plaso-rubanetra/plaso/parsers/winreg_plugins/msie_zones_test.py

385 lines
16 KiB
Python
Raw Normal View History

2020-04-06 16:48:34 +00:00
#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for the MSIE Zone settings Windows Registry plugin."""
import unittest
# pylint: disable=unused-import
from plaso.formatters import winreg as winreg_formatter
from plaso.lib import timelib_test
from plaso.parsers.winreg_plugins import msie_zones
from plaso.parsers.winreg_plugins import test_lib
class MsieZoneSettingsSoftwareZonesPluginTest(test_lib.RegistryPluginTestCase):
"""Tests for Internet Settings Zones plugin on the Software hive."""
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._plugin = msie_zones.MsieZoneSettingsSoftwareZonesPlugin()
self._test_file = self._GetTestFilePath(['SOFTWARE'])
def testProcessForZone(self):
"""Tests the Process function."""
key_path = u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones'
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 6)
event_object = event_objects[1]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEquals(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-08-28 21:32:44.937675')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
expected_value = u'0 (Allow)'
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = (
u'[{0:s}\\0 (My Computer)] '
u'[1001] Download signed ActiveX controls: 0 (Allow) '
u'[1004] Download unsigned ActiveX controls: 0 (Allow) '
u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
u'[1201] Initialize and script ActiveX controls not marked as safe: 1 '
u'(Prompt User) '
u'[1206] Allow scripting of IE Web browser control: 0 '
u'[1207] Reserved: 0 '
u'[1208] Allow previously unused ActiveX controls to run without '
u'prompt: 0 '
u'[1209] Allow Scriptlets: 0 '
u'[120A] Override Per-Site (domain-based) ActiveX restrictions: 0 '
u'[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
u'[1400] Active scripting: 0 (Allow) '
u'[1402] Scripting of Java applets: 0 (Allow) '
u'[1405] Script ActiveX controls marked as safe for scripting: 0 '
u'(Allow) '
u'[1406] Access data sources across domains: 0 (Allow) '
u'[1407] Allow Programmatic clipboard access: 0 (Allow) '
u'[1408] Reserved: 0 '
u'[1409] UNKNOWN: 3 '
u'[1601] Submit non-encrypted form data: 0 (Allow) '
u'[1604] Font download: 0 (Allow) '
u'[1605] Run Java: 0 '
u'[1606] Userdata persistence: 0 (Allow) '
u'[1607] Navigate sub-frames across different domains: 0 (Allow) '
u'[1608] Allow META REFRESH: 0 (Allow) '
u'[1609] Display mixed content: 1 (Prompt User) '
u'[160A] Include local directory path when uploading files to a '
u'server: 0 '
u'[1802] Drag and drop or copy and paste files: 0 (Allow) '
u'[1803] File Download: 0 (Allow) '
u'[1804] Launching programs and files in an IFRAME: 0 (Allow) '
u'[1805] Launching programs and files in webview: 0 '
u'[1806] Launching applications and unsafe files: 0 '
u'[1807] Reserved: 0 '
u'[1808] Reserved: 0 '
u'[1809] Use Pop-up Blocker: 3 (Not Allowed) '
u'[180A] Reserved: 0 '
u'[180C] Reserved: 0 '
u'[180D] Reserved: 0 '
u'[180E] UNKNOWN: 0 '
u'[180F] UNKNOWN: 0 '
u'[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
u'current user name and password) '
u'[1A02] Allow persistent cookies that are stored on your computer: 0 '
u'[1A03] Allow per-session cookies (not stored): 0 '
u'[1A04] Don\'t prompt for client cert selection when no certs exists: '
u'0 (Allow) '
u'[1A05] Allow 3rd party persistent cookies: 0 '
u'[1A06] Allow 3rd party session cookies: 0 '
u'[1A10] Privacy Settings: 0 '
u'[1C00] Java permissions: 0x00020000 (Medium safety) '
u'[2000] Binary and script behaviors: 0 (Allow) '
u'[2001] .NET: Run components signed with Authenticode: '
u'3 (Not Allowed) '
u'[2004] .NET: Run components not signed with Authenticode: '
u'3 (Not Allowed) '
u'[2005] UNKNOWN: 0 '
u'[2007] UNKNOWN: 3 '
u'[2100] Open files based on content, not file extension: 0 (Allow) '
u'[2101] Web sites in less privileged zone can navigate into this '
u'zone: 3 (Not Allowed) '
u'[2102] Allow script initiated windows without size/position '
u'constraints: 0 (Allow) '
