root/honeyclient/tags/exp/DOWN1-kindlund-simpler_agent/t/honeyclient_agent.t

Revision 1443, 41.5 kB (checked in by kindlund, 9 months ago)

Finalized light-weight Agent design. Additional Housekeeping.

1 #!/usr/bin/perl -w
2
3 use strict;
4 use Test::More 'no_plan';
5 $| = 1;
6
7
8
9 # =begin testing
10 {
11 # Load checks for every module the Agent tests depend on. Each use_ok() sits in a BEGIN block so the import takes effect at compile time. First: make sure Log::Log4perl loads.
12 BEGIN { use_ok('Log::Log4perl', qw(:nowarn))
13         or diag("Can't load Log::Log4perl package. Check to make sure the package library is correctly listed within the path.");
14
15         # Suppress all logging messages, since we need clean output for unit testing: the only appender is an in-memory TestBuffer with min_level "fatal".
16         Log::Log4perl->init({
17             "log4perl.rootLogger"                               => "DEBUG, Buffer",
18             "log4perl.appender.Buffer"                          => "Log::Log4perl::Appender::TestBuffer",
19             "log4perl.appender.Buffer.min_level"                => "fatal",
20             "log4perl.appender.Buffer.layout"                   => "Log::Log4perl::Layout::PatternLayout",
21             "log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
22         });
23 }
24 require_ok('Log::Log4perl');
25 use Log::Log4perl qw(:easy);
26
27 # Make sure HoneyClient::Util::Config loads and exports getVar, which the tests below use to read configuration values.
28 BEGIN { use_ok('HoneyClient::Util::Config', qw(getVar))
29         or diag("Can't load HoneyClient::Util::Config package.  Check to make sure the package library is correctly listed within the path.");
30
31         # Suppress all logging messages, since we need clean output for unit testing (same settings as the previous BEGIN block, applied again at compile time).
32         Log::Log4perl->init({
33             "log4perl.rootLogger"                               => "DEBUG, Buffer",
34             "log4perl.appender.Buffer"                          => "Log::Log4perl::Appender::TestBuffer",
35             "log4perl.appender.Buffer.min_level"                => "fatal",
36             "log4perl.appender.Buffer.layout"                   => "Log::Log4perl::Layout::PatternLayout",
37             "log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
38         });
39 }
40 require_ok('HoneyClient::Util::Config');
41 can_ok('HoneyClient::Util::Config', 'getVar');
42 use HoneyClient::Util::Config qw(getVar);
43
44 # Suppress all logging messages, since we need clean output for unit testing. Unlike the two BEGIN copies, this init() runs at run time.
45 Log::Log4perl->init({
46     "log4perl.rootLogger"                               => "DEBUG, Buffer",
47     "log4perl.appender.Buffer"                          => "Log::Log4perl::Appender::TestBuffer",
48     "log4perl.appender.Buffer.min_level"                => "fatal",
49     "log4perl.appender.Buffer.layout"                   => "Log::Log4perl::Layout::PatternLayout",
50     "log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
51 });
52
53 # Make sure the module loads properly, with the exportable
54 # functions shared.
55 BEGIN {
56     # Check to make sure we're in a suitable environment: HoneyClient::Agent is only loaded when $Config{osname} matches /^cygwin$/; otherwise the one use_ok test is skipped.
57     use Config;
58     SKIP: {
59         skip 'HoneyClient::Agent only works in Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
60    
61         use_ok('HoneyClient::Agent') or diag("Can't load HoneyClient::Agent package.  Check to make sure the package library is correctly listed within the path.");
62     }
63 }
64
65 # Check to make sure we're in a suitable environment. The skip count (3) covers require_ok and the two can_ok checks; skip() leaves the SKIP block, so the cygwin re-check around the final require is redundant but harmless.
66 use Config;
67 SKIP: {
68     skip 'HoneyClient::Agent only works in Cygwin environment.', 3 if ($Config{osname} !~ /^cygwin$/);
69
70     require_ok('HoneyClient::Agent');
71     can_ok('HoneyClient::Agent', 'init');
72     can_ok('HoneyClient::Agent', 'destroy');
73     if ($Config{osname} =~ /^cygwin$/) {
74         require HoneyClient::Agent;
75     }
76 }
77
78 # Make sure HoneyClient::Util::SOAP loads. getClientHandle is what the drive() test further down uses to connect to the Agent.
