#!/usr/bin/python
# -*- coding: utf-8 -*-
#
# Copyright 2013 The Plaso Project Authors.
# Please see the AUTHORS file for details on individual authors.
#
# Licensed under the Apache License, Version 2.0 (the "License");
# you may not use this file except in compliance with the License.
# You may obtain a copy of the License at
#
# http://www.apache.org/licenses/LICENSE-2.0
#
# Unless required by applicable law or agreed to in writing, software
# distributed under the License is distributed on an "AS IS" BASIS,
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
# See the License for the specific language governing permissions and
# limitations under the License.
"""Tests for the Windows prefetch parser."""
import unittest
# pylint: disable=unused-import
from plaso.formatters import winprefetch as winprefetch_formatter
from plaso.lib import eventdata
from plaso.lib import timelib_test
from plaso.parsers import test_lib
from plaso.parsers import winprefetch
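class WinPrefetchParserTest(test_lib.ParserTestCase):
  """Tests for the Windows prefetch parser.

  Each test parses one known-good sample of a prefetch format version
  (17, 23 and 26) and pins what the parser emits for it: the executable's
  last run event(s) and one volume creation event per referenced volume,
  plus the formatter's long and short message strings where they are
  checked.

  NOTE(review): every fixture here is a well-formed sample; nothing in this
  module exercises a truncated or otherwise malformed prefetch file, which a
  parser run over untrusted evidence must also survive without raising.
  """

  def setUp(self):
    """Sets up the needed objects used throughout the test."""
    self._parser = winprefetch.WinPrefetchParser()

  def testParse17(self):
    """Tests the Parse function on a version 17 Prefetch file.

    Pins the last run timestamp, executable name, prefetch hash, volume
    serial number and the full mapped file list, then the volume creation
    event and its formatted messages.
    """
    test_file = self._GetTestFilePath(['CMD.EXE-087B4001.pf'])
    event_queue_consumer = self._ParseFile(self._parser, test_file)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    # One volume creation event plus one last run event.
    self.assertEqual(len(event_objects), 2)

    # The prefetch last run event.
    event_object = event_objects[1]

    self.assertEqual(event_object.version, 17)

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2013-03-10 10:11:49.281250')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

    self.assertEqual(event_object.executable, u'CMD.EXE')
    # The hash is the value embedded in the file name (CMD.EXE-087B4001.pf).
    self.assertEqual(event_object.prefetch_hash, 0x087b4001)
    # The serial number is stored as an int; the formatter renders it as hex.
    self.assertEqual(event_object.volume_serial_numbers[0], 0x24cb074b)

    expected_mapped_files = [
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\KERNEL32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\UNICODE.NLS',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\LOCALE.NLS',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SORTTBLS.NLS',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSVCRT.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CMD.EXE',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\USER32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\GDI32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SHIMENG.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\APPPATCH\\SYSMAIN.SDB',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\APPPATCH\\ACGENRAL.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\RPCRT4.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\WINMM.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\OLE32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\MSACM32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\VERSION.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SHELL32.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SHLWAPI.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\USERENV.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\UXTHEME.DLL',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\CTYPE.NLS',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\SORTKEY.NLS',
        (u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\WINSXS\\X86_MICROSOFT.WINDOWS.'
         u'COMMON-CONTROLS_6595B64144CCF1DF_6.0.2600.2180_X-WW_A84F1FF9\\'
         u'COMCTL32.DLL'),
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\WINDOWSSHELL.MANIFEST',
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\COMCTL32.DLL',
        (u'\\DEVICE\\HARDDISKVOLUME1\\D50FF1E628137B1A251B47AB9466\\UPDATE\\'
         u'UPDATE.EXE.MANIFEST'),
        u'\\DEVICE\\HARDDISKVOLUME1\\$MFT',
        (u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\IE7\\SPUNINST\\SPUNINST.EXE.'
         u'MANIFEST'),
        (u'\\DEVICE\\HARDDISKVOLUME1\\D50FF1E628137B1A251B47AB9466\\UPDATE\\'
         u'IERESETICONS.EXE'),
        u'\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\IE7\\SPUNINST\\IERESETICONS.EXE']

    # Order matters: the list is compared as-is, so it must match the order
    # of the entries in the sample file.
    self.assertEqual(event_object.mapped_files, expected_mapped_files)

    # The volume creation event.
    event_object = event_objects[0]

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2013-03-10 10:19:46.234375')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)

    expected_msg = (
        u'\\DEVICE\\HARDDISKVOLUME1 '
        u'Serial number: 0x24CB074B '
        u'Origin: CMD.EXE-087B4001.pf')
    expected_msg_short = (
        u'\\DEVICE\\HARDDISKVOLUME1 '
        u'Origin: CMD.EXE-087B4001.pf')

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)

  def testParse23(self):
    """Tests the Parse function on a version 23 Prefetch file.

    Version 23 adds the executable path, run count and per-volume device
    paths, which are pinned here along with the formatted messages.
    """
    test_file = self._GetTestFilePath(['PING.EXE-B29F6629.pf'])
    event_queue_consumer = self._ParseFile(self._parser, test_file)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    # One volume creation event plus one last run event.
    self.assertEqual(len(event_objects), 2)

    # The prefetch last run event.
    event_object = event_objects[1]

    self.assertEqual(event_object.version, 23)

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2012-04-06 19:00:55.932955')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

    self.assertEqual(event_object.executable, u'PING.EXE')
    self.assertEqual(event_object.prefetch_hash, 0xb29f6629)
    self.assertEqual(
        event_object.path, u'\\WINDOWS\\SYSTEM32\\PING.EXE')
    self.assertEqual(event_object.run_count, 14)
    self.assertEqual(
        event_object.volume_device_paths[0], u'\\DEVICE\\HARDDISKVOLUME1')
    self.assertEqual(event_object.volume_serial_numbers[0], 0xac036525)

    expected_msg = (
        u'Prefetch [PING.EXE] was executed - run count 14 path: '
        u'\\WINDOWS\\SYSTEM32\\PING.EXE '
        u'hash: 0xB29F6629 '
        u'volume: 1 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUME1]')
    expected_msg_short = u'PING.EXE was run 14 time(s)'

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)

    # The volume creation event.
    event_object = event_objects[0]

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2010-11-10 17:37:26.484375')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)

  def testParse23MultiVolume(self):
    """Tests the Parse function on a multi volume version 23 Prefetch file.

    The sample references five volumes (a hard disk volume and four shadow
    copies), so five volume creation events precede the last run event, and
    the long message lists every volume.
    """
    test_file = self._GetTestFilePath(['WUAUCLT.EXE-830BCC14.pf'])
    event_queue_consumer = self._ParseFile(self._parser, test_file)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    # Five volume creation events plus one last run event.
    self.assertEqual(len(event_objects), 6)

    # The prefetch last run event.
    event_object = event_objects[5]

    self.assertEqual(event_object.version, 23)

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2012-03-15 21:17:39.807996')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

    self.assertEqual(event_object.executable, u'WUAUCLT.EXE')
    self.assertEqual(event_object.prefetch_hash, 0x830bcc14)
    self.assertEqual(
        event_object.path, u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE')
    self.assertEqual(event_object.run_count, 25)
    self.assertEqual(
        event_object.volume_device_paths[0], u'\\DEVICE\\HARDDISKVOLUME1')
    self.assertEqual(event_object.volume_serial_numbers[0], 0xac036525)

    # All five volumes carry the same serial number in this sample; only the
    # device path distinguishes the shadow copies from the live volume.
    expected_msg = (
        u'Prefetch [WUAUCLT.EXE] was executed - run count 25 path: '
        u'\\WINDOWS\\SYSTEM32\\WUAUCLT.EXE '
        u'hash: 0x830BCC14 '
        u'volume: 1 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUME1], '
        u'volume: 2 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY2], '
        u'volume: 3 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY4], '
        u'volume: 4 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY7], '
        u'volume: 5 [serial number: 0xAC036525, '
        u'device path: \\DEVICE\\HARDDISKVOLUMESHADOWCOPY8]')
    expected_msg_short = u'WUAUCLT.EXE was run 25 time(s)'

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)

    # The volume creation event.
    event_object = event_objects[0]

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2010-11-10 17:37:26.484375')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)

    expected_msg = (
        u'\\DEVICE\\HARDDISKVOLUME1 '
        u'Serial number: 0xAC036525 '
        u'Origin: WUAUCLT.EXE-830BCC14.pf')
    expected_msg_short = (
        u'\\DEVICE\\HARDDISKVOLUME1 '
        u'Origin: WUAUCLT.EXE-830BCC14.pf')

    self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)

  def testParse26(self):
    """Tests the Parse function on a version 26 Prefetch file.

    Version 26 keeps more than one last run time; the parser emits the older
    one as a separate event whose timestamp description is prefixed with
    'Previous'. Mapped file entries may also carry the MFT entry and
    sequence number of the referenced file.
    """
    test_file = self._GetTestFilePath(['TASKHOST.EXE-3AE259FC.pf'])
    event_queue_consumer = self._ParseFile(self._parser, test_file)
    event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)

    # Only indices 0, 1 and 2 are pinned below; the remaining two events are
    # not inspected by this test.
    self.assertEqual(len(event_objects), 5)

    # The prefetch last run event.
    event_object = event_objects[1]

    self.assertEqual(event_object.version, 26)

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2013-10-04 15:40:09.037833')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.LAST_RUNTIME)

    self.assertEqual(event_object.executable, u'TASKHOST.EXE')
    self.assertEqual(event_object.prefetch_hash, 0x3ae259fc)

    # The prefetch previous last run event.
    event_object = event_objects[2]

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2013-10-04 15:28:09.010356')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc,
        u'Previous {0:s}'.format(eventdata.EventTimestamp.LAST_RUNTIME))

    # Entries without an MFT reference (e.g. TASKHOST.EXE, $MFT, the .MUI
    # file) are rendered as the bare path.
    expected_mapped_files = [
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTDLL.DLL '
         u'[MFT entry: 46299, sequence: 1]'),
        u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TASKHOST.EXE',
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL32.DLL '
         u'[MFT entry: 45747, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNELBASE.DLL '
         u'[MFT entry: 45734, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\LOCALE.NLS '
         u'[MFT entry: 45777, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSVCRT.DLL '
         u'[MFT entry: 46033, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCRT4.DLL '
         u'[MFT entry: 46668, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\COMBASE.DLL '
         u'[MFT entry: 44616, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLEAUT32.DLL '
         u'[MFT entry: 46309, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\OLE32.DLL '
         u'[MFT entry: 46348, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RPCSS.DLL '
         u'[MFT entry: 46654, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\KERNEL.APPCORE.DLL '
         u'[MFT entry: 45698, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPTBASE.DLL '
         u'[MFT entry: 44560, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BCRYPTPRIMITIVES.DLL '
         u'[MFT entry: 44355, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\USER32.DLL '
         u'[MFT entry: 47130, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\GDI32.DLL '
         u'[MFT entry: 45344, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\EN-US\\'
         u'TASKHOST.EXE.MUI'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SECHOST.DLL '
         u'[MFT entry: 46699, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CLBCATQ.DLL '
         u'[MFT entry: 44511, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RACENGN.DLL '
         u'[MFT entry: 46549, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTMARTA.DLL '
         u'[MFT entry: 46262, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WEVTAPI.DLL '
         u'[MFT entry: 47223, sequence: 1]'),
        u'\\DEVICE\\HARDDISKVOLUME2\\$MFT',
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SQMAPI.DLL '
         u'[MFT entry: 46832, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\AEPIC.DLL '
         u'[MFT entry: 43991, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WINTRUST.DLL '
         u'[MFT entry: 47372, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SLWGA.DLL '
         u'[MFT entry: 46762, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\DXGI.DLL '
         u'[MFT entry: 44935, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ESENT.DLL '
         u'[MFT entry: 45256, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WMICLNT.DLL '
         u'[MFT entry: 47413, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\ADVAPI32.DLL '
         u'[MFT entry: 43994, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SFC_OS.DLL '
         u'[MFT entry: 46729, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\VERSION.DLL '
         u'[MFT entry: 47120, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\CRYPT32.DLL '
         u'[MFT entry: 44645, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\MSASN1.DLL '
         u'[MFT entry: 45909, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\WTSAPI32.DLL '
         u'[MFT entry: 47527, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SPPC.DLL '
         u'[MFT entry: 46803, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\POWRPROF.DLL '
         u'[MFT entry: 46413, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\PROFAPI.DLL '
         u'[MFT entry: 46441, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
         u'RACMETADATA.DAT [MFT entry: 39345, sequence: 2]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\GLOBALIZATION\\SORTING\\'
         u'SORTDEFAULT.NLS [MFT entry: 37452, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\RACRULES.XML '
         u'[MFT entry: 46509, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TASKSCHD.DLL '
         u'[MFT entry: 47043, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\SSPICLI.DLL '
         u'[MFT entry: 46856, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\XMLLITE.DLL '
         u'[MFT entry: 47569, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
         u'RACWMIEVENTDATA.DAT [MFT entry: 23870, sequence: 3]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\PROGRAMDATA\\MICROSOFT\\RAC\\STATEDATA\\'
         u'RACWMIDATABOOKMARKS.DAT [MFT entry: 23871, sequence: 2]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\TPMTASKS.DLL '
         u'[MFT entry: 47003, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NCRYPT.DLL '
         u'[MFT entry: 46073, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\BCRYPT.DLL '
         u'[MFT entry: 44346, sequence: 1]'),
        (u'\\DEVICE\\HARDDISKVOLUME2\\WINDOWS\\SYSTEM32\\NTASN1.DLL '
         u'[MFT entry: 46261, sequence: 1]')]

    self.assertEqual(event_object.mapped_files, expected_mapped_files)

    # The volume creation event.
    event_object = event_objects[0]

    expected_timestamp = timelib_test.CopyStringToTimestamp(
        '2013-10-04 15:57:26.146547')
    self.assertEqual(event_object.timestamp, expected_timestamp)
    self.assertEqual(
        event_object.timestamp_desc, eventdata.EventTimestamp.CREATION_TIME)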
# Allow running this module directly (python winprefetch_test.py); under a
# test runner the module is imported and this branch is skipped.
if __name__ == '__main__':
  unittest.main()