAME1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) platform_key.AddValue(registry_value) registry_key = dfwinreg_fake.FakeWinRegistryKey(self._GUID2) registry_file.AddKeyByPath('\\Classes\\TypeLib', registry_key) subkey = dfwinreg_fake.FakeWinRegistryKey(self._VERSION2) registry_key.AddSubkey(self._VERSION2, subkey) value_data = self._DESCRIPTION1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) subkey.AddValue(registry_value) language_key = dfwinreg_fake.FakeWinRegistryKey('0') subkey.AddSubkey('0', language_key) platform_key = dfwinreg_fake.FakeWinRegistryKey('x64') language_key.AddSubkey('x64', platform_key) value_data = self._FILENAME1.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) platform_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestKey(self, time_string, binary_data): """Creates Registry keys and values for testing. Args: time_string: string containing the key last written date and time. binary_data: the binary data of the AppCompatCache Registry value. Returns: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ key_path = u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache' filetime = dfwinreg_filetime.Filetime() filetime.CopyFromString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( u'AppCompatCache', key_path=key_path, last_written_time=filetime.timestamp, offset=1456) registry_value = dfwinreg_fake.FakeWinRegistryValue( u'AppCompatCache', data=binary_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) return registry_key
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path: the Windows Registry key path. time_string: string containing the key last written date and time. Returns: A Windows Registry key (instance of dfwinreg.WinRegistryKey). """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( u'TestDriver', key_path=key_path, last_written_time=filetime.timestamp, offset=1456) value_data = b'\x02\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( u'Type', data=value_data, data_type=dfwinreg_definitions.REG_DWORD, offset=123) registry_key.AddValue(registry_value) value_data = b'\x02\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( u'Start', data=value_data, data_type=dfwinreg_definitions.REG_DWORD, offset=127) registry_key.AddValue(registry_value) value_data = b'\x01\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( u'ErrorControl', data=value_data, data_type=dfwinreg_definitions.REG_DWORD, offset=131) registry_key.AddValue(registry_value) value_data = u'Pnp Filter'.encode(u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'Group', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=140) registry_key.AddValue(registry_value) value_data = u'Test Driver'.encode(u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'DisplayName', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=160) registry_key.AddValue(registry_value) value_data = u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode( u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'DriverPackageId', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=180) registry_key.AddValue(registry_value) value_data = u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'ImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=200) registry_key.AddValue(registry_value) return registry_key
def _CreateTestKey(self, key_path, time_string): """Creates WinRAR ArcHistory Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( u'ArcHistory', key_path=key_path, last_written_time=filetime.timestamp, offset=1456) value_data = u'C:\\Downloads\\The Sleeping Dragon CD1.iso'.encode( u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'0', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1892) registry_key.AddValue(registry_value) value_data = u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( u'1', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=612) registry_key.AddValue(registry_value) return registry_key
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey( '{fd6c8b29-e936-4a61-8da6-b0c12ad3ba00}') registry_file.AddKeyByPath('\\Classes\\AppID', registry_key) value_data = 'Wordpad'.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( '', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def GetKeyByPath(self, key_path): """Retrieves the key for a specific path. Args: key_path (str): Windows Registry key path. Returns: WinRegistryKey: Windows Registry key or None if not available. Raises: RuntimeError: if the root key is not supported. """ if key_path == 'HKEY_LOCAL_MACHINE\\System\\Select': registry_key = fake.FakeWinRegistryKey( 'Select', key_path='HKEY_LOCAL_MACHINE\\System', last_written_time=0) registry_value = fake.FakeWinRegistryValue( 'Current', data=b'DATA', data_type=definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_value = fake.FakeWinRegistryValue( 'Default', data=b'\xff\xff\xff\xff', data_type=definitions.REG_DWORD) registry_key.AddValue(registry_value) registry_value = fake.FakeWinRegistryValue( 'LastKnownGood', data=b'\x01\x00\x00\x00', data_type=definitions.REG_DWORD) registry_key.AddValue(registry_value) return registry_key return super(TestWinRegistry, self).GetKeyByPath(key_path)