79 BEGIN { use_ok('HoneyClient::Util::SOAP', qw(getServerHandle getClientHandle)) or diag("Can't load HoneyClient::Util::SOAP package.  Check to make sure the package library is correctly listed within the path."); }
80 require_ok('HoneyClient::Util::SOAP');
81 can_ok('HoneyClient::Util::SOAP', 'getServerHandle');
82 can_ok('HoneyClient::Util::SOAP', 'getClientHandle');
83 use HoneyClient::Util::SOAP qw(getServerHandle getClientHandle);
84
85 # Make sure HoneyClient::Agent::Integrity loads.
86 BEGIN { use_ok('HoneyClient::Agent::Integrity') or diag("Can't load HoneyClient::Agent::Integrity package.  Check to make sure the package library is correctly listed within the path."); }
87 require_ok('HoneyClient::Agent::Integrity');
88 use HoneyClient::Agent::Integrity;
89
90 # Make sure Storable loads. NOTE(review): thaw() is applied further down to the base64-decoded drive() result. Storable's documentation warns against thawing data from untrusted sources; here the peer is the Agent this test starts itself and reaches via localhost.
91 BEGIN { use_ok('Storable', qw(nfreeze thaw)) or diag("Can't load Storable package.  Check to make sure the package library is correctly listed within the path."); }
92 require_ok('Storable');
93 can_ok('Storable', 'nfreeze');
94 can_ok('Storable', 'thaw');
95 use Storable qw(nfreeze thaw);
96
97 # Make sure MIME::Base64 loads. decode_base64 unwraps the drive() result before it is thawed.
98 BEGIN { use_ok('MIME::Base64', qw(encode_base64 decode_base64)) or diag("Can't load MIME::Base64 package.  Check to make sure the package library is correctly listed within the path."); }
99 require_ok('MIME::Base64');
100 can_ok('MIME::Base64', 'encode_base64');
101 can_ok('MIME::Base64', 'decode_base64');
102 use MIME::Base64 qw(encode_base64 decode_base64);
103
104 # Make sure DateTime::HiRes loads.
105 BEGIN { use_ok('DateTime::HiRes') or diag("Can't load DateTime::HiRes package.  Check to make sure the package library is correctly listed within the path."); }
106 require_ok('DateTime::HiRes');
107 use DateTime::HiRes;
108
109 # Make sure Data::Dumper loads.
110 BEGIN { use_ok('Data::Dumper') or diag("Can't load Data::Dumper package.  Check to make sure the package library is correctly listed within the path."); }
111 require_ok('Data::Dumper');
112 use Data::Dumper;
113
114 BEGIN {
115
116     # Check to make sure we're in a suitable environment: Win32::Job is only loaded under Cygwin, and its one use_ok test is skipped elsewhere.
117     use Config;
118     SKIP: {
119         skip 'Win32 libraries only work in a Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
120    
121         # Make sure Win32::Job loads.
122         use_ok('Win32::Job') or diag("Can't load Win32::Job package.  Check to make sure the package library is correctly listed within the path.");
123     }
124 }
125
126 # Check to make sure we're in a suitable environment. As with HoneyClient::Agent above, the cygwin re-check around the final require is only reached when skip() did not fire.
127 use Config;
128 SKIP: {
129     skip 'Win32 libraries only work in a Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
130
131     require_ok('Win32::Job');
132     if ($Config{osname} =~ /^cygwin$/) {
133         require Win32::Job;
134     }
135 }
136
137 # Global test variables: the Agent port read from the HoneyClient::Agent configuration namespace, plus package-level $stub and $som (presumably the SOAP client handle and response, mirroring the lexicals of the same names in the drive() test; confirm).
