def testFindsKeyWithLiteralAndModificaitonTimeConditions(self):
  # Combines a modification-time window with a value literal match. Only the
  # Sidebar key is expected to satisfy both: the time window on its own also
  # admits MctAdmin (see testFindsKeysIfModificationTimeConditionMatches),
  # so the literal condition is what narrows the result down to one key.
  anchor_seconds = 1247546054
  time_window = rdfvalue.FileFinderModificationTimeCondition(
      min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
          anchor_seconds - 1),
      max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
          anchor_seconds + 1))
  literal_match = rdfvalue.FileFinderContentsLiteralMatchCondition(
      literal="Windows Sidebar\\Sidebar.exe")

  condition_types = rdfvalue.RegistryFinderCondition.Type
  conditions = [
      rdfvalue.RegistryFinderCondition(
          condition_type=condition_types.MODIFICATION_TIME,
          modification_time=time_window),
      rdfvalue.RegistryFinderCondition(
          condition_type=condition_types.VALUE_LITERAL_MATCH,
          value_literal_match=literal_match),
  ]
  self.RunFlow(
      ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
      conditions)

  results = self.GetResults()
  self.assertEqual(len(results), 1)
  # The registry fixture is defined in test_data/client_fixture.py.
  found = results[0]
  self.assertEqual(
      found.stat_entry.aff4path,
      "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
      "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
def testFindsKeysIfModificationTimeConditionMatches(self):
  # A two-second window around the fixture's modification time should match
  # exactly the Sidebar and MctAdmin keys (see test_data/client_fixture.py).
  anchor_seconds = 1247546054
  time_window = rdfvalue.FileFinderModificationTimeCondition(
      min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
          anchor_seconds - 1),
      max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
          anchor_seconds + 1))

  condition_types = rdfvalue.RegistryFinderCondition.Type
  conditions = [
      rdfvalue.RegistryFinderCondition(
          condition_type=condition_types.MODIFICATION_TIME,
          modification_time=time_window),
  ]
  self.RunFlow(
      ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
      conditions)

  results = self.GetResults()
  self.assertEqual(len(results), 2)

  # Match on the key's basename rather than the full AFF4 path so the check
  # is independent of the client id prefix.
  basenames = [r.stat_entry.aff4path.Basename() for r in results]
  self.assertTrue(any(name == "Sidebar" for name in basenames))
  self.assertTrue(any(name == "MctAdmin" for name in basenames))
def testFindsNothingIfModiciationTimeConditionMatchesNothing(self):
  # A window of [0, 1] seconds since the epoch lies well outside the fixture's
  # modification times, so the flow must not return any key.
  epoch_start = rdfvalue.RDFDatetime().FromSecondsFromEpoch(0)
  one_second_in = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1)
  time_window = rdfvalue.FileFinderModificationTimeCondition(
      min_last_modified_time=epoch_start,
      max_last_modified_time=one_second_in)

  condition_types = rdfvalue.RegistryFinderCondition.Type
  conditions = [
      rdfvalue.RegistryFinderCondition(
          condition_type=condition_types.MODIFICATION_TIME,
          modification_time=time_window),
  ]
  self.RunFlow(
      ["HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"],
      conditions)
  self.AssertNoResults()
def testModificationTimeConditionWithDifferentActions(self):
  # Runs the same modification-time condition under every FileFinder action
  # and checks that the set of matched files does not depend on the action.
  expected_files = ["dpkg.log", "dpkg_false.log"]
  non_expected_files = ["auth.log"]

  # Only a lower bound is set: anything modified at or after this instant
  # should match, anything older should not.
  change_time = rdfvalue.RDFDatetime().FromSecondsFromEpoch(1444444440)
  time_window = rdfvalue.FileFinderModificationTimeCondition(
      min_last_modified_time=change_time)
  modification_time_condition = rdfvalue.FileFinderCondition(
      condition_type=rdfvalue.FileFinderCondition.Type.MODIFICATION_TIME,
      modification_time=time_window)

  # Sorted for a deterministic run order across test invocations.
  actions = file_finder.FileFinderAction.Action.enum_dict.values()
  for action in sorted(actions):
    self.RunFlowAndCheckResults(
        action=action,
        conditions=[modification_time_condition],
        expected_files=expected_files,
        non_expected_files=non_expected_files)