Added Windows Registry plugin interface tests #2566 (#2633)

log2timeline · Jun 28, 2019 · cfa4c8f · cfa4c8f
1 parent bddd2da
commit cfa4c8f
Show file tree

Hide file tree

Showing 2 changed files with 168 additions and 17 deletions.
diff --git a/plaso/parsers/winreg_plugins/interface.py b/plaso/parsers/winreg_plugins/interface.py
@@ -13,7 +13,7 @@ class BaseWindowsRegistryKeyFilter(object):
 
   @property
   def key_paths(self):
-    """List of key paths defined by the filter."""
+    """list[str]: key paths defined by the filter."""
     return []
 
   # pylint: disable=redundant-returns-doc
@@ -81,10 +81,13 @@ def __init__(self, key_path):
 
       if wow64_prefix:
         key_path_suffix = self._key_path[len(wow64_prefix):]
+        self._wow64_key_path = '\\'.join([wow64_prefix, 'Wow6432Node'])
+
         if key_path_suffix.startswith('\\'):
           key_path_suffix = key_path_suffix[1:]
-        self._wow64_key_path = '\\'.join([
-            wow64_prefix, 'Wow6432Node', key_path_suffix])
+        if key_path_suffix:
+          self._wow64_key_path = '\\'.join([
+              self._wow64_key_path, key_path_suffix])
         self._wow64_key_path_upper = self._wow64_key_path.upper()
 
   @property

diff --git a/tests/parsers/winreg_plugins/interface.py b/tests/parsers/winreg_plugins/interface.py
@@ -6,6 +6,9 @@
 
 import unittest
 
+from dfwinreg import definitions as dfwinreg_definitions
+from dfwinreg import fake as dfwinreg_fake
+
 from plaso.parsers.winreg_plugins import interface
 
 from tests.parsers.winreg_plugins import test_lib
@@ -14,61 +17,206 @@
 class BaseWindowsRegistryKeyFilterTest(test_lib.RegistryPluginTestCase):
   """Tests for the Windows Registry key filter interface."""
 
-  # TODO: add tests for key_paths
+  def testKeyPaths(self):
+    """Tests the key_paths property."""
+    path_filter = interface.BaseWindowsRegistryKeyFilter()
+    self.assertEqual(path_filter.key_paths, [])
 
 
 class WindowsRegistryKeyPathFilterTest(test_lib.RegistryPluginTestCase):
   """Tests for the Windows Registry key path filter."""
 
   def testInitialize(self):
     """Tests the __init__ function."""
-    path_filter = interface.WindowsRegistryKeyPathFilter('')
+    path_filter = interface.WindowsRegistryKeyPathFilter(
+        'HKEY_LOCAL_MACHINE\\System')
     self.assertIsNotNone(path_filter)
 
-  # TODO: add tests for key_paths
-  # TODO: add tests for Match
+  def testKeyPaths(self):
+    """Tests the key_paths property."""
+    path_filter = interface.WindowsRegistryKeyPathFilter(
+        'HKEY_LOCAL_MACHINE\\System')
+    self.assertEqual(path_filter.key_paths, ['HKEY_LOCAL_MACHINE\\System'])
+
+    path_filter = interface.WindowsRegistryKeyPathFilter(
+        'HKEY_CURRENT_USER\\Software\\Microsoft')
+    self.assertEqual(path_filter.key_paths, [
+        'HKEY_CURRENT_USER\\Software\\Microsoft',
+        'HKEY_CURRENT_USER\\Software\\Wow6432Node\\Microsoft'])
+
+  def testMatch(self):
+    """Tests the Match function."""
+    path_filter = interface.WindowsRegistryKeyPathFilter(
+        'HKEY_LOCAL_MACHINE\\System')
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'System', key_path='HKEY_LOCAL_MACHINE\\System')
+
+    result = path_filter.Match(registry_key)
+    self.assertTrue(result)
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Select', key_path='HKEY_LOCAL_MACHINE\\System\\Select')
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Software', key_path='HKEY_LOCAL_MACHINE\\Software')
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
 
 
 class WindowsRegistryKeyPathPrefixFilterTest(test_lib.RegistryPluginTestCase):
   """Tests for Windows Registry key path prefix filter."""
 
   def testInitialize(self):
     """Tests the __init__ function."""
-    path_filter = interface.WindowsRegistryKeyPathPrefixFilter('')
+    path_filter = interface.WindowsRegistryKeyPathPrefixFilter(
+        'HKEY_LOCAL_MACHINE\\System')
     self.assertIsNotNone(path_filter)
 
