385 lines
16 KiB
Python
385 lines
16 KiB
Python
#!/usr/bin/python
|
|
# -*- coding: utf-8 -*-
|
|
#
|
|
# Copyright 2013 The Plaso Project Authors.
|
|
# Please see the AUTHORS file for details on individual authors.
|
|
#
|
|
# Licensed under the Apache License, Version 2.0 (the "License");
|
|
# you may not use this file except in compliance with the License.
|
|
# You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing, software
|
|
# distributed under the License is distributed on an "AS IS" BASIS,
|
|
# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
# See the License for the specific language governing permissions and
|
|
# limitations under the License.
|
|
"""Tests for the MSIE Zone settings Windows Registry plugin."""
|
|
|
|
import unittest
|
|
|
|
# pylint: disable=unused-import
|
|
from plaso.formatters import winreg as winreg_formatter
|
|
from plaso.lib import timelib_test
|
|
from plaso.parsers.winreg_plugins import msie_zones
|
|
from plaso.parsers.winreg_plugins import test_lib
|
|
|
|
|
|
class MsieZoneSettingsSoftwareZonesPluginTest(test_lib.RegistryPluginTestCase):
|
|
"""Tests for Internet Settings Zones plugin on the Software hive."""
|
|
|
|
def setUp(self):
|
|
"""Sets up the needed objects used throughout the test."""
|
|
self._plugin = msie_zones.MsieZoneSettingsSoftwareZonesPlugin()
|
|
self._test_file = self._GetTestFilePath(['SOFTWARE'])
|
|
|
|
def testProcessForZone(self):
|
|
"""Tests the Process function."""
|
|
key_path = u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Zones'
|
|
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
|
|
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
|
|
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
|
|
|
|
self.assertEquals(len(event_objects), 6)
|
|
|
|
event_object = event_objects[1]
|
|
|
|
# This should just be the plugin name, as we're invoking it directly,
|
|
# and not through the parser.
|
|
self.assertEquals(event_object.parser, self._plugin.plugin_name)
|
|
|
|
expected_timestamp = timelib_test.CopyStringToTimestamp(
|
|
'2011-08-28 21:32:44.937675')
|
|
self.assertEquals(event_object.timestamp, expected_timestamp)
|
|
|
|
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
|
|
expected_value = u'0 (Allow)'
|
|
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
|
|
|
|
expected_msg = (
|
|
u'[{0:s}\\0 (My Computer)] '
|
|
u'[1001] Download signed ActiveX controls: 0 (Allow) '
|
|
u'[1004] Download unsigned ActiveX controls: 0 (Allow) '
|
|
u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
|
|
u'[1201] Initialize and script ActiveX controls not marked as safe: 1 '
|
|
u'(Prompt User) '
|
|
u'[1206] Allow scripting of IE Web browser control: 0 '
|
|
u'[1207] Reserved: 0 '
|
|
u'[1208] Allow previously unused ActiveX controls to run without '
|
|
u'prompt: 0 '
|
|
u'[1209] Allow Scriptlets: 0 '
|
|
u'[120A] Override Per-Site (domain-based) ActiveX restrictions: 0 '
|
|
u'[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
|
|
u'[1400] Active scripting: 0 (Allow) '
|
|
u'[1402] Scripting of Java applets: 0 (Allow) '
|
|
u'[1405] Script ActiveX controls marked as safe for scripting: 0 '
|
|
u'(Allow) '
|
|
u'[1406] Access data sources across domains: 0 (Allow) '
|
|
u'[1407] Allow Programmatic clipboard access: 0 (Allow) '
|
|
u'[1408] Reserved: 0 '
|
|
u'[1409] UNKNOWN: 3 '
|
|
u'[1601] Submit non-encrypted form data: 0 (Allow) '
|
|
