193 lines
7.2 KiB
Python
193 lines
7.2 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright 2014 The Plaso Project Authors.
|
|
# Please see the AUTHORS file for details on individual authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Tests for the windows services analysis plugin."""
|
|
|
|
import argparse
|
|
import unittest
|
|
|
|
from dfvfs.path import fake_path_spec
|
|
|
|
from plaso.analysis import test_lib
|
|
from plaso.analysis import windows_services
|
|
from plaso.engine import queue
|
|
from plaso.engine import single_process
|
|
from plaso.events import windows_events
|
|
from plaso.parsers import winreg
|
|
|
|
|
|
class WindowsServicesTest(test_lib.AnalysisPluginTestCase):
|
|
"""Tests for the Windows Services analysis plugin."""
|
|
|
|
SERVICE_EVENTS = [
|
|
{u'path': u'\\ControlSet001\\services\\TestbDriver',
|
|
u'text_dict': {u'ImagePath': u'C:\\Dell\\testdriver.sys', u'Type': 2,
|
|
u'Start': 2, u'ObjectName': u''},
|
|
u'timestamp': 1346145829002031},
|
|
# This is almost the same, but different timestamp and source, so that
|
|
# we can test the service de-duplication.
|
|
{u'path': u'\\ControlSet003\\services\\TestbDriver',
|
|
u'text_dict': {u'ImagePath': u'C:\\Dell\\testdriver.sys', u'Type': 2,
|
|
u'Start': 2, u'ObjectName': u''},
|
|
u'timestamp': 1346145839002031},
|
|
]
|
|
|
|
def _CreateAnalysisPlugin(self, input_queue, output_mode):
|
|
"""Create an analysis plugin to test with.
|
|
|
|
Args:
|
|
input_queue: A queue the plugin will read events from.
|
|
output_mode: The output format the plugin will use.
|
|
Valid options are 'text' and 'yaml'.
|
|
|
|
Returns:
|
|
An instance of AnalyzeWindowsServicesPlugin.
|
|
"""
|
|
argument_parser = argparse.ArgumentParser()
|
|
plugin_args = windows_services.AnalyzeWindowsServicesPlugin.ARGUMENTS
|
|
for parameter, config in plugin_args:
|
|
argument_parser.add_argument(parameter, **config)
|
|
arguments = ['--windows-services-output', output_mode]
|
|
options = argument_parser.parse_args(arguments)
|
|
analysis_plugin = windows_services.AnalyzeWindowsServicesPlugin(
|
|
input_queue, options)
|
|
return analysis_plugin
|
|
|
|
|
|
def _CreateTestEventObject(self, service_event):
|
|
"""Create a test event object with a particular path.
|
|
|
|
Args:
|
|
service_event: A hash containing attributes of an event to add to the
|
|
queue.
|
|
|
|
Returns:
|
|
An EventObject representing the service to be created.
|
|
"""
|
|
test_pathspec = fake_path_spec.FakePathSpec(
|
|
location=u'C:\\WINDOWS\\system32\\SYSTEM')
|
|
event_object = windows_events.WindowsRegistryServiceEvent(
|
|
service_event[u'timestamp'], service_event[u'path'],
|
|
service_event[u'text_dict'])
|
|
event_object.pathspec = test_pathspec
|
|
return event_object
|
|
|
|
def testSyntheticKeysText(self):
|
|
"""Test the plugin against mock events."""
|
|
event_queue = single_process.SingleProcessQueue()
|
|
|
|
# Fill the incoming queue with events.
|
|
test_queue_producer = queue.ItemQueueProducer(event_queue)
|
|
events = [self._CreateTestEventObject(service_event)
|
|
for service_event
|
|
in self.SERVICE_EVENTS]
|
|
test_queue_producer.ProduceItems(events)
|
|
test_queue_producer.SignalEndOfInput()
|
|
|
|
# Initialize plugin.
|
|
analysis_plugin = self._CreateAnalysisPlugin(event_queue, u'text')