u'[2103] Allow status bar updates via script: 0 '
u'[2104] Allow websites to open windows without address or status '
u'bars: 0 '
u'[2105] Allow websites to prompt for information using scripted '
u'windows: 0 '
u'[2106] UNKNOWN: 0 '
u'[2107] UNKNOWN: 0 '
u'[2200] Automatic prompting for file downloads: 0 (Allow) '
u'[2201] Automatic prompting for ActiveX controls: 0 (Allow) '
u'[2300] Allow web pages to use restricted protocols for active '
u'content: 1 (Prompt User) '
u'[2301] Use Phishing Filter: 3 '
u'[2400] .NET: XAML browser applications: 0 '
u'[2401] .NET: XPS documents: 0 '
u'[2402] .NET: Loose XAML: 0 '
u'[2500] Turn on Protected Mode: 3 '
u'[2600] Enable .NET Framework setup: 0 '
u'[2700] UNKNOWN: 3 '
u'[2701] UNKNOWN: 0 '
u'[2702] UNKNOWN: 3 '
u'[2703] UNKNOWN: 3 '
u'[2708] UNKNOWN: 0 '
u'[2709] UNKNOWN: 0 '
u'[CurrentLevel]: 0 '
u'[Description]: Your computer '
u'[DisplayName]: Computer '
u'[Flags]: 33 '
u'[Icon]: shell32.dll#0016 '
u'[LowIcon]: inetcpl.cpl#005422 '
u'[PMDisplayName]: Computer '
u'[Protected Mode]').format(key_path)
expected_msg_short = u'[{0:s}\\0 (My Computer)] [...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessForLockDown(self):
"""Tests the Process function for the lockdown zone key."""
key_path = (
u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
u'\\Lockdown_Zones')
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 6)
event_object = event_objects[1]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEquals(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-08-28 21:32:44.937675')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
expected_value = u'3 (Not Allowed)'
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = (
u'[{0:s}\\0 (My Computer)] '
u'[1001] Download signed ActiveX controls: 1 (Prompt User) '
u'[1004] Download unsigned ActiveX controls: 3 (Not Allowed) '
u'[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
u'[1201] Initialize and script ActiveX controls not marked as safe: 3 '
u'(Not Allowed) '
u'[1206] Allow scripting of IE Web browser control: 0 '
u'[1207] Reserved: 3 '
u'[1208] Allow previously unused ActiveX controls to run without '
u'prompt: 3 '
u'[1209] Allow Scriptlets: 3 '
u'[120A] Override Per-Site (domain-based) ActiveX restrictions: 3 '
u'[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
u'[1400] Active scripting: 1 (Prompt User) '
u'[1402] Scripting of Java applets: 0 (Allow) '
u'[1405] Script ActiveX controls marked as safe for scripting: 0 '
u'(Allow) '
u'[1406] Access data sources across domains: 0 (Allow) '
u'[1407] Allow Programmatic clipboard access: 1 (Prompt User) '
u'[1408] Reserved: 3 '
u'[1409] UNKNOWN: 3 '
u'[1601] Submit non-encrypted form data: 0 (Allow) '
u'[1604] Font download: 0 (Allow) '
u'[1605] Run Java: 0 '
u'[1606] Userdata persistence: 0 (Allow) '
u'[1607] Navigate sub-frames across different domains: 0 (Allow) '
u'[1608] Allow META REFRESH: 0 (Allow) '
u'[1609] Display mixed content: 1 (Prompt User) '
u'[160A] Include local directory path when uploading files to a '
u'server: 0 '
u'[1802] Drag and drop or copy and paste files: 0 (Allow) '
u'[1803] File Download: 0 (Allow) '
u'[1804] Launching programs and files in an IFRAME: 0 (Allow) '
u'[1805] Launching programs and files in webview: 0 '
u'[1806] Launching applications and unsafe files: 0 '
u'[1807] Reserved: 0 '
u'[1808] Reserved: 0 '
u'[1809] Use Pop-up Blocker: 3 (Not Allowed) '
u'[180A] Reserved: 0 '
u'[180C] Reserved: 0 '
u'[180D] Reserved: 0 '
u'[180E] UNKNOWN: 0 '
u'[180F] UNKNOWN: 0 '
u'[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
u'current user name and password) '
u'[1A02] Allow persistent cookies that are stored on your computer: 0 '
u'[1A03] Allow per-session cookies (not stored): 0 '
u'[1A04] Don\'t prompt for client cert selection when no certs exists: '
u'3 (Not Allowed) '
u'[1A05] Allow 3rd party persistent cookies: 0 '
u'[1A06] Allow 3rd party session cookies: 0 '
u'[1A10] Privacy Settings: 0 '
u'[1C00] Java permissions: 0x00000000 (Disable Java) '
u'[2000] Binary and script behaviors: 0x00010000 '
u'(Administrator approved) '
