def ParseResponses(self, knowledge_base, responses):
"""Parse Service registry keys and return WindowsServiceInformation."""
del knowledge_base # Unused.
precondition.AssertIterableType(responses, rdf_client_fs.StatEntry)
services = {}
field_map = {
"Description": "description",
"DisplayName": "display_name",
"Group": "group_name",
"DriverPackageId": "driver_package_id",
"ErrorControl": "error_control",
"ImagePath": "image_path",
"ObjectName": "object_name",
"Start": "startup_type",
"Type": "service_type",
"Parameters/ServiceDLL": "service_dll"
}
# Field map key should be converted to lowercase because key aquired through
# self._GetKeyName could have some characters in different case than the
# field map, e.g. ServiceDLL and ServiceDll.
field_map = {k.lower(): v for k, v in iteritems(field_map)}
for stat in responses:
# Ignore subkeys
if not stat.HasField("registry_data"):
continue
service_name = self._GetServiceName(stat.pathspec.path)
reg_key = os.path.dirname(stat.pathspec.path)
service_info = rdf_client.WindowsServiceInformation(
name=service_name, registry_key=reg_key)
services.setdefault(service_name, service_info)
key = self._GetKeyName(stat.pathspec.path)
if key in field_map:
try:
services[service_name].Set(field_map[key],
stat.registry_data.GetValue())
except type_info.TypeValueError:
# Flatten multi strings into a simple string
if (stat.registry_type ==
rdf_client_fs.StatEntry.RegistryType.REG_MULTI_SZ):
services[service_name].Set(
field_map[key],
utils.SmartUnicode(stat.registry_data.GetValue()))
else:
# Log failures for everything else
# TODO(user): change this to yield a ParserAnomaly object.
dest_type = type(services[service_name].Get(
field_map[key]))
logging.debug(
"Wrong type set for %s:%s, expected %s, got %s",
stat.pathspec.path, stat.registry_data.GetValue(),
dest_type, type(stat.registry_data.GetValue()))
return itervalues(services)
def testExportsValueCoorrectly(self):
sample = rdf_client.WindowsServiceInformation(
name="foo",
description="bar",
state="somestate",
wmi_information={
"c": "d",
"a": "b"
},
display_name="some name",
driver_package_id="1234",
error_control=rdf_client.WindowsServiceInformation.ErrorControl.
NORMAL,
image_path="/foo/bar",
object_name="an object",
startup_type=rdf_client.WindowsServiceInformation.ServiceMode.
SERVICE_AUTO_START,
service_type=rdf_client.WindowsServiceInformation.ServiceType.
SERVICE_FILE_SYSTEM_DRIVER,
group_name="somegroup",
service_dll="somedll",
registry_key="somekey",
)
converter = windows_service_info.WindowsServiceInformationConverter()
converted = list(converter.Convert(self.metadata, sample))
self.assertLen(converted, 1)
c = converted[0]
self.assertIsInstance(
c, windows_service_info.ExportedWindowsServiceInformation)
self.assertEqual(c.metadata, self.metadata)
self.assertEqual(c.name, "foo")
self.assertEqual(c.description, "bar")
self.assertEqual(c.state, "somestate")
self.assertEqual(c.wmi_information, "a=b,c=d")
self.assertEqual(c.display_name, "some name")
self.assertEqual(c.driver_package_id, "1234")
self.assertEqual(c.error_control, 1)
self.assertEqual(c.image_path, "/foo/bar")
self.assertEqual(c.object_name, "an object")
self.assertEqual(c.startup_type, 2)
self.assertEqual(c.service_type, 0x2)
self.assertEqual(c.group_name, "somegroup")
self.assertEqual(c.service_dll, "somedll")
self.assertEqual(c.registry_key, "somekey")
def testParse(self):
parser = windows_persistence.WindowsPersistenceMechanismsParser()
path = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
r"\Run\test")
pathspec = rdf_paths.PathSpec(
path=path, pathtype=rdf_paths.PathSpec.PathType.REGISTRY)
reg_data = "C:\\blah\\some.exe /v"
reg_type = rdf_client_fs.StatEntry.RegistryType.REG_SZ
stat = rdf_client_fs.StatEntry(
pathspec=pathspec,
registry_type=reg_type,
registry_data=rdf_protodict.DataBlob(string=reg_data))
persistence = [stat]
image_paths = [
"system32\\drivers\\ACPI.sys",
"%systemroot%\\system32\\svchost.exe -k netsvcs",
"\\SystemRoot\\system32\\drivers\\acpipmi.sys"
]
reg_key = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/AcpiPmi"
for path in image_paths:
serv_info = rdf_client.WindowsServiceInformation(
name="blah",
display_name="GRRservice",
image_path=path,
registry_key=reg_key)
persistence.append(serv_info)
knowledge_base = rdf_client.KnowledgeBase()
knowledge_base.environ_systemroot = "C:\\Windows"
expected = [
"C:\\blah\\some.exe", "C:\\Windows\\system32\\drivers\\ACPI.sys",
"C:\\Windows\\system32\\svchost.exe",
"C:\\Windows\\system32\\drivers\\acpipmi.sys"
]
for index, item in enumerate(persistence):
results = list(
parser.Parse(item, knowledge_base,
rdf_paths.PathSpec.PathType.OS))
self.assertEqual(results[0].pathspec.path, expected[index])
self.assertEqual(len(results), 1)
def testExportsEmptyValueCorrectly(self):
sample = rdf_client.WindowsServiceInformation()
converter = windows_service_info.WindowsServiceInformationConverter()
converted = list(converter.Convert(self.metadata, sample))
self.assertLen(converted, 1)
c = converted[0]
self.assertEqual(c.metadata, self.metadata)
self.assertEqual(c.name, "")
self.assertEqual(c.description, "")
self.assertEqual(c.state, "")
self.assertEqual(c.wmi_information, "")
self.assertEqual(c.display_name, "")
self.assertEqual(c.driver_package_id, "")
self.assertEqual(c.error_control, 0)
self.assertEqual(c.image_path, "")
self.assertEqual(c.object_name, "")
self.assertEqual(c.startup_type, 0)
self.assertEqual(c.service_type, 0)
self.assertEqual(c.group_name, "")
self.assertEqual(c.service_dll, "")
self.assertEqual(c.registry_key, "")
