def _CreateTestKey(self, key_path, time_string):
  """Creates a fake Registry key holding two MRU string entries for testing.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'Default', key_path=key_path, last_written_time=filetime.timestamp,
      offset=1456)

  # (value name, text payload, value offset); the text is stored as
  # UTF-16-LE, the on-disk encoding of a REG_SZ value.
  mru_entries = (
      (u'MRU0', u'192.168.16.60', 1892),
      (u'MRU1', u'computer.domain.com', 612))
  for value_name, text, value_offset in mru_entries:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode(u'utf_16_le'),
        data_type=dfwinreg_definitions.REG_SZ, offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake CurrentVersion Registry key for testing.

  The key carries the string values CSDVersion, CurrentVersion, ProductName
  and RegisteredOwner plus a little-endian DWORD InstallDate value.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'CurrentVersion', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  # (value name, raw data, data type, value offset) in insertion order.
  value_specs = (
      (u'CSDVersion', u'Service Pack 1'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ, 1892),
      (u'CurrentVersion', u'5.1'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ, 1121),
      # Raw little-endian DWORD; the bytes are used as-is.
      (u'InstallDate', b'\x13\x1aAP',
       dfwinreg_definitions.REG_DWORD_LITTLE_ENDIAN, 1001),
      (u'ProductName', u'MyTestOS'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ, 123),
      (u'RegisteredOwner', u'A Concerned Citizen'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ, 612))

  for value_name, value_data, value_type, value_offset in value_specs:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=value_data, data_type=value_type,
        offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake Registry key with an MRUList and its entries for testing.

  Entry 'b' holds a UTF-16-LE string but is typed REG_BINARY, presumably so
  that the consumer's handling of a mistyped MRU entry is exercised.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'TimeZoneInformation', key_path=key_path,
      last_written_time=filetime.timestamp, offset=1456)

  # (value name, text payload, data type, value offset) in insertion order.
  value_specs = (
      (u'MRUList', u'acb', dfwinreg_definitions.REG_SZ, 123),
      (u'a', u'Some random text here', dfwinreg_definitions.REG_SZ, 1892),
      (u'b', u'c:/evil.exe', dfwinreg_definitions.REG_BINARY, 612),
      (u'c', u'C:/looks_legit.exe', dfwinreg_definitions.REG_SZ, 1001))

  for value_name, text, value_type, value_offset in value_specs:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode(u'utf_16_le'), data_type=value_type,
        offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake Search Registry key with one DWORD value for testing.

  The single value is named after an Outlook profile path and carries a raw
  4-byte REG_DWORD payload.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'Search', key_path=key_path, last_written_time=filetime.timestamp,
      offset=1456)

  profile_value_name = (
      u'C:\\Users\\username\\AppData\\Local\\Microsoft\\Outlook\\'
      u'*****@*****.**')
  profile_value = dfwinreg_fake.FakeWinRegistryValue(
      profile_value_name, data=b'\xcf\x2b\x37\x00',
      data_type=dfwinreg_definitions.REG_DWORD, offset=1892)
  registry_key.AddValue(profile_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake Servers Registry key with one server subkey for testing.

  The subkey 'myserver.com' holds a single UsernameHint string value; both
  the key and the subkey share the same last written time.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  last_written = filetime.timestamp

  servers_key = dfwinreg_fake.FakeWinRegistryKey(
      u'Servers', key_path=key_path, last_written_time=last_written,
      offset=865)

  # The subkey is created without a key_path, as in the original fixture.
  host_key = dfwinreg_fake.FakeWinRegistryKey(
      u'myserver.com', last_written_time=last_written, offset=1456)
  hint_value = dfwinreg_fake.FakeWinRegistryValue(
      u'UsernameHint', data=u'DOMAIN\\username'.encode(u'utf_16_le'),
      data_type=dfwinreg_definitions.REG_SZ, offset=1892)
  host_key.AddValue(hint_value)

  servers_key.AddSubkey(host_key)
  return servers_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake BootVerificationProgram Registry key for testing.

  The key holds one ImagePath string value pointing at an executable under
  the system directory.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'BootVerificationProgram', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  image_path = u'C:\\WINDOWS\\system32\\googleupdater.exe'
  image_path_value = dfwinreg_fake.FakeWinRegistryValue(
      u'ImagePath', data=image_path.encode(u'utf_16_le'),
      data_type=dfwinreg_definitions.REG_SZ, offset=123)
  registry_key.AddValue(image_path_value)

  return registry_key
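def _CreateTestKey(self, key_path, time_string):
  """Creates MRUList Registry keys and values for testing.

  The key holds an MRUList string value and one binary entry 'a'. The entry
  bytes contain the ASCII path components Winnt, Profiles, Administrator,
  ADMINI~1 and Desktop.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'DesktopStreamMRU', key_path=key_path,
      last_written_time=filetime.timestamp, offset=1456)

  value_data = u'a'.encode(u'utf_16_le')
  registry_value = dfwinreg_fake.FakeWinRegistryValue(
      u'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_SZ,
      offset=123)
  registry_key.AddValue(registry_value)

  # bytes(bytearray(...)) yields a byte string on both Python 2 and 3; the
  # previous b''.join(map(chr, ...)) only works on Python 2, where chr()
  # returns a byte string.
  value_data = bytes(bytearray([
      0x14, 0x00, 0x1f, 0x00, 0xe0, 0x4f, 0xd0, 0x20, 0xea, 0x3a, 0x69, 0x10,
      0xa2, 0xd8, 0x08, 0x00, 0x2b, 0x30, 0x30, 0x9d, 0x19, 0x00, 0x23, 0x43,
      0x3a, 0x5c, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x11, 0xee, 0x15, 0x00, 0x31,
      0x00, 0x00, 0x00, 0x00, 0x00, 0x2e, 0x3e, 0x7a, 0x60, 0x10, 0x80, 0x57,
      0x69, 0x6e, 0x6e, 0x74, 0x00, 0x00, 0x18, 0x00, 0x31, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x50, 0x72, 0x6f, 0x66,
      0x69, 0x6c, 0x65, 0x73, 0x00, 0x00, 0x25, 0x00, 0x31, 0x00, 0x00, 0x00,
      0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x41, 0x64, 0x6d, 0x69,
      0x6e, 0x69, 0x73, 0x74, 0x72, 0x61, 0x74, 0x6f, 0x72, 0x00, 0x41, 0x44,
      0x4d, 0x49, 0x4e, 0x49, 0x7e, 0x31, 0x00, 0x17, 0x00, 0x31, 0x00, 0x00,
      0x00, 0x00, 0x00, 0x2e, 0x3e, 0xe4, 0x62, 0x10, 0x00, 0x44, 0x65, 0x73,
      0x6b, 0x74, 0x6f, 0x70, 0x00, 0x00, 0x00, 0x00]))
  registry_value = dfwinreg_fake.FakeWinRegistryValue(
      u'a', data=value_data, data_type=dfwinreg_definitions.REG_BINARY,
      offset=612)
  registry_key.AddValue(registry_value)

  return registry_key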
def _CreateTestKey(self, key_path, time_string):
  """Creates WinRAR ArcHistory Registry keys and values for testing.

  Two string values, '0' and '1', each hold an archive path.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'ArcHistory', key_path=key_path, last_written_time=filetime.timestamp,
      offset=1456)

  # (value name, archive path, value offset) in insertion order.
  history_entries = (
      (u'0', u'C:\\Downloads\\The Sleeping Dragon CD1.iso', 1892),
      (u'1', u'C:\\Downloads\\plaso-static.rar', 612))
  for value_name, archive_path, value_offset in history_entries:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=archive_path.encode(u'utf_16_le'),
        data_type=dfwinreg_definitions.REG_SZ, offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, time_string, binary_data):
  """Creates a fake AppCompatCache Registry key for testing.

  The key path is fixed to the ControlSet001 Session Manager location and
  the caller-supplied bytes become the REG_BINARY AppCompatCache value.

  Args:
    time_string: string containing the key last written date and time.
    binary_data: the binary data of the AppCompatCache Registry value.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)

  cache_key = dfwinreg_fake.FakeWinRegistryKey(
      u'AppCompatCache',
      key_path=u'\\ControlSet001\\Control\\Session Manager\\AppCompatCache',
      last_written_time=filetime.timestamp, offset=1456)

  # No offset is given for the value, unlike the key above.
  cache_value = dfwinreg_fake.FakeWinRegistryValue(
      u'AppCompatCache', data=binary_data,
      data_type=dfwinreg_definitions.REG_BINARY)
  cache_key.AddValue(cache_value)

  return cache_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake TimeZoneInformation Registry key for testing.

  Besides the bias, name and start values of a time zone, the key carries a
  stray string value '1' with an archive path; only that value is given an
  explicit offset.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'TimeZoneInformation', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  stray_value = dfwinreg_fake.FakeWinRegistryValue(
      u'1', data=u'C:\\Downloads\\plaso-static.rar'.encode(u'utf_16_le'),
      data_type=dfwinreg_definitions.REG_SZ, offset=612)
  registry_key.AddValue(stray_value)

  big_endian_dword = dfwinreg_definitions.REG_DWORD_BIG_ENDIAN
  minus_60_bias = b'\xff\xff\xff\xc4'
  zero_dword = b'\x00\x00\x00\x00'

  # (value name, raw data, data type) in insertion order; none of these
  # values is given an offset.
  value_specs = (
      (u'ActiveTimeBias', minus_60_bias, big_endian_dword),
      (u'Bias', minus_60_bias, big_endian_dword),
      (u'DaylightBias', minus_60_bias, big_endian_dword),
      (u'DaylightName', u'@tzres.dll,-321'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ),
      (u'DaylightStart',
       b'\x00\x00\x03\x00\x05\x00\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00',
       dfwinreg_definitions.REG_BINARY),
      (u'DynamicDaylightTimeDisabled', zero_dword, big_endian_dword),
      (u'StandardBias', zero_dword, big_endian_dword),
      (u'StandardName', u'@tzres.dll,-322'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ),
      (u'StandardStart',
       b'\x00\x00\x0A\x00\x05\x00\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00',
       dfwinreg_definitions.REG_BINARY),
      (u'TimeZoneKeyName', u'W. Europe Standard Time'.encode(u'utf_16_le'),
       dfwinreg_definitions.REG_SZ))

  for value_name, value_data, value_type in value_specs:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=value_data, data_type=value_type)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake service/driver Registry key 'TestDriver' for testing.

  The key carries the DWORD values Type, Start and ErrorControl followed by
  the string values Group, DisplayName, DriverPackageId and ImagePath.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'TestDriver', key_path=key_path, last_written_time=filetime.timestamp,
      offset=1456)

  dword = dfwinreg_definitions.REG_DWORD
  string = dfwinreg_definitions.REG_SZ

  # (value name, raw data, data type, value offset) in insertion order.
  value_specs = (
      (u'Type', b'\x02\x00\x00\x00', dword, 123),
      (u'Start', b'\x02\x00\x00\x00', dword, 127),
      (u'ErrorControl', b'\x01\x00\x00\x00', dword, 131),
      (u'Group', u'Pnp Filter'.encode(u'utf_16_le'), string, 140),
      (u'DisplayName', u'Test Driver'.encode(u'utf_16_le'), string, 160),
      (u'DriverPackageId',
       u'testdriver.inf_x86_neutral_dd39b6b0a45226c4'.encode(u'utf_16_le'),
       string, 180),
      (u'ImagePath', u'C:\\Dell\\testdriver.sys'.encode(u'utf_16_le'),
       string, 200))

  for value_name, value_data, value_type, value_offset in value_specs:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=value_data, data_type=value_type,
        offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key
def _CreateTestKey(self, key_path, time_string):
  """Creates a fake 'Session Manager' Registry key for testing.

  BootExecute and ExcludeFromKnownDlls are stored as REG_MULTI_SZ with an
  embedded NUL terminator in the text; every other value is a REG_SZ string.

  Args:
    key_path: the Windows Registry key path.
    time_string: string containing the key last written date and time.

  Returns:
    A Windows Registry key (instance of dfwinreg.WinRegistryKey).
  """
  filetime = dfwinreg_fake.Filetime()
  filetime.CopyFromString(time_string)
  registry_key = dfwinreg_fake.FakeWinRegistryKey(
      u'Session Manager', key_path=key_path,
      last_written_time=filetime.timestamp, offset=153)

  multi_string = dfwinreg_definitions.REG_MULTI_SZ
  string = dfwinreg_definitions.REG_SZ

  # (value name, text payload, data type, value offset) in insertion order;
  # the text is encoded UTF-16-LE before it is stored.
  value_specs = (
      (u'BootExecute', u'autocheck autochk *\x00', multi_string, 123),
      (u'CriticalSectionTimeout', u'2592000', string, 153),
      (u'ExcludeFromKnownDlls', u'\x00', multi_string, 163),
      (u'GlobalFlag', u'0', string, 173),
      (u'HeapDeCommitFreeBlockThreshold', u'0', string, 183),
      (u'HeapDeCommitTotalFreeThreshold', u'0', string, 203),
      (u'HeapSegmentCommit', u'0', string, 213),
      (u'HeapSegmentReserve', u'0', string, 223),
      (u'NumberOfInitialSessions', u'2', string, 243))

  for value_name, text, value_type, value_offset in value_specs:
    registry_value = dfwinreg_fake.FakeWinRegistryValue(
        value_name, data=text.encode(u'utf_16_le'), data_type=value_type,
        offset=value_offset)
    registry_key.AddValue(registry_value)

  return registry_key