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('Environment') registry_file.AddKeyByPath( '\\CurrentControlSet\\Control\\Session Manager', registry_key) value_data = '%SystemRoot%\\TEMP'.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'TEMP', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_CURRENT_USER' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('RecentDocs') registry_file.AddKeyByPath( '\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer', registry_key) value_data = b'a\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) value_data = 'MyFile.txt\x00'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\System' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('MountedDevices') registry_file.AddKeyByPath('\\', registry_key) value_data = b'\x78\x56\x34\x12\x00\x10\x00\x00\x00\x00\x00\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( '\\DosDevices\\C:', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestRegistry(self): """Creates Registry keys and values for testing. Returns: dfwinreg.WinRegistry: Windows Registry for testing. """ key_path_prefix = 'HKEY_LOCAL_MACHINE\\Software' registry_file = dfwinreg_fake.FakeWinRegistryFile( key_path_prefix=key_path_prefix) registry_key = dfwinreg_fake.FakeWinRegistryKey('CurrentVersion') registry_file.AddKeyByPath('\\Microsoft\\Windows NT', registry_key) value_data = self._CSD_VERSION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CSDVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_BUILD_NUMBER.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentBuildNumber', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_TYPE.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentType', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._CURRENT_VERSION.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = b'\x47\xc8\xda\x4c' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'InstallDate', data=value_data, data_type=dfwinreg_definitions.REG_DWORD) registry_key.AddValue(registry_value) value_data = self._PRODUCT_IDENTIFIER.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProductId', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) value_data = self._PRODUCT_NAME.encode('utf-16-le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProductName', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) # TODO: add more values. registry_file.Open(None) registry = dfwinreg_registry.WinRegistry() registry.MapFile(key_path_prefix, registry_file) return registry
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'BootVerificationProgram', key_path=key_path, last_written_time=filetime.timestamp, offset=153) value_data = 'C:\\WINDOWS\\system32\\googleupdater.exe'.encode( 'utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ImagePath', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=123) registry_key.AddValue(registry_value) return registry_key
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'Default', key_path=key_path, last_written_time=filetime.timestamp, offset=1456) value_data = '192.168.16.60'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'MRU0', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1892) registry_key.AddValue(registry_value) value_data = 'computer.domain.com'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'MRU1', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=612) registry_key.AddValue(registry_value) return registry_key
def testFilters(self): """Tests the FILTERS class attribute.""" plugin = mrulist.MRUListStringPlugin() key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Some Windows\\' 'InterestingApp\\MRU') registry_key = dfwinreg_fake.FakeWinRegistryKey( 'MRUlist', key_path=key_path) result = self._CheckFiltersOnKeyPath(plugin, registry_key) self.assertFalse(result) registry_value = dfwinreg_fake.FakeWinRegistryValue('MRUList') registry_key.AddValue(registry_value) registry_value = dfwinreg_fake.FakeWinRegistryValue('a') registry_key.AddValue(registry_value) result = self._CheckFiltersOnKeyPath(plugin, registry_key) self.assertTrue(result) self._AssertNotFiltersOnKeyPath(plugin, 'HKEY_LOCAL_MACHINE\\Bogus') key_path = ( 'HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\' 'Explorer\\DesktopStreamMRU') self._AssertNotFiltersOnKeyPath(plugin, key_path)