138 our $PORT = getVar(name      => "port",
139                    namespace => "HoneyClient::Agent");
140 our ($stub, $som);
141 }
142
143
144
145 # =begin testing
{
    # Exercises HoneyClient::Agent->init(): the call is expected to return
    # the Agent's SOAP endpoint URL, built from the "address" and "port"
    # settings in the HoneyClient::Agent configuration namespace.
    #
    # NOTE(review): going by the diag text below, init() starts a SOAP
    # server listening on that TCP port.  This block does not stop it;
    # the destroy() test later in this file does.
    use Config;

    SKIP: {
        # The Agent only runs under Cygwin, so the single assertion below
        # is reported as skipped on every other platform.
        skip 'HoneyClient::Agent only works in Cygwin environment.', 1
            unless $Config{osname} =~ /^cygwin$/;

        # Package globals, declared with "our" as elsewhere in this file.
        our $URL = HoneyClient::Agent->init();

        my @agent_namespace = (namespace => "HoneyClient::Agent");
        our $PORT = getVar(name => "port",    @agent_namespace);
        our $HOST = getVar(name => "address", @agent_namespace);

        my $expected_url = "http://$HOST:$PORT/HoneyClient/Agent";
        is($URL, $expected_url, "init()")
            or diag("Failed to start up the VM SOAP server.  Check to see if any other daemon is listening on TCP port $PORT.");
    }
}
160
161
162
163 # =begin testing
{
    # Exercises HoneyClient::Agent->destroy(), which is expected to return 1.
    # Per the diag text below, a failure here can leave the Agent SOAP
    # server (or stale child processes) running after the test.
    use Config;

    SKIP: {
        # The Agent only runs under Cygwin, so the single assertion below
        # is reported as skipped on every other platform.
        skip 'HoneyClient::Agent only works in Cygwin environment.', 1
            unless $Config{osname} =~ /^cygwin$/;

        my $destroyed = HoneyClient::Agent->destroy();
        is($destroyed, 1, "destroy()")
            or diag("Unable to terminate Agent SOAP server.  Be sure to check for any stale or lingering processes.");
    }
}
173
174
175
176 # =begin testing
177 {
178 # Check to make sure we're in a suitable environment.
179 use Config;
180 SKIP: {
181     skip 'HoneyClient::Agent only works in Cygwin environment.', 11 if ($Config{osname} !~ /^cygwin$/);
182
183     # Shared test variables.
184     my ($stub, $som, $URL);
185
186     # Catch all errors, in order to make sure child processes are
187     # properly killed.
188     eval {
189
190         $URL = HoneyClient::Agent->init();
191
192         # Connect to daemon as a client.
193         $stub = getClientHandle(namespace => "HoneyClient::Agent",
194                                 address   => "localhost");
195
196         # Make sure the realtime_changes_file exists and is 0 bytes.
197         my $realtime_changes_file = getVar(name      => 'realtime_changes_file',
198                                            namespace => 'HoneyClient::Agent::Integrity');
199         unlink($realtime_changes_file);
200         open(REALTIME_CHANGES_FILE, ">", $realtime_changes_file);
201         close(REALTIME_CHANGES_FILE);
202
203         diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and no changes...");
204
205         # Drive the Agent using IE.
206         $som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE");
207
208         # Verify changes.
209         my $changes = thaw(decode_base64($som->result()));
210
211         # Check to see if the drive operation completed properly.
212         ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
213         ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
214         ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
215         ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
216
217         # Check that os_processes is empty.