|
|
|
|
# Run the analysis plugin.
|
|
knowledge_base = self._SetUpKnowledgeBase()
|
|
analysis_report_queue_consumer = self._RunAnalysisPlugin(
|
|
analysis_plugin, knowledge_base)
|
|
analysis_reports = self._GetAnalysisReportsFromQueue(
|
|
analysis_report_queue_consumer)
|
|
|
|
self.assertEquals(len(analysis_reports), 1)
|
|
|
|
analysis_report = analysis_reports[0]
|
|
|
|
expected_text = (
|
|
u'Listing Windows Services\n'
|
|
u'TestbDriver\n'
|
|
u'\tImage Path = C:\\Dell\\testdriver.sys\n'
|
|
u'\tService Type = File System Driver (0x2)\n'
|
|
u'\tStart Type = Auto Start (2)\n'
|
|
u'\tService Dll = \n'
|
|
u'\tObject Name = \n'
|
|
u'\tSources:\n'
|
|
u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
|
|
u'\\ControlSet001\\services\\TestbDriver\n'
|
|
u'\t\tC:\\WINDOWS\\system32\\SYSTEM:'
|
|
u'\\ControlSet003\\services\\TestbDriver\n\n')
|
|
|
|
self.assertEquals(expected_text, analysis_report.text)
|
|
self.assertEquals(analysis_report.plugin_name, 'windows_services')
|
|
|
|
def testRealEvents(self):
|
|
"""Test the plugin with text output against real events from the parser."""
|
|
parser = winreg.WinRegistryParser()
|
|
# We could remove the non-Services plugins, but testing shows that the
|
|
# performance gain is negligible.
|
|
|
|
knowledge_base = self._SetUpKnowledgeBase()
|
|
test_path = self._GetTestFilePath(['SYSTEM'])
|
|
event_queue = self._ParseFile(parser, test_path, knowledge_base)
|
|
|
|
# Run the analysis plugin.
|
|
analysis_plugin = self._CreateAnalysisPlugin(event_queue, u'text')
|
|
analysis_report_queue_consumer = self._RunAnalysisPlugin(
|
|
analysis_plugin, knowledge_base)
|
|
analysis_reports = self._GetAnalysisReportsFromQueue(
|
|
analysis_report_queue_consumer)
|
|
|
|
report = analysis_reports[0]
|
|
text = report.text
|
|
|
|
# We'll check that a few strings are in the report, like they're supposed
|
|
# to be, rather than checking for the exact content of the string,
|
|
# as that's dependent on the full path to the test files.
|
|
test_strings = [u'1394ohci', u'WwanSvc', u'Sources:', u'ControlSet001',
|
|
u'ControlSet002']
|
|
for string in test_strings:
|
|
self.assertTrue(string in text)
|
|
|
|
def testRealEventsYAML(self):
|
|
"""Test the plugin with YAML output against real events from the parser."""
|
|
parser = winreg.WinRegistryParser()
|
|
# We could remove the non-Services plugins, but testing shows that the
|
|
# performance gain is negligible.
|
|
|
|
knowledge_base = self._SetUpKnowledgeBase()
|
|
test_path = self._GetTestFilePath(['SYSTEM'])
|
|
event_queue = self._ParseFile(parser, test_path, knowledge_base)
|
|
|
|
# Run the analysis plugin.
|
|
analysis_plugin = self._CreateAnalysisPlugin(event_queue, 'yaml')
|
|
analysis_report_queue_consumer = self._RunAnalysisPlugin(
|
|
analysis_plugin, knowledge_base)
|
|
analysis_reports = self._GetAnalysisReportsFromQueue(
|
|
analysis_report_queue_consumer)
|
|
|
|
report = analysis_reports[0]
|
|
text = report.text
|
|
|
|
# We'll check that a few strings are in the report, like they're supposed
|
|
# to be, rather than checking for the exact content of the string,
|
|
# as that's dependent on the full path to the test files.
|
|
test_strings = [windows_services.WindowsService.yaml_tag, u'1394ohci',
|
|
u'WwanSvc', u'ControlSet001', u'ControlSet002']
|
|
|
|
for string in test_strings:
|
|
self.assertTrue(string in text, u'{0:s} not found in report text'.format(
|
|
string))
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|