def testGetServiceName(self):
    """_GetServiceName recovers the service key name from a registry path.

    A value stored directly under the service key (Start) and one stored
    under a nested Parameters subkey (ServiceDLL) must both map back to
    the same service name, otherwise values of one service could be
    attributed to another.
    """
    services_root = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services"
    parser = windows_registry_parser.WinServicesParser()
    for suffix in ("SomeService/Start", "SomeService/Parameters/ServiceDLL"):
        value_path = "/".join((services_root, suffix))
        self.assertEqual(parser._GetServiceName(value_path), "SomeService")
    def testWinServicesParser(self):
        """WinServicesParser assembles one result per service key.

        The fixture mixes CurrentControlSet and ControlSet001 paths, a
        malformed value sitting directly under the services root, a
        REG_MULTI_SZ display name and a non-ASCII service key. Exactly
        three services are expected back and the malformed value must be
        dropped rather than aborting the parse.
        """
        reg_type = rdf_client.StatEntry.RegistryType
        dword = reg_type.REG_DWORD_LITTLE_ENDIAN
        reg_str = reg_type.REG_SZ
        multi_sz = reg_type.REG_MULTI_SZ
        hklm = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services"
        hklm_set01 = "HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/services"
        service_keys = [
            (hklm + "/ACPI/Type", 1, dword),
            (hklm + "/ACPI/Start", 0, dword),
            # A value with no service subkey in its path; the parser is
            # expected to skip it silently.
            (hklm + "/notarealservice", 3, dword),
            (hklm + "/ACPI/ErrorControl", 3, dword),
            (hklm + "/ACPI/ImagePath", "system32\\drivers\\ACPI.sys", reg_str),
            (hklm + "/ACPI/DisplayName", "Microsoft ACPI Driver", reg_str),
            (hklm + "/ACPI/Group", "Boot Bus Extender", reg_str),
            (hklm + "/ACPI/DriverPackageId",
             "acpi.inf_amd64_neutral_99aaaaabcccccccc", reg_str),
            (hklm_set01 + "/AcpiPmi/Start", 3, dword),
            (hklm_set01 + "/AcpiPmi/DisplayName", "AcpiPmi", multi_sz),
            (hklm + u"/中国日报/DisplayName", u"中国日报", reg_str),
            (hklm + u"/中国日报/Parameters/ServiceDLL", "blah.dll", reg_str),
        ]

        def assert_fields(service, expected):
            # Check each (attribute, value) pair in the order given.
            for attr, value in expected:
                self.assertEqual(getattr(service, attr), value)

        stats = [self._MakeRegStat(*entry) for entry in service_keys]
        parser = windows_registry_parser.WinServicesParser()
        results = parser.ParseMultiple(stats, None)

        seen_display_names = []
        for service in results:
            if service.display_name == u"中国日报":
                assert_fields(service, [("service_dll", "blah.dll")])
            elif utils.SmartStr(service.registry_key).endswith("AcpiPmi"):
                assert_fields(service, [
                    ("name", "AcpiPmi"),
                    ("startup_type", 3),
                    # A REG_MULTI_SZ display name currently surfaces as the
                    # repr of a one-element list; the test pins that.
                    ("display_name", "[u'AcpiPmi']"),
                ])
                self.assertEqual(
                    service.registry_key.Path(),
                    "/C.1000000000000000/registry/%s/AcpiPmi" % hklm_set01)
            elif utils.SmartStr(service.registry_key).endswith("ACPI"):
                assert_fields(service, [
                    ("name", "ACPI"),
                    ("service_type", 1),
                    ("startup_type", 0),
                    ("error_control", 3),
                    ("image_path", "system32\\drivers\\ACPI.sys"),
                    ("display_name", "Microsoft ACPI Driver"),
                    ("group_name", "Boot Bus Extender"),
                    ("driver_package_id",
                     "acpi.inf_amd64_neutral_99aaaaabcccccccc"),
                ])
            else:
                continue
            seen_display_names.append(service.display_name)

        # Every expected service was seen exactly once, in any order.
        self.assertItemsEqual(
            seen_display_names,
            [u"中国日报", "[u'AcpiPmi']", "Microsoft ACPI Driver"])
    def testWinServicesParser(self):
        """WinServicesParser assembles one result per service key.

        This variant consumes ParseMultiple's output in a fixed order
        (the non-ASCII key, then AcpiPmi, then ACPI) and checks that
        nothing follows, so it pins the parser's yield order as well as
        its field mapping.
        """
        reg_type = rdfvalue.StatEntry.RegistryType
        dword = reg_type.REG_DWORD_LITTLE_ENDIAN
        reg_str = reg_type.REG_SZ
        multi_sz = reg_type.REG_MULTI_SZ
        hklm = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services"
        hklm_set01 = "HKEY_LOCAL_MACHINE/SYSTEM/ControlSet001/services"
        service_keys = [
            (hklm + "/ACPI/Type", 1, dword),
            (hklm + "/ACPI/Start", 0, dword),
            (hklm + "/ACPI/ErrorControl", 3, dword),
            (hklm + "/ACPI/ImagePath", "system32\\drivers\\ACPI.sys", reg_str),
            (hklm + "/ACPI/DisplayName", "Microsoft ACPI Driver", reg_str),
            (hklm + "/ACPI/Group", "Boot Bus Extender", reg_str),
            (hklm + "/ACPI/DriverPackageId",
             "acpi.inf_amd64_neutral_99aaaaabcccccccc", reg_str),
            (hklm_set01 + "/AcpiPmi/Start", 3, dword),
            (hklm_set01 + "/AcpiPmi/DisplayName", "AcpiPmi", multi_sz),
            (hklm + u"/中国日报/DisplayName", u"中国日报", reg_str),
            (hklm + u"/中国日报/Parameters/ServiceDLL", "blah.dll", reg_str),
        ]

        def assert_fields(service, expected):
            # Check each (attribute, value) pair in the order given.
            for attr, value in expected:
                self.assertEqual(getattr(service, attr), value)

        stats = [self._MakeRegStat(*entry) for entry in service_keys]
        parser = windows_registry_parser.WinServicesParser()
        results = parser.ParseMultiple(stats, None)

        non_ascii = next(results)
        assert_fields(non_ascii, [
            ("display_name", u"中国日报"),
            ("service_dll", "blah.dll"),
        ])

        acpipmi = next(results)
        assert_fields(acpipmi, [
            ("name", "AcpiPmi"),
            ("startup_type", 3),
            # A REG_MULTI_SZ display name currently surfaces as the repr
            # of a one-element list; the test pins that.
            ("display_name", "[u'AcpiPmi']"),
        ])
        self.assertEqual(
            acpipmi.registry_key.Path(),
            "/C.1000000000000000/registry/%s/AcpiPmi" % hklm_set01)

        acpi = next(results)
        assert_fields(acpi, [
            ("name", "ACPI"),
            ("service_type", 1),
            ("startup_type", 0),
            ("error_control", 3),
            ("image_path", "system32\\drivers\\ACPI.sys"),
            ("display_name", "Microsoft ACPI Driver"),
            ("group_name", "Boot Bus Extender"),
            ("driver_package_id",
             "acpi.inf_amd64_neutral_99aaaaabcccccccc"),
        ])

        # No further services should be produced from the fixture.
        self.assertRaises(StopIteration, next, results)