218         ok(!scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
219
220         diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and artificial changes...");
221        
222         my $test_realtime_changes_file = getVar(name      => 'realtime_changes_file',
223                                                 namespace => 'HoneyClient::Agent::Integrity::Test');
224
225         system("cp " . $test_realtime_changes_file . " " . $realtime_changes_file);
226        
227         my $expectedFingerprint = {
228           'os_processes' => [
229             {
230               'parent_name' => 'C:\\WINDOWS\\explorer.exe',
231               'name' => 'C:\\WINDOWS\\system32\\notepad.exe',
232               'created' => '2008-04-02 21:44:40.376',
233               'stopped' => '2008-04-02 21:44:57.94',
234               'pid' => '2496',
235               'regkeys' => [
236                 {
237                   'value_type' => 'REG_SZ',
238                   'value_name' => 'Recent',
239                   'value' => 'C:\\Documents and Settings\\Administrator\\Recent',
240                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
241                   'event' => 'SetValueKey',
242                   'time_at' => '2008-04-02 21:44:48.985'
243                 },
244                 {
245                   'value_type' => 'REG_SZ',
246                   'value_name' => 'BaseClass',
247                   'value' => 'Drive',
248                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda13-8b6f-11d7-9c24-806d6172696f}',
249                   'event' => 'SetValueKey',
250                   'time_at' => '2008-04-02 21:44:49.32'
251                 },
252                 {
253                   'value_type' => 'REG_SZ',
254                   'value_name' => 'BaseClass',
255                   'value' => 'Drive',
256                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{1bdee3a6-fbab-11dc-9af4-806d6172696f}',
257                   'event' => 'SetValueKey',
258                   'time_at' => '2008-04-02 21:44:49.32'
259                 },
260                 {
261                   'value_type' => 'REG_SZ',
262                   'value_name' => 'BaseClass',
263                   'value' => 'Drive',
264                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda11-8b6f-11d7-9c24-806d6172696f}',
265                   'event' => 'SetValueKey',
266                   'time_at' => '2008-04-02 21:44:49.32'
267                 },
268                 {
269                   'value_type' => 'REG_SZ',
270                   'value_name' => 'BaseClass',
271                   'value' => 'Drive',
272                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{86efd67e-0a06-11dc-97a7-806d6172696f}',
273                   'event' => 'SetValueKey',
274                   'time_at' => '2008-04-02 21:44:49.32'
275                 },
276                 {
277                   'value_type' => 'REG_SZ',
278                   'value_name' => 'Personal',
279                   'value' => 'C:\\Documents and Settings\\Administrator\\My Documents',
280                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
281                   'event' => 'SetValueKey',
282                   'time_at' => '2008-04-02 21:44:49.329'
283                 },
284                 {
285                   'value_type' => 'REG_SZ',
286                   'value_name' => 'Common Documents',
287                   'value' => 'C:\\Documents and Settings\\All Users\\Documents',
288                   'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
289                   'event' => 'SetValueKey',
290                   'time_at' => '2008-04-02 21:44:49.329'
291                 },
292                 {
293                   'value_type' => 'REG_SZ',
294                   'value_name' => 'Desktop',
295                   'value' => 'C:\\Documents and Settings\\Administrator\\Desktop',
296                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
297                   'event' => 'SetValueKey',
298                   'time_at' => '2008-04-02 21:44:49.344'
299                 },
300                 {
301                   'value_type' => 'REG_SZ',
302                   'value_name' => 'Common Desktop',
303                   'value' => 'C:\\Documents and Settings\\All Users\\Desktop',
304                   'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
305                   'event' => 'SetValueKey',
306                   'time_at' => '2008-04-02 21:44:49.344'
307                 },
308                 {
309                   'value_type' => 'REG_SZ',
310                   'value_name' => 'Favorites',
311                   'value' => 'C:\\Documents and Settings\\Administrator\\Favorites',
312                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
313                   'event' => 'SetValueKey',
314                   'time_at' => '2008-04-02 21:44:49.797'
315                 },
316                 {
317                   'value_type' => 'REG_BINARY',
318                   'value_name' => 'b',
319                   'value' => '6e06f07406507006106402e0650780650004303a05c06307906707706906e05c06806f06d06505c04106406d06906e06907307407206107406f07205c07407207506e06b02d07207705c04306107007407507206503205c06306107007407507206502d06306c06906506e07402d07806506e06f02d06d06f06405c06906e07307406106c06c000',
320                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
321                   'event' => 'SetValueKey',
322                   'time_at' => '2008-04-02 21:44:54.79'
323                 },
324                 {
325                   'value_type' => 'REG_SZ',
326                   'value_name' => 'MRUList',
327                   'value' => 'bac',
328                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
329                   'event' => 'SetValueKey',
330                   'time_at' => '2008-04-02 21:44:54.79'
331                 },
332                 {
333                   'value_type' => 'REG_SZ',
334                   'value_name' => 'a',
335                   'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
336                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