u'[1604] Font download: 0 (Allow) '
|
|
u'[1605] Run Java: 0 '
|
|
u'[1606] Userdata persistence: 0 (Allow) '
|
|
u'[1607] Navigate sub-frames across different domains: 0 (Allow) '
|
|
u'[1608] Allow META REFRESH: 0 (Allow) '
|
|
u'[1609] Display mixed content: 1 (Prompt User) '
|
|
u'[160A] Include local directory path when uploading files to a '
|
|
u'server: 0 '
|
|
u'[1802] Drag and drop or copy and paste files: 0 (Allow) '
|
|
u'[1803] File Download: 0 (Allow) '
|
|
u'[1804] Launching programs and files in an IFRAME: 0 (Allow) '
|
|
u'[1805] Launching programs and files in webview: 0 '
|
|
u'[1806] Launching applications and unsafe files: 0 '
|
|
u'[1807] Reserved: 0 '
|
|
u'[1808] Reserved: 0 '
|
|
u'[1809] Use Pop-up Blocker: 3 (Not Allowed) '
|
|
u'[180A] Reserved: 0 '
|
|
u'[180C] Reserved: 0 '
|
|
u'[180D] Reserved: 0 '
|
|
u'[180E] UNKNOWN: 0 '
|
|
u'[180F] UNKNOWN: 0 '
|
|
u'[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
|
|
u'current user name and password) '
|
|
u'[1A02] Allow persistent cookies that are stored on your computer: 0 '
|
|
u'[1A03] Allow per-session cookies (not stored): 0 '
|
|
u'[1A04] Don\'t prompt for client cert selection when no certs exists: '
|
|
u'0 (Allow) '
|
|
u'[1A05] Allow 3rd party persistent cookies: 0 '
|
|
u'[1A06] Allow 3rd party session cookies: 0 '
|
|
u'[1A10] Privacy Settings: 0 '
|
|
u'[1C00] Java permissions: 0x00020000 (Medium safety) '
|
|
u'[2000] Binary and script behaviors: 0 (Allow) '
|
|
u'[2001] .NET: Run components signed with Authenticode: '
|
|
u'3 (Not Allowed) '
|
|
u'[2004] .NET: Run components not signed with Authenticode: '
|
|
u'3 (Not Allowed) '
|
|
u'[2005] UNKNOWN: 0 '
|
|
u'[2007] UNKNOWN: 3 '
|
|
u'[2100] Open files based on content, not file extension: 0 (Allow) '
|
|
u'[2101] Web sites in less privileged zone can navigate into this '
|
|
u'zone: 3 (Not Allowed) '
|
|
u'[2102] Allow script initiated windows without size/position '
|
|
u'constraints: 0 (Allow) '
|
|
u'[2103] Allow status bar updates via script: 0 '
|
|
u'[2104] Allow websites to open windows without address or status '
|
|
u'bars: 0 '
|
|
u'[2105] Allow websites to prompt for information using scripted '
|
|
u'windows: 0 '
|
|
u'[2106] UNKNOWN: 0 '
|
|
u'[2107] UNKNOWN: 0 '
|
|
u'[2200] Automatic prompting for file downloads: 0 (Allow) '
|
|
u'[2201] Automatic prompting for ActiveX controls: 0 (Allow) '
|
|
u'[2300] Allow web pages to use restricted protocols for active '
|
|
u'content: 1 (Prompt User) '
|
|
u'[2301] Use Phishing Filter: 3 '
|
|
u'[2400] .NET: XAML browser applications: 0 '
|
|
u'[2401] .NET: XPS documents: 0 '
|
|
u'[2402] .NET: Loose XAML: 0 '
|
|
u'[2500] Turn on Protected Mode: 3 '
|
|
u'[2600] Enable .NET Framework setup: 0 '
|
|
u'[2700] UNKNOWN: 3 '
|
|
u'[2701] UNKNOWN: 0 '
|
|
u'[2702] UNKNOWN: 3 '
|
|
u'[2703] UNKNOWN: 3 '
|
|
u'[2708] UNKNOWN: 0 '
|
|
u'[2709] UNKNOWN: 0 '
|
|
u'[CurrentLevel]: 0 '
|
|
u'[Description]: Your computer '
|
|
u'[DisplayName]: Computer '
|
|
u'[Flags]: 33 '
|
|
u'[Icon]: shell32.dll#0016 '
|
|
u'[LowIcon]: inetcpl.cpl#005422 '
|
|
u'[PMDisplayName]: Computer '
|
|
u'[Protected Mode]').format(key_path)
|
|
|
|
expected_msg_short = u'[{0:s}\\0 (My Computer)] [...'.format(key_path)
|
|
|
|
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
|
|
|
|
def testProcessForLockDown(self):
|
|
"""Tests the Process function for the lockdown zone key."""