-  # TODO: add tests for key_paths
-  # TODO: add tests for Match
+  def testKeyPaths(self):
+    """Tests the key_paths property."""
+    path_filter = interface.WindowsRegistryKeyPathPrefixFilter(
+        'HKEY_LOCAL_MACHINE\\System')
+    self.assertEqual(path_filter.key_paths, [])
+
+  def testMatch(self):
+    """Tests the Match function."""
+    path_filter = interface.WindowsRegistryKeyPathPrefixFilter(
+        'HKEY_LOCAL_MACHINE\\System')
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'System', key_path='HKEY_LOCAL_MACHINE\\System')
+
+    result = path_filter.Match(registry_key)
+    self.assertTrue(result)
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Select', key_path='HKEY_LOCAL_MACHINE\\System\\Select')
+
+    result = path_filter.Match(registry_key)
+    self.assertTrue(result)
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Software', key_path='HKEY_LOCAL_MACHINE\\Software')
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
 
 
 class WindowsRegistryKeyPathSuffixFilterTest(test_lib.RegistryPluginTestCase):
   """Tests for Windows Registry key path suffix filter."""
 
   def testInitialize(self):
     """Tests the __init__ function."""
-    path_filter = interface.WindowsRegistryKeyPathSuffixFilter('')
+    path_filter = interface.WindowsRegistryKeyPathSuffixFilter(
+        'Windows\\Explorer')
     self.assertIsNotNone(path_filter)
 
-  # TODO: add tests for key_paths
-  # TODO: add tests for Match
+  def testKeyPaths(self):
+    """Tests the key_paths property."""
+    path_filter = interface.WindowsRegistryKeyPathSuffixFilter(
+        'Windows\\Explorer')
+    self.assertEqual(path_filter.key_paths, [])
+
+  def testMatch(self):
+    """Tests the Match function."""
+    path_filter = interface.WindowsRegistryKeyPathSuffixFilter(
+        'Windows\\Explorer')
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\Explorer')
+
+    result = path_filter.Match(registry_key)
+    self.assertTrue(result)
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Windows', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows')
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
+
+    key_path = 'HKEY_LOCAL_MACHINE\\Software\\Windows\\Explorer\\Zones'
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Explorer', key_path=key_path)
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
 
 
 class WindowsRegistryKeyWithValuesFilterTest(test_lib.RegistryPluginTestCase):
   """Tests for Windows Registry key with values filter."""
 
   def testInitialize(self):
     """Tests the __init__ function."""
-    path_filter = interface.WindowsRegistryKeyWithValuesFilter([])
+    path_filter = interface.WindowsRegistryKeyWithValuesFilter(
+        ('a', 'MRUList'))
     self.assertIsNotNone(path_filter)
 
-  # TODO: add tests for key_paths
-  # TODO: add tests for Match
+  def testKeyPaths(self):
+    """Tests the key_paths property."""
+    path_filter = interface.WindowsRegistryKeyWithValuesFilter(
+        ('a', 'MRUList'))
+    self.assertEqual(path_filter.key_paths, [])
+
+  def testMatch(self):
+    """Tests the Match function."""
+    path_filter = interface.WindowsRegistryKeyWithValuesFilter(
+        ('a', 'MRUList'))
+
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU')
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
+
+    registry_value = dfwinreg_fake.FakeWinRegistryValue(
+        'MRUList', data_type=dfwinreg_definitions.REG_BINARY)
+    registry_key.AddValue(registry_value)
+
+    result = path_filter.Match(registry_key)
+    self.assertFalse(result)
+
+    registry_value = dfwinreg_fake.FakeWinRegistryValue(
+        'a', data_type=dfwinreg_definitions.REG_SZ)
+    registry_key.AddValue(registry_value)
+
+    result = path_filter.Match(registry_key)
+    self.assertTrue(result)
 
 
 class WindowsRegistryPluginTest(test_lib.RegistryPluginTestCase):
   """Tests for the Windows Registry plugin interface."""
 
-  # TODO: add tests for _GetValuesFromKey
+  # pylint: disable=protected-access
+
+  def testGetValuesFromKey(self):
+    """Tests the _GetValuesFromKey function."""
+    registry_key = dfwinreg_fake.FakeWinRegistryKey(
+        'Explorer', key_path='HKEY_LOCAL_MACHINE\\Software\\Windows\\MRU')
+
+    value_data = b'a\x00'
+    registry_value = dfwinreg_fake.FakeWinRegistryValue(
+        'MRUList', data=value_data, data_type=dfwinreg_definitions.REG_BINARY)
+    registry_key.AddValue(registry_value)
+
+    value_data = b'o\x00n\x00e\x00'
+    registry_value = dfwinreg_fake.FakeWinRegistryValue(
+        'a', data=value_data, data_type=dfwinreg_definitions.REG_SZ)
+    registry_key.AddValue(registry_value)
+
+    plugin = interface.WindowsRegistryPlugin()
+
+    expected_value_dict = {
+        'a': '[REG_SZ] one',
+        'MRUList': '[REG_BINARY] (2 bytes)'}
+
+    values_dict = plugin._GetValuesFromKey(registry_key)
+    self.assertEqual(
+        sorted(values_dict.items()), sorted(expected_value_dict.items()))
 
 
 if __name__ == '__main__':