337                   'event' => 'SetValueKey',
338                   'time_at' => '2008-04-02 21:44:54.94'
339                 },
340                 {
341                   'value_type' => 'REG_SZ',
342                   'value_name' => 'MRUList',
343                   'value' => 'a',
344                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
345                   'event' => 'SetValueKey',
346                   'time_at' => '2008-04-02 21:44:54.94'
347                 },
348                 {
349                   'value_type' => 'REG_SZ',
350                   'value_name' => 'e',
351                   'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
352                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
353                   'event' => 'SetValueKey',
354                   'time_at' => '2008-04-02 21:44:54.94'
355                 },
356                 {
357                   'value_type' => 'REG_SZ',
358                   'value_name' => 'MRUList',
359                   'value' => 'edcbjihagf',
360                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
361                   'event' => 'SetValueKey',
362                   'time_at' => '2008-04-02 21:44:54.94'
363                 },
364                 {
365                   'value_type' => 'REG_DWORD',
366                   'value_name' => 'lfEscapement',
367                   'value' => '0',
368                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
369                   'event' => 'SetValueKey',
370                   'time_at' => '2008-04-02 21:44:57.63'
371                 },
372                 {
373                   'value_type' => 'REG_DWORD',
374                   'value_name' => 'lfOrientation',
375                   'value' => '0',
376                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
377                   'event' => 'SetValueKey',
378                   'time_at' => '2008-04-02 21:44:57.63'
379                 },
380                 {
381                   'value_type' => 'REG_DWORD',
382                   'value_name' => 'lfWeight',
383                   'value' => '190',
384                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
385                   'event' => 'SetValueKey',
386                   'time_at' => '2008-04-02 21:44:57.63'
387                 },
388                 {
389                   'value_type' => 'REG_DWORD',
390                   'value_name' => 'lfItalic',
391                   'value' => '0',
392                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
393                   'event' => 'SetValueKey',
394                   'time_at' => '2008-04-02 21:44:57.63'
395                 },
396                 {
397                   'value_type' => 'REG_DWORD',
398                   'value_name' => 'lfUnderline',
399                   'value' => '0',
400                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
401                   'event' => 'SetValueKey',
402                   'time_at' => '2008-04-02 21:44:57.63'
403                 },
404                 {
405                   'value_type' => 'REG_DWORD',
406                   'value_name' => 'lfStrikeOut',
407                   'value' => '0',
408                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
409                   'event' => 'SetValueKey',
410                   'time_at' => '2008-04-02 21:44:57.63'
411                 },
412                 {
413                   'value_type' => 'REG_DWORD',
414                   'value_name' => 'lfCharSet',
415                   'value' => '0',
416                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
417                   'event' => 'SetValueKey',
418                   'time_at' => '2008-04-02 21:44:57.63'
419                 },
420                 {
421                   'value_type' => 'REG_DWORD',
422                   'value_name' => 'lfOutPrecision',
423                   'value' => '3',
424                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
425                   'event' => 'SetValueKey',
426                   'time_at' => '2008-04-02 21:44:57.63'
427                 },
428                 {
429                   'value_type' => 'REG_DWORD',
430                   'value_name' => 'lfClipPrecision',
431                   'value' => '2',
432                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
433                   'event' => 'SetValueKey',
434                   'time_at' => '2008-04-02 21:44:57.63'
435                 },
436                 {
437                   'value_type' => 'REG_DWORD',
438                   'value_name' => 'lfQuality',
439                   'value' => '1',
440                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
441                   'event' => 'SetValueKey',
442                   'time_at' => '2008-04-02 21:44:57.63'
443                 },
444                 {
445                   'value_type' => 'REG_DWORD',
446                   'value_name' => 'lfPitchAndFamily',
447                   'value' => '31',
448                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
449                   'event' => 'SetValueKey',
450                   'time_at' => '2008-04-02 21:44:57.63'
451                 },
452                 {
453                   'value_type' => 'REG_DWORD',
454                   'value_name' => 'iPointSize',
455                   'value' => '8c',
456                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
457                   'event' => 'SetValueKey',
458                   'time_at' => '2008-04-02 21:44:57.63'
459                 },
460                 {
461                   'value_type' => 'REG_DWORD',
462                   'value_name' => 'fWrap',
463                   'value' => '0',
464                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
465                   'event' => 'SetValueKey',
466                   'time_at' => '2008-04-02 21:44:57.63'
467                 },
468                 {
469                   'value_type' => 'REG_DWORD',
470                   'value_name' => 'StatusBar',
471                   'value' => '0',
472                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
