    def testWMIActiveScriptEventConsumerParser(self):
        """Parse a fully populated ActiveScriptEventConsumer dictionary.

        The fixture mirrors a VBScript consumer whose ScriptText appends
        process timing data to a log file. Expectations on the single parsed
        result:
          * the binary CreatorSID is rendered as an "S-1-5-21-..." string,
          * a MaximumQueueSize of None is reported as 0,
          * a ScriptFilename of None is falsy.
        """
        # Raw string: the VBScript contains backslashes and embedded quotes.
        script_text = r"""Dim objFS, objFile
Set objFS = CreateObject("Scripting.FileSystemObject")
Set objFile = objFS.OpenTextFile("C:\temp.log", 8, true)
objFile.WriteLine "Time: " & Now & "; Entry made by: ASEC"
objFile.WriteLine "Application closed. UserModeTime: " &
TargetEvent.TargetInstance.UserModeTime &_ "; KernelModeTime: " &
TargetEvent.TargetInstance.KernelModeTime & " [hundreds of nanoseconds]"
objFile.Close"""
        # Binary SID as the client reports it; the expected string below is
        # its decoded form.
        creator_sid = [
            1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0, 0, 152, 18, 57, 8, 206, 29, 80,
            44, 70, 38, 82, 8, 244, 1, 0, 0
        ]
        fields = {
            "CreatorSID": creator_sid,
            "KillTimeout": 0,
            "MachineName": None,
            "MaximumQueueSize": None,
            "Name": "SomeName",
            "ScriptFilename": None,
            "ScriptingEngine": "VBScript",
            "ScriptText": script_text,
        }
        rdf_dict = rdf_protodict.Dict()
        for field_name, value in fields.items():
            rdf_dict[field_name] = value

        parser = wmi_parser.WMIActiveScriptEventConsumerParser()
        parsed = list(parser.Parse(None, rdf_dict, None))
        self.assertEqual(len(parsed), 1)
        (consumer,) = parsed
        self.assertEqual(consumer.CreatorSID,
                         "S-1-5-21-137958040-743448014-139601478-500")
        self.assertEqual(consumer.MaximumQueueSize, 0)
        self.assertFalse(consumer.ScriptFilename)
 def testWMIEventConsumerParserRaisesWhenNonEmptyDictReturnedEmpty(self):
     """A dict holding only an unknown field makes the parser raise.

     Parse is a generator, so it is consumed inside the assertRaises block
     to make the ValueError observable. Anything yielded before the error
     is expected to be an Anomaly.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     rdf_dict = rdf_protodict.Dict()
     rdf_dict["NonexistentField"] = "Abcdef"
     with self.assertRaises(ValueError):
         for item in parser.Parse(None, rdf_dict, None):
             self.assertEqual(type(item), rdf_anomaly.Anomaly)
 def testWMIEventConsumerParserDoesntFailOnUnknownField(self):
     """An unknown field next to a valid one is reported, not fatal.

     The parser yields two results: an Anomaly first (surfacing the
     unrecognized field rather than dropping it silently), then the
     consumer itself.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     rdf_dict = rdf_protodict.Dict()
     rdf_dict["NonexistentField"] = "Abcdef"
     rdf_dict["Name"] = "Test event consumer"
     parsed = list(parser.Parse(None, rdf_dict, None))
     self.assertEqual(2, len(parsed))
     # Ordering matters: anomalies are yielded before the consumer.
     expected_types = [rdf_anomaly.Anomaly, rdf_wmi.WMIActiveScriptEventConsumer]
     self.assertEqual([type(item) for item in parsed], expected_types)
    def testWMIEventConsumerParserDoesntFailOnMalformedSIDs(self):
        """A malformed CreatorSID must not abort parsing.

        Every candidate below is something other than a well-formed binary
        SID; the parser is still expected to yield exactly one result per
        consumer instead of raising.
        """
        parser = wmi_parser.WMIActiveScriptEventConsumerParser()
        rdf_dict = rdf_protodict.Dict()
        malformed_sids = (
            [1, 5, 0, 0, 0, 0, 0, 5, 21, 0, 0],  # shorter than a full binary SID
            "(1, 2, 3)",  # Older clients (3.0.0.3) return the SID like this
            1,
            {1: 2},
            (1, 2),
        )
        for creator_sid in malformed_sids:
            # Only CreatorSID changes; the same dict is reused each iteration.
            rdf_dict["CreatorSID"] = creator_sid
            parsed = list(parser.Parse(None, rdf_dict, None))
            self.assertEqual(len(parsed), 1)
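 def testWMIEventConsumerParser_EmptyConsumersYieldBlank(self):
     """An empty consumer dict parses to a single, falsy result.

     Uses assertFalse directly instead of comparing ``not result`` with
     True, matching the assertion style of the other consumer tests and
     giving a clearer failure message.
     """
     parser = wmi_parser.WMIActiveScriptEventConsumerParser()
     rdf_dict = rdf_protodict.Dict()
     result_list = list(parser.Parse(None, rdf_dict, None))
     self.assertEqual(1, len(result_list))
     self.assertFalse(result_list[0])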