|
|
key_path = (
|
|
u'\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
|
|
u'\\Lockdown_Zones')
|
|
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
|
|
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
|
|
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
|
|
|
|
self.assertEquals(len(event_objects), 6)
|
|
|
|
event_object = event_objects[1]
|
|
|
|
# This should just be the plugin name, as we're invoking it directly,
|
|
# and not through the parser.
|
|
self.assertEquals(event_object.parser, self._plugin.plugin_name)
|
|
|
|
expected_timestamp = timelib_test.CopyStringToTimestamp(
|
|
'2011-08-28 21:32:44.937675')
|
|
self.assertEquals(event_object.timestamp, expected_timestamp)
|
|
|
|
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
|
|
expected_value = u'3 (Not Allowed)'
|
|
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
|
|
|
|
expected_msg = (
|
|
u'[{0:s}\\0 (My Computer)] '
|
|
u'[1001] Download signed ActiveX controls: 1 (Prompt User) '
|
|
u'[1004] Download unsigned ActiveX controls: 3 (Not Allowed) '
|
|
u'[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
|
|
u'[1201] Initialize and script ActiveX controls not marked as safe: 3 '
|
|
u'(Not Allowed) '
|
|
u'[1206] Allow scripting of IE Web browser control: 0 '
|
|
u'[1207] Reserved: 3 '
|
|
u'[1208] Allow previously unused ActiveX controls to run without '
|
|
u'prompt: 3 '
|
|
u'[1209] Allow Scriptlets: 3 '
|
|
u'[120A] Override Per-Site (domain-based) ActiveX restrictions: 3 '
|
|
u'[120B] Override Per-Site (domain-based) ActiveX restrictions: 0 '
|
|
u'[1400] Active scripting: 1 (Prompt User) '
|
|
u'[1402] Scripting of Java applets: 0 (Allow) '
|
|
u'[1405] Script ActiveX controls marked as safe for scripting: 0 '
|
|
u'(Allow) '
|
|
u'[1406] Access data sources across domains: 0 (Allow) '
|
|
u'[1407] Allow Programmatic clipboard access: 1 (Prompt User) '
|
|
u'[1408] Reserved: 3 '
|
|
u'[1409] UNKNOWN: 3 '
|
|
u'[1601] Submit non-encrypted form data: 0 (Allow) '
|
|
u'[1604] Font download: 0 (Allow) '
|
|
u'[1605] Run Java: 0 '
|
|
u'[1606] Userdata persistence: 0 (Allow) '
|
|
u'[1607] Navigate sub-frames across different domains: 0 (Allow) '
|
|
u'[1608] Allow META REFRESH: 0 (Allow) '
|
|
u'[1609] Display mixed content: 1 (Prompt User) '
|
|
u'[160A] Include local directory path when uploading files to a '
|
|
u'server: 0 '
|
|
u'[1802] Drag and drop or copy and paste files: 0 (Allow) '
|
|
u'[1803] File Download: 0 (Allow) '
|
|
u'[1804] Launching programs and files in an IFRAME: 0 (Allow) '
|
|
u'[1805] Launching programs and files in webview: 0 '
|
|
u'[1806] Launching applications and unsafe files: 0 '
|
|
u'[1807] Reserved: 0 '
|
|
u'[1808] Reserved: 0 '
|
|
u'[1809] Use Pop-up Blocker: 3 (Not Allowed) '