473                   'event' => 'SetValueKey',
474                   'time_at' => '2008-04-02 21:44:57.63'
475                 },
476                 {
477                   'value_type' => 'REG_DWORD',
478                   'value_name' => 'fSaveWindowPositions',
479                   'value' => '0',
480                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
481                   'event' => 'SetValueKey',
482                   'time_at' => '2008-04-02 21:44:57.63'
483                 },
484                 {
485                   'value_type' => 'REG_SZ',
486                   'value_name' => 'lfFaceName',
487                   'value' => 'Lucida Console',
488                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
489                   'event' => 'SetValueKey',
490                   'time_at' => '2008-04-02 21:44:57.63'
491                 },
492                 {
493                   'value_type' => 'REG_SZ',
494                   'value_name' => 'szHeader',
495                   'value' => '&f',
496                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
497                   'event' => 'SetValueKey',
498                   'time_at' => '2008-04-02 21:44:57.63'
499                 },
500                 {
501                   'value_type' => 'REG_SZ',
502                   'value_name' => 'szTrailer',
503                   'value' => 'Page &p',
504                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
505                   'event' => 'SetValueKey',
506                   'time_at' => '2008-04-02 21:44:57.63'
507                 },
508                 {
509                   'value_type' => 'REG_DWORD',
510                   'value_name' => 'iMarginTop',
511                   'value' => '3e8',
512                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
513                   'event' => 'SetValueKey',
514                   'time_at' => '2008-04-02 21:44:57.63'
515                 },
516                 {
517                   'value_type' => 'REG_DWORD',
518                   'value_name' => 'iMarginBottom',
519                   'value' => '3e8',
520                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
521                   'event' => 'SetValueKey',
522                   'time_at' => '2008-04-02 21:44:57.63'
523                 },
524                 {
525                   'value_type' => 'REG_DWORD',
526                   'value_name' => 'iMarginLeft',
527                   'value' => '2ee',
528                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
529                   'event' => 'SetValueKey',
530                   'time_at' => '2008-04-02 21:44:57.63'
531                 },
532                 {
533                   'value_type' => 'REG_DWORD',
534                   'value_name' => 'iMarginRight',
535                   'value' => '2ee',
536                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
537                   'event' => 'SetValueKey',
538                   'time_at' => '2008-04-02 21:44:57.63'
539                 },
540                 {
541                   'value_type' => 'REG_DWORD',
542                   'value_name' => 'fMLE_is_broken',
543                   'value' => '0',
544                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
545                   'event' => 'SetValueKey',
546                   'time_at' => '2008-04-02 21:44:57.63'
547                 },
548                 {
549                   'value_type' => 'REG_DWORD',
550                   'value_name' => 'iWindowPosX',
551                   'value' => 'fffffff9',
552                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
553                   'event' => 'SetValueKey',
554                   'time_at' => '2008-04-02 21:44:57.63'
555                 },
556                 {
557                   'value_type' => 'REG_DWORD',
558                   'value_name' => 'iWindowPosY',
559                   'value' => '38',
560                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
561                   'event' => 'SetValueKey',
562                   'time_at' => '2008-04-02 21:44:57.63'
563                 },
564                 {
565                   'value_type' => 'REG_DWORD',
566                   'value_name' => 'iWindowPosDX',
567                   'value' => '40c',
568                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
569                   'event' => 'SetValueKey',
570                   'time_at' => '2008-04-02 21:44:57.63'
571                 },
572                 {
573                   'value_type' => 'REG_DWORD',
574                   'value_name' => 'iWindowPosDY',
575                   'value' => '299',
576                   'name' => 'HKCU\\Software\\Microsoft\\Notepad',
577                   'event' => 'SetValueKey',
578                   'time_at' => '2008-04-02 21:44:57.63'
579                 }
580               ],
581               'parent_pid' => '1380',
582               'process_files' => [
583                 {
584                   'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
585                   'time_at' => '2008-04-02 21:44:54.79',
586                   'event' => 'Delete'
587                 },
588                 {
589                   'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
590                   'file_content' => {
591                     'sha1' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
592                     'md5' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
593                     'mime_type' => 'UNKNOWN',
594                     'size' => -1
595                   },
596                   'time_at' => '2008-04-02 21:44:54.172',
597                   'event' => 'Write'
598                 }
599               ]
600             },
601             {
602               'regkeys' => [],
603               'pid' => '984',
604               'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
605               'process_files' => [
606                 {
607                   'name' => 'C:\\Documents and Settings\\Administrator\\SendTo',
608                   'file_content' => {
609                     'sha1' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