def testGetValuesFromKey(self): """Tests the _GetValuesFromKey function.""" registry_key = dfwinreg_fake.FakeWinRegistryKey( 'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU') value_data = b'a\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) value_data = b'o\x00n\x00e\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'a', data=value_data, data_type=dfwinreg_definitions.REG_SZ) registry_key.AddValue(registry_value) plugin = interface.WindowsRegistryPlugin() expected_value_dict = { 'a': '[REG_SZ] one', 'MRUList': '[REG_BINARY] (2 bytes)' } values_dict = plugin._GetValuesFromKey(registry_key) self.assertEqual(sorted(values_dict.items()), sorted(expected_value_dict.items()))
def _CreateTestKey(self, time_string, binary_data): """Creates Registry keys and values for testing. Args: time_string (str): key last written date and time. binary_data (bytes): AppCompatCache Registry value data. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'AppCompatCache', key_path=self._TEST_KEY_PATH, last_written_time=filetime.timestamp, offset=1456) registry_value = dfwinreg_fake.FakeWinRegistryValue( 'AppCompatCache', data=binary_data, data_type=dfwinreg_definitions.REG_BINARY) registry_key.AddValue(registry_value) return registry_key
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'Search', key_path=key_path, last_written_time=filetime.timestamp, offset=1456) value_name = ( 'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\' '*****@*****.**') value_data = b'\xcf\x2b\x37\x00' registry_value = dfwinreg_fake.FakeWinRegistryValue( value_name, data=value_data, data_type=dfwinreg_definitions.REG_DWORD, offset=1892) registry_key.AddValue(registry_value) return registry_key
def _CreateTestKey(self, key_path, time_string): """Creates Registry keys and values for testing. Args: key_path (str): Windows Registry key path. time_string (str): key last written date and time. Returns: dfwinreg.WinRegistryKey: a Windows Registry key. """ filetime = dfdatetime_filetime.Filetime() filetime.CopyFromDateTimeString(time_string) registry_key = dfwinreg_fake.FakeWinRegistryKey( 'CurrentVersion', key_path=key_path, last_written_time=filetime.timestamp, offset=153) value_data = 'Service Pack 1'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CSDVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1892) registry_key.AddValue(registry_value) value_data = '5.1'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'CurrentVersion', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=1121) registry_key.AddValue(registry_value) value_data = b'\x13\x1aAP' registry_value = dfwinreg_fake.FakeWinRegistryValue( 'InstallDate', data=value_data, data_type=dfwinreg_definitions.REG_DWORD_LITTLE_ENDIAN, offset=1001) registry_key.AddValue(registry_value) value_data = 'MyTestOS'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'ProductName', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=123) registry_key.AddValue(registry_value) value_data = 'A Concerned Citizen'.encode('utf_16_le') registry_value = dfwinreg_fake.FakeWinRegistryValue( 'RegisteredOwner', data=value_data, data_type=dfwinreg_definitions.REG_SZ, offset=612) registry_key.AddValue(registry_value) return registry_key
def testAddKeyByPath(self): """Tests the AddKeyByPath function.""" registry_file = fake.FakeWinRegistryFile() software_key = fake.FakeWinRegistryKey('Software') registry_file.AddKeyByPath('\\', software_key) test_key = fake.FakeWinRegistryKey('Key') registry_file.AddKeyByPath('\\Test\\Path', test_key) test_key = fake.FakeWinRegistryKey('More') registry_file.AddKeyByPath('\\Test\\Path\\Key', test_key) with self.assertRaises(KeyError): registry_file.AddKeyByPath('\\', software_key) with self.assertRaises(ValueError): registry_file.AddKeyByPath('Test', software_key)
def testGetKeyByPath(self): """Tests the GetKeyByPath function.""" registry_file = fake.FakeWinRegistryFile() registry_key = registry_file.GetKeyByPath('\\') self.assertIsNone(registry_key) registry_file = self._OpenFakeRegistryFile( key_path_prefix='HKEY_LOCAL_MACHINE') test_key = fake.FakeWinRegistryKey('Key') registry_file.AddKeyByPath('\\Test\\Path', test_key) # Test root key without prefix. key_path = '\\' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, key_path) # Test root key with prefix. key_path = 'HKEY_LOCAL_MACHINE\\' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, '\\') # Test key without prefix. key_path = '\\Software' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, key_path) # Test key with prefix. key_path = 'HKEY_LOCAL_MACHINE\\Software' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, '\\Software') # Test key with some depth. key_path = '\\Test\\Path\\Key' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNotNone(registry_key) self.assertEqual(registry_key.path, key_path) # Test non-existing keys. key_path = '\\Bogus' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNone(registry_key) key_path = '\\Test\\Path\\Bogus' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNone(registry_key) key_path = 'Bogus' registry_key = registry_file.GetKeyByPath(key_path) self.assertIsNone(registry_key) registry_file.Close()