|
|
u'[180A] Reserved: 0 '
|
|
u'[180C] Reserved: 0 '
|
|
u'[180D] Reserved: 0 '
|
|
u'[180E] UNKNOWN: 0 '
|
|
u'[180F] UNKNOWN: 0 '
|
|
u'[1A00] User Authentication: Logon: 0x00000000 (Automatic logon with '
|
|
u'current user name and password) '
|
|
u'[1A02] Allow persistent cookies that are stored on your computer: 0 '
|
|
u'[1A03] Allow per-session cookies (not stored): 0 '
|
|
u'[1A04] Don\'t prompt for client cert selection when no certs exists: '
|
|
u'3 (Not Allowed) '
|
|
u'[1A05] Allow 3rd party persistent cookies: 0 '
|
|
u'[1A06] Allow 3rd party session cookies: 0 '
|
|
u'[1A10] Privacy Settings: 0 '
|
|
u'[1C00] Java permissions: 0x00000000 (Disable Java) '
|
|
u'[2000] Binary and script behaviors: 0x00010000 '
|
|
u'(Administrator approved) '
|
|
u'[2005] UNKNOWN: 3 '
|
|
u'[2100] Open files based on content, not file extension: 3 '
|
|
u'(Not Allowed) '
|
|
u'[2101] Web sites in less privileged zone can navigate into this '
|
|
u'zone: 3 (Not Allowed) '
|
|
u'[2102] Allow script initiated windows without size/position '
|
|
u'constraints: '
|
|
u'3 (Not Allowed) '
|
|
u'[2103] Allow status bar updates via script: 3 '
|
|
u'[2104] Allow websites to open windows without address or status '
|
|
u'bars: 3 '
|
|
u'[2105] Allow websites to prompt for information using scripted '
|
|
u'windows: 3 '
|
|
u'[2106] UNKNOWN: 3 '
|
|
u'[2107] UNKNOWN: 3 '
|
|
u'[2200] Automatic prompting for file downloads: 3 (Not Allowed) '
|
|
u'[2201] Automatic prompting for ActiveX controls: 3 (Not Allowed) '
|
|
u'[2301] Use Phishing Filter: 3 '
|
|
u'[2400] .NET: XAML browser applications: 0 '
|
|
u'[2401] .NET: XPS documents: 0 '
|
|
u'[2402] .NET: Loose XAML: 0 '
|
|
u'[2500] Turn on Protected Mode: 3 '
|
|
u'[2600] Enable .NET Framework setup: 0 '
|
|
u'[2700] UNKNOWN: 3 '
|
|
u'[2701] UNKNOWN: 3 '
|
|
u'[2702] UNKNOWN: 3 '
|
|
u'[2703] UNKNOWN: 3 '
|
|
u'[2708] UNKNOWN: 0 '
|
|
u'[2709] UNKNOWN: 0 '
|
|
u'[CurrentLevel]: 0 '
|
|
u'[Description]: Your computer '
|
|
u'[DisplayName]: Computer '
|
|
u'[Flags]: 33 '
|
|
u'[Icon]: shell32.dll#0016 '
|
|
u'[LowIcon]: inetcpl.cpl#005422 '
|
|
u'[PMDisplayName]: Computer '
|
|
u'[Protected Mode]').format(key_path)
|
|
|
|
expected_msg_short = u'[{0:s}\\0 (My Com...'.format(key_path)
|
|
|
|
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
|
|
|
|
|
|
class MsieZoneSettingsUserZonesPluginTest(test_lib.RegistryPluginTestCase):
|
|
"""Tests for Internet Settings Zones plugin on the User hive."""
|
|
|
|
def setUp(self):
|
|
"""Sets up the needed objects used throughout the test."""
|
|
self._plugin = msie_zones.MsieZoneSettingsPlugin()
|
|
self._test_file = self._GetTestFilePath(['NTUSER-WIN7.DAT'])
|
|
|
|
def testProcessForZone(self):
|
|
"""Tests the Process function."""