610                     'md5' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
611                     'mime_type' => 'UNKNOWN',
612                     'size' => -1
613                   },
614                   'time_at' => '2008-04-02 21:44:42.766',
615                   'event' => 'Write'
616                 },
617                 {
618                   'name' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data',
619                   'file_content' => {
620                     'sha1' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
621                     'md5' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
622                     'mime_type' => 'UNKNOWN',
623                     'size' => -1
624                   },
625                   'time_at' => '2008-04-02 21:44:42.782',
626                   'event' => 'Write'
627                 }
628               ]
629             },
630             {
631               'regkeys' => [
632                 {
633                   'value_type' => 'REG_EXPAND_SZ',
634                   'value_name' => 'CachePath',
635                   'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
636                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
637                   'event' => 'SetValueKey',
638                   'time_at' => '2008-04-02 21:44:54.376'
639                 },
640                 {
641                   'value_type' => 'REG_SZ',
642                   'value_name' => 'CachePrefix',
643                   'value' => ':2008040220080403: ',
644                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
645                   'event' => 'SetValueKey',
646                   'time_at' => '2008-04-02 21:44:54.376'
647                 },
648                 {
649                   'value_type' => 'REG_DWORD',
650                   'value_name' => 'CacheLimit',
651                   'value' => '2000',
652                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
653                   'event' => 'SetValueKey',
654                   'time_at' => '2008-04-02 21:44:54.376'
655                 },
656                 {
657                   'value_type' => 'REG_DWORD',
658                   'value_name' => 'CacheOptions',
659                   'value' => 'b',
660                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
661                   'event' => 'SetValueKey',
662                   'time_at' => '2008-04-02 21:44:54.376'
663                 },
664                 {
665                   'value_type' => 'REG_EXPAND_SZ',
666                   'value_name' => 'CachePath',
667                   'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
668                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
669                   'event' => 'SetValueKey',
670                   'time_at' => '2008-04-02 21:44:54.376'
671                 },
672                 {
673                   'value_type' => 'REG_DWORD',
674                   'value_name' => 'CacheRepair',
675                   'value' => '0',
676                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
677                   'event' => 'SetValueKey',
678                   'time_at' => '2008-04-02 21:44:54.376'
679                 }
680               ],
681               'pid' => '1380',
682               'name' => 'C:\\WINDOWS\\explorer.exe',
683               'process_files' => [
684                 {
685                   'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
686                   'file_content' => {
687                     'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
688                     'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
689                     'mime_type' => 'UNKNOWN',
690                     'size' => -1
691                   },
692                   'time_at' => '2008-04-02 21:44:54.282',
693                   'event' => 'Write'
694                 },
695                 {
696                   'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
697                   'file_content' => {
698                     'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
699                     'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
700                     'mime_type' => 'UNKNOWN',
701                     'size' => -1
702                   },
703                   'time_at' => '2008-04-02 21:44:54.516',
704                   'event' => 'Write'
705                 },
706                 {
707                   'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
708                   'time_at' => '2008-04-02 21:44:54.516',
709                   'event' => 'Delete'
710                 },
711                 {
712                   'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
713                   'file_content' => {
714                     'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
715                     'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
716                     'mime_type' => 'UNKNOWN',
717                     'size' => -1
718                   },
719                   'time_at' => '2008-04-02 21:44:54.547',
720                   'event' => 'Write'
721                 }
722               ]
723             },
724             {
725               'regkeys' => [],
726               'pid' => '4',
727               'name' => 'System',
728               'process_files' => [
729                 {
730                   'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
731                   'file_content' => {
732                     'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
733                     'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
734                     'mime_type' => 'UNKNOWN',
735                     'size' => -1
736                   },
737                   'time_at' => '2008-04-02 21:44:54.579',
738                   'event' => 'Write'
739                 },
740                 {
741                   'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
742                   'file_content' => {
743                     'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
744                     'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
