def ParseResponses(self, knowledge_base, responses): """Parse Service registry keys and return WindowsServiceInformation.""" del knowledge_base # Unused. precondition.AssertIterableType(responses, rdf_client_fs.StatEntry) services = {} field_map = { "Description": "description", "DisplayName": "display_name", "Group": "group_name", "DriverPackageId": "driver_package_id", "ErrorControl": "error_control", "ImagePath": "image_path", "ObjectName": "object_name", "Start": "startup_type", "Type": "service_type", "Parameters/ServiceDLL": "service_dll" } # Field map key should be converted to lowercase because key aquired through # self._GetKeyName could have some characters in different case than the # field map, e.g. ServiceDLL and ServiceDll. field_map = {k.lower(): v for k, v in iteritems(field_map)} for stat in responses: # Ignore subkeys if not stat.HasField("registry_data"): continue service_name = self._GetServiceName(stat.pathspec.path) reg_key = os.path.dirname(stat.pathspec.path) service_info = rdf_client.WindowsServiceInformation( name=service_name, registry_key=reg_key) services.setdefault(service_name, service_info) key = self._GetKeyName(stat.pathspec.path) if key in field_map: try: services[service_name].Set(field_map[key], stat.registry_data.GetValue()) except type_info.TypeValueError: # Flatten multi strings into a simple string if (stat.registry_type == rdf_client_fs.StatEntry.RegistryType.REG_MULTI_SZ): services[service_name].Set( field_map[key], utils.SmartUnicode(stat.registry_data.GetValue())) else: # Log failures for everything else # TODO(user): change this to yield a ParserAnomaly object. dest_type = type(services[service_name].Get( field_map[key])) logging.debug( "Wrong type set for %s:%s, expected %s, got %s", stat.pathspec.path, stat.registry_data.GetValue(), dest_type, type(stat.registry_data.GetValue())) return itervalues(services)
def testExportsValueCoorrectly(self): sample = rdf_client.WindowsServiceInformation( name="foo", description="bar", state="somestate", wmi_information={ "c": "d", "a": "b" }, display_name="some name", driver_package_id="1234", error_control=rdf_client.WindowsServiceInformation.ErrorControl. NORMAL, image_path="/foo/bar", object_name="an object", startup_type=rdf_client.WindowsServiceInformation.ServiceMode. SERVICE_AUTO_START, service_type=rdf_client.WindowsServiceInformation.ServiceType. SERVICE_FILE_SYSTEM_DRIVER, group_name="somegroup", service_dll="somedll", registry_key="somekey", ) converter = windows_service_info.WindowsServiceInformationConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 1) c = converted[0] self.assertIsInstance( c, windows_service_info.ExportedWindowsServiceInformation) self.assertEqual(c.metadata, self.metadata) self.assertEqual(c.name, "foo") self.assertEqual(c.description, "bar") self.assertEqual(c.state, "somestate") self.assertEqual(c.wmi_information, "a=b,c=d") self.assertEqual(c.display_name, "some name") self.assertEqual(c.driver_package_id, "1234") self.assertEqual(c.error_control, 1) self.assertEqual(c.image_path, "/foo/bar") self.assertEqual(c.object_name, "an object") self.assertEqual(c.startup_type, 2) self.assertEqual(c.service_type, 0x2) self.assertEqual(c.group_name, "somegroup") self.assertEqual(c.service_dll, "somedll") self.assertEqual(c.registry_key, "somekey")
def testParse(self): parser = windows_persistence.WindowsPersistenceMechanismsParser() path = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion" r"\Run\test") pathspec = rdf_paths.PathSpec( path=path, pathtype=rdf_paths.PathSpec.PathType.REGISTRY) reg_data = "C:\\blah\\some.exe /v" reg_type = rdf_client_fs.StatEntry.RegistryType.REG_SZ stat = rdf_client_fs.StatEntry( pathspec=pathspec, registry_type=reg_type, registry_data=rdf_protodict.DataBlob(string=reg_data)) persistence = [stat] image_paths = [ "system32\\drivers\\ACPI.sys", "%systemroot%\\system32\\svchost.exe -k netsvcs", "\\SystemRoot\\system32\\drivers\\acpipmi.sys" ] reg_key = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/AcpiPmi" for path in image_paths: serv_info = rdf_client.WindowsServiceInformation( name="blah", display_name="GRRservice", image_path=path, registry_key=reg_key) persistence.append(serv_info) knowledge_base = rdf_client.KnowledgeBase() knowledge_base.environ_systemroot = "C:\\Windows" expected = [ "C:\\blah\\some.exe", "C:\\Windows\\system32\\drivers\\ACPI.sys", "C:\\Windows\\system32\\svchost.exe", "C:\\Windows\\system32\\drivers\\acpipmi.sys" ] for index, item in enumerate(persistence): results = list( parser.Parse(item, knowledge_base, rdf_paths.PathSpec.PathType.OS)) self.assertEqual(results[0].pathspec.path, expected[index]) self.assertEqual(len(results), 1)
def testExportsEmptyValueCorrectly(self): sample = rdf_client.WindowsServiceInformation() converter = windows_service_info.WindowsServiceInformationConverter() converted = list(converter.Convert(self.metadata, sample)) self.assertLen(converted, 1) c = converted[0] self.assertEqual(c.metadata, self.metadata) self.assertEqual(c.name, "") self.assertEqual(c.description, "") self.assertEqual(c.state, "") self.assertEqual(c.wmi_information, "") self.assertEqual(c.display_name, "") self.assertEqual(c.driver_package_id, "") self.assertEqual(c.error_control, 0) self.assertEqual(c.image_path, "") self.assertEqual(c.object_name, "") self.assertEqual(c.startup_type, 0) self.assertEqual(c.service_type, 0) self.assertEqual(c.group_name, "") self.assertEqual(c.service_dll, "") self.assertEqual(c.registry_key, "")