u'[2005] UNKNOWN: 3 '
u'[2100] Open files based on content, not file extension: 3 '
u'(Not Allowed) '
u'[2101] Web sites in less privileged zone can navigate into this '
u'zone: 3 (Not Allowed) '
u'[2102] Allow script initiated windows without size/position '
u'constraints: '
u'3 (Not Allowed) '
u'[2103] Allow status bar updates via script: 3 '
u'[2104] Allow websites to open windows without address or status '
u'bars: 3 '
u'[2105] Allow websites to prompt for information using scripted '
u'windows: 3 '
u'[2106] UNKNOWN: 3 '
u'[2107] UNKNOWN: 3 '
u'[2200] Automatic prompting for file downloads: 3 (Not Allowed) '
u'[2201] Automatic prompting for ActiveX controls: 3 (Not Allowed) '
u'[2301] Use Phishing Filter: 3 '
u'[2400] .NET: XAML browser applications: 0 '
u'[2401] .NET: XPS documents: 0 '
u'[2402] .NET: Loose XAML: 0 '
u'[2500] Turn on Protected Mode: 3 '
u'[2600] Enable .NET Framework setup: 0 '
u'[2700] UNKNOWN: 3 '
u'[2701] UNKNOWN: 3 '
u'[2702] UNKNOWN: 3 '
u'[2703] UNKNOWN: 3 '
u'[2708] UNKNOWN: 0 '
u'[2709] UNKNOWN: 0 '
u'[CurrentLevel]: 0 '
u'[Description]: Your computer '
u'[DisplayName]: Computer '
u'[Flags]: 33 '
u'[Icon]: shell32.dll#0016 '
u'[LowIcon]: inetcpl.cpl#005422 '
u'[PMDisplayName]: Computer '
u'[Protected Mode]').format(key_path)
expected_msg_short = u'[{0:s}\\0 (My Com...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
class MsieZoneSettingsUserZonesPluginTest(test_lib.RegistryPluginTestCase):
"""Tests for Internet Settings Zones plugin on the User hive."""
def setUp(self):
"""Sets up the needed objects used throughout the test."""
self._plugin = msie_zones.MsieZoneSettingsPlugin()
self._test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
def testProcessForZone(self):
"""Tests the Process function."""
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
u'\\Zones')
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 6)
event_object = event_objects[1]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEquals(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-09-16 21:12:40.145514')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
expected_value = u'0 (Allow)'
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = (
u'[{0:s}\\0 (My Computer)] '
u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
u'[1400] Active scripting: 0 (Allow) '
u'[2001] .NET: Run components signed with Authenticode: 3 (Not '
u'Allowed) '
u'[2004] .NET: Run components not signed with Authenticode: 3 (Not '
u'Allowed) '
u'[2007] UNKNOWN: 3 '
u'[CurrentLevel]: 0 '
u'[Description]: Your computer '
u'[DisplayName]: Computer '
u'[Flags]: 33 [Icon]: shell32.dll#0016 '
u'[LowIcon]: inetcpl.cpl#005422 '
u'[PMDisplayName]: Computer '
u'[Protected Mode]').format(key_path)
expected_msg_short = u'[{0:s}\\0 (My Com...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
def testProcessForLockDown(self):
"""Tests the Process function."""
key_path = (
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
u'\\Lockdown_Zones')
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
self.assertEquals(len(event_objects), 6)
event_object = event_objects[1]
# This should just be the plugin name, as we're invoking it directly,
# and not through the parser.
self.assertEquals(event_object.parser, self._plugin.plugin_name)
expected_timestamp = timelib_test.CopyStringToTimestamp(
'2011-09-16 21:12:40.145514')
self.assertEquals(event_object.timestamp, expected_timestamp)
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
expected_value = u'3 (Not Allowed)'
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
expected_msg = (
u'[{0:s}\\0 (My Computer)] '
u'[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
u'[1400] Active scripting: 1 (Prompt User) '
u'[CurrentLevel]: 0 '
u'[Description]: Your computer '
u'[DisplayName]: Computer '
u'[Flags]: 33 '
u'[Icon]: shell32.dll#0016 '
u'[LowIcon]: inetcpl.cpl#005422 '
u'[PMDisplayName]: Computer '
u'[Protected Mode]').format(key_path)
expected_msg_short = u'[{0:s}\\...'.format(key_path)
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
if __name__ == '__main__':
unittest.main()