745                     'mime_type' => 'UNKNOWN',
746                     'size' => -1
747                   },
748                   'time_at' => '2008-04-02 21:44:54.579',
749                   'event' => 'Write'
750                 },
751                 {
752                   'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
753                   'file_content' => {
754                     'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
755                     'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
756                     'mime_type' => 'UNKNOWN',
757                     'size' => -1
758                   },
759                   'time_at' => '2008-04-02 21:44:54.579',
760                   'event' => 'Write'
761                 }
762               ]
763             },
764             {
765               'parent_name' => 'C:\\WINDOWS\\explorer.exe',
766               'name' => 'C:\\WINDOWS\\regedit.exe',
767               'created' => '2008-04-02 21:45:07.829',
768               'stopped' => '2008-04-02 21:45:22.344',
769               'pid' => '2648',
770               'regkeys' => [
771                 {
772                   'value_type' => 'REG_SZ',
773                   'value_name' => 'New Value #1',
774                   'value' => '',
775                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
776                   'event' => 'SetValueKey',
777                   'time_at' => '2008-04-02 21:45:15.985'
778                 },
779                 {
780                   'value_type' => 'REG_SZ',
781                   'value_name' => 'foo',
782                   'value' => '',
783                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
784                   'event' => 'SetValueKey',
785                   'time_at' => '2008-04-02 21:45:17.266'
786                 },
787                 {
788                   'value_type' => 'REG_NONE',
789                   'value_name' => 'New Value #1',
790                   'value' => '',
791                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
792                   'event' => 'DeleteValueKey',
793                   'time_at' => '2008-04-02 21:45:17.266'
794                 },
795                 {
796                   'value_type' => 'REG_SZ',
797                   'value_name' => 'foo',
798                   'value' => 'bar',
799                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
800                   'event' => 'SetValueKey',
801                   'time_at' => '2008-04-02 21:45:19.204'
802                 },
803                 {
804                   'value_type' => 'REG_BINARY',
805                   'value_name' => 'View',
806                   'value' => '2c00000001000ffffffffffffffffffffffffffffffff500005c000c43008f200d8000c200078000201001000',
807                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
808                   'event' => 'SetValueKey',
809                   'time_at' => '2008-04-02 21:45:22.344'
810                 },
811                 {
812                   'value_type' => 'REG_DWORD',
813                   'value_name' => 'FindFlags',
814                   'value' => 'e',
815                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
816                   'event' => 'SetValueKey',
817                   'time_at' => '2008-04-02 21:45:22.344'
818                 },
819                 {
820                   'value_type' => 'REG_SZ',
821                   'value_name' => 'LastKey',
822                   'value' => 'My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
823                   'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
824                   'event' => 'SetValueKey',
825                   'time_at' => '2008-04-02 21:45:22.344'
826                 }
827               ],
828               'parent_pid' => '1380',
829               'process_files' => []
830             }
831           ],
832           'time_at' => '2008-04-02 21:44:40.376'
833         };
834
835         # Drive the Agent using IE.
836         $som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE");
837
838         # Decode the base64 result and deserialize it with thaw(). NOTE(review): thaw() is presumably Storable's (import not visible here), and Storable must never be fed data from an untrusted peer; confirm the payload can only come from the Agent daemon this test drives.
839         $changes = thaw(decode_base64($som->result()));
840    
841         # Check to see if the drive operation completed properly: a true result carrying 'status', 'time_at' and 'fingerprint' keys.
842         ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
843         ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
844         ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
845         ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
846
847         # Check that os_processes is not empty. The array dereference dies under 'use strict' if fingerprint->{os_processes} is undefined.
848         ok(scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
849
850         # Check that fingerprint matches. NOTE(review): Test::More's is_deeply() takes ($got, $expected, $name); the arguments below are in the opposite order, so a failure report labels the two sides the wrong way round.
851         is_deeply($expectedFingerprint, $changes->{'fingerprint'}, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
852
853         # Delete the mock realtime_changes_file. NOTE(review): not reached if a statement above dies, which would leave the mock file behind; unlink()'s return value is also unchecked.
854         unlink($realtime_changes_file);
855     };
856
857     # Kill the child daemon, if it still exists.
858     HoneyClient::Agent->destroy();
859
860     # Report any failure found. NOTE(review): $@ is read only after destroy() has run; if destroy() itself uses eval it can reset $@ and hide the failure -- consider copying $@ into a lexical immediately after the preceding block (presumably an eval) closes.
861     if ($@) {
862         fail($@);
863     }
864 }
865 }
866
867
868
869 # =begin testing
870 {
871 # Check to make sure we're in a suitable environment.