def testFindsKeyWithLiteralAndModificationTimeConditions(self):
  """Combining a time window with a literal match narrows the hits to one key.

  Both conditions have to hold for a key to be reported: its modification
  time must fall inside a +/-1s window around the fixture timestamp, and one
  of its values must match the literal. In the fixture only the Sidebar key
  satisfies both (see test_data/client_fixture.py).
  """
  fixture_mtime = 1247546054
  window_start = rdfvalue.RDFDatetime().FromSecondsFromEpoch(fixture_mtime - 1)
  window_end = rdfvalue.RDFDatetime().FromSecondsFromEpoch(fixture_mtime + 1)

  time_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
      modification_time=file_finder.FileFinderModificationTimeCondition(
          min_last_modified_time=window_start,
          max_last_modified_time=window_end))
  literal_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.VALUE_LITERAL_MATCH,
      value_literal_match=file_finder.FileFinderContentsLiteralMatchCondition(
          bytes_before=10,
          bytes_after=10,
          literal="Windows Sidebar\\Sidebar.exe"))
  run_key_glob = (
      "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")

  self.RunFlow([run_key_glob], [time_condition, literal_condition])

  results = self.GetResults()
  # The time window alone also matches MctAdmin (see
  # testFindsKeysIfModificationTimeConditionMatches); the literal condition
  # is what reduces the result set to the single Sidebar key.
  self.assertEqual(len(results), 1)
  self.assertEqual(
      results[0].stat_entry.aff4path,
      "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
      "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
def testFindsKeysIfModificationTimeConditionMatches(self):
  """A modification-time window alone returns every key modified inside it.

  With a +/-1s window around the fixture timestamp both the Sidebar and the
  MctAdmin keys under the Run key are expected (see
  test_data/client_fixture.py).
  """
  fixture_mtime = 1247546054
  time_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
      modification_time=file_finder.FileFinderModificationTimeCondition(
          min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
              fixture_mtime - 1),
          max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
              fixture_mtime + 1)))
  run_key_glob = (
      "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")

  self.RunFlow([run_key_glob], [time_condition])

  results = self.GetResults()
  self.assertEqual(len(results), 2)
  # Compare on key basenames so the assertion is independent of result order.
  found_keys = [r.stat_entry.aff4path.Basename() for r in results]
  self.assertIn("Sidebar", found_keys)
  self.assertIn("MctAdmin", found_keys)
def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
  """A time window no fixture key falls into yields an empty result set.

  The window [0s, 1s] after the epoch predates every modification time in
  the fixture, so the flow must report nothing rather than fall back to
  unfiltered results.
  """
  epoch = rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)
  one_second_after_epoch = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1)
  time_condition = registry.RegistryFinderCondition(
      condition_type=registry.RegistryFinderCondition.Type.MODIFICATION_TIME,
      modification_time=file_finder.FileFinderModificationTimeCondition(
          min_last_modified_time=epoch,
          max_last_modified_time=one_second_after_epoch))
  run_key_glob = (
      "HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*")

  self.RunFlow([run_key_glob], [time_condition])
  self.AssertNoResults()
def testModificationTimeConditionWithDifferentActions(self):
  """The modification-time condition selects the same files for every action.

  A lower bound on the modification time is applied together with each
  FileFinderAction in turn; the expected/non-expected file lists must hold
  regardless of which action is used.
  """
  matching_files = ["dpkg.log", "dpkg_false.log"]
  excluded_files = ["auth.log"]

  # Only a lower bound: anything modified at or after this instant matches.
  lower_bound = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)
  time_condition = file_finder.FileFinderCondition(
      condition_type=file_finder.FileFinderCondition.Type.MODIFICATION_TIME,
      modification_time=file_finder.FileFinderModificationTimeCondition(
          min_last_modified_time=lower_bound))

  # Sorted for a deterministic run order across interpreter versions.
  all_actions = sorted(
      file_finder.FileFinderAction.Action.enum_dict.values())
  for current_action in all_actions:
    self.RunFlowAndCheckResults(
        action=current_action,
        conditions=[time_condition],
        expected_files=matching_files,
        non_expected_files=excluded_files)