示例#1
0
 def test_array_uint16(self):
     """
     Test the deserialization of an array UINT16 element
     """
     event = Container()
     meta = Container()
     meta.ext_type = 11
     meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x26'
     event.extended_data = ListContainer([meta])
     event.user_data = b'\x10\x00' + b'\x00' * 32
     tl = build_tracelogging(event)
     self.assertEqual(tl.get_name(), "Test", "Invalid Name")
     self.assertEqual(tl["Engine"], [0] * 16)
示例#2
0
 def test_tracelogging_guid(self):
     """
     Test a trace named Test and log GUI
     """
     event = Container()
     meta = Container()
     meta.ext_type = 11
     meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x0F'
     event.extended_data = ListContainer([meta])
     event.user_data = b'\x00' * 16
     tl = build_tracelogging(event)
     self.assertEqual(tl.get_name(), "Test", "Invalid Name")
     parsed_guid = tl["Engine"]
     self.assertEqual(
         Guid(parsed_guid.data1, parsed_guid.data2, parsed_guid.data3,
              parsed_guid.data4),
         guid("00000000-0000-0000-0000-000000000000"), "Invalid GUID")
示例#3
0
 def test_tracelogging_wstring(self):
     """
     Test the normal build of a trace logging
     The name of the event is AmsiScript
     This bin have three meta field to parse :
     * Engine : name of the script engine
     * Script : raw script for encoded in wide string
     * Raw Script : raw script not encode (Array of UINT16)
     """
     event = Container()
     meta = Container()
     meta.ext_type = 11
     meta.data_item = b'\x10\x00\x00Test\x00Engine\x00\x01'
     event.extended_data = ListContainer([meta])
     event.user_data = b'P\x00o\x00w\x00e\x00r\x00S\x00h\x00e\x00l\x00l\x00\x00\x00'
     tl = build_tracelogging(event)
     self.assertEqual(tl.get_name(), "Test", "Invalid Name")
     self.assertEqual(tl["Engine"], "PowerShell", "Invalid Name")
示例#4
0
 def parse_tracelogging(self) -> TraceLogging:
     """
     Try to parse a tracelogging event
     """
     return build_tracelogging(self.source)