|
|
key_path = (
|
|
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
|
|
u'\\Zones')
|
|
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
|
|
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
|
|
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
|
|
|
|
self.assertEquals(len(event_objects), 6)
|
|
|
|
event_object = event_objects[1]
|
|
|
|
# This should just be the plugin name, as we're invoking it directly,
|
|
# and not through the parser.
|
|
self.assertEquals(event_object.parser, self._plugin.plugin_name)
|
|
|
|
expected_timestamp = timelib_test.CopyStringToTimestamp(
|
|
'2011-09-16 21:12:40.145514')
|
|
self.assertEquals(event_object.timestamp, expected_timestamp)
|
|
|
|
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
|
|
expected_value = u'0 (Allow)'
|
|
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
|
|
|
|
expected_msg = (
|
|
u'[{0:s}\\0 (My Computer)] '
|
|
u'[1200] Run ActiveX controls and plug-ins: 0 (Allow) '
|
|
u'[1400] Active scripting: 0 (Allow) '
|
|
u'[2001] .NET: Run components signed with Authenticode: 3 (Not '
|
|
u'Allowed) '
|
|
u'[2004] .NET: Run components not signed with Authenticode: 3 (Not '
|
|
u'Allowed) '
|
|
u'[2007] UNKNOWN: 3 '
|
|
u'[CurrentLevel]: 0 '
|
|
u'[Description]: Your computer '
|
|
u'[DisplayName]: Computer '
|
|
u'[Flags]: 33 [Icon]: shell32.dll#0016 '
|
|
u'[LowIcon]: inetcpl.cpl#005422 '
|
|
u'[PMDisplayName]: Computer '
|
|
u'[Protected Mode]').format(key_path)
|
|
|
|
expected_msg_short = u'[{0:s}\\0 (My Com...'.format(key_path)
|
|
|
|
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
|
|
|
|
def testProcessForLockDown(self):
|
|
"""Tests the Process function."""
|
|
key_path = (
|
|
u'\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings'
|
|
u'\\Lockdown_Zones')
|
|
winreg_key = self._GetKeyFromFile(self._test_file, key_path)
|
|
event_queue_consumer = self._ParseKeyWithPlugin(self._plugin, winreg_key)
|
|
event_objects = self._GetEventObjectsFromQueue(event_queue_consumer)
|
|
|
|
self.assertEquals(len(event_objects), 6)
|
|
|
|
event_object = event_objects[1]
|
|
|
|
# This should just be the plugin name, as we're invoking it directly,
|
|
# and not through the parser.
|
|
self.assertEquals(event_object.parser, self._plugin.plugin_name)
|
|
|
|
expected_timestamp = timelib_test.CopyStringToTimestamp(
|
|
'2011-09-16 21:12:40.145514')
|
|
self.assertEquals(event_object.timestamp, expected_timestamp)
|
|
|
|
regvalue_identifier = u'[1200] Run ActiveX controls and plug-ins'
|
|
expected_value = u'3 (Not Allowed)'
|
|
self._TestRegvalue(event_object, regvalue_identifier, expected_value)
|
|
|
|
expected_msg = (
|
|
u'[{0:s}\\0 (My Computer)] '
|
|
u'[1200] Run ActiveX controls and plug-ins: 3 (Not Allowed) '
|
|
u'[1400] Active scripting: 1 (Prompt User) '
|
|
u'[CurrentLevel]: 0 '
|
|
u'[Description]: Your computer '
|
|
u'[DisplayName]: Computer '
|
|
u'[Flags]: 33 '
|
|
u'[Icon]: shell32.dll#0016 '
|
|
u'[LowIcon]: inetcpl.cpl#005422 '
|
|
u'[PMDisplayName]: Computer '
|
|
u'[Protected Mode]').format(key_path)
|
|
|
|
expected_msg_short = u'[{0:s}\\...'.format(key_path)
|
|
|
|
self._TestGetMessageStrings(event_object, expected_msg, expected_msg_short)
|
|
|
|
|
|
if __name__ == '__main__':
|
|
unittest.main()
|