Navigation

← Previous Changeset
Next Changeset →

Changeset 1431

Timestamp:

04/02/08 22:26:01 (4 months ago)

Author:

kindlund

Message:

Updated Agent unit tests.

Files:

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

honeyclient/branches/exp/kindlund-simpler_agent/etc/honeyclient.xml

r1420	r1431
163	163	/tmp/realtime-changes.txt
164	164	</realtime_changes_file>
	165	<!-- HoneyClient::Agent::Integrity::Test Options -->
	166	<Test>
	167	<!--
	168	Note: you should never need to change any values
	169	within this section of the configuration. All contents
	170	are only used for unit testing.
	171	-->
	172	<realtime_changes_file description="When an integrity check fails, all changes will be written to this file within the compromized honeyclient VM's filesystem." default="/tmp/realtime-changes.txt">
	173	t/test_integrity/realtime-changes.txt
	174	</realtime_changes_file>
	175	</Test>
165	176	</Integrity>
166	177	</Agent>

honeyclient/branches/exp/kindlund-simpler_agent/lib/HoneyClient/Agent.pm

r1430	r1431
520	520	=back
521	521
522		~~# XXX: Verify this.~~
523
524	522	I<Inputs>:
525	523	B<$driverName> is the name of the Driver to use, when running this
…	…
531	529	an Integrity check.
532	530
533		~~# XXX: Describe this hashtable output.~~
534
535	531	I<Output>:
	532	A hashtable containing the following information:
	533
	534	{
	535	# Status information about the Win32::Job.
	536	'status' => {
	537	# The PID of the job, when it was ran.
	538	'21252' => {
	539	# How much time the job consumed...
	540	'time' => {
	541	# ... in kernel space.
	542	'kernel' => '0.801152',
	543	# ... in user space.
	544	'user' => '0.3304752',
	545	# ... total elapsed.
	546	'elapsed' => '20.1489728'
	547	},
	548	'exitcode' => '293'
	549	}
	550	},
	551	# Any fingerprint information, if the job caused
	552	# an integrity check failure.
	553	'fingerprint' => {
	554	'os_processes' => []
	555	},
	556	# Time inside VM when job was executed.
	557	'time_at' => '2008-04-02 22:17:00.889667987'
	558	};
536	559
537	560	=back
…	…
542	565	use Config;
543	566	SKIP: {
544		# TODO: Update number!
545		skip 'HoneyClient::Agent only works in Cygwin environment.', 5 if ($Config{osname} !~ /^cygwin$/);
	567	skip 'HoneyClient::Agent only works in Cygwin environment.', 11 if ($Config{osname} !~ /^cygwin$/);
546	568
547	569	# Shared test variables.
…	…
561	583	my $realtime_changes_file = getVar(name => 'realtime_changes_file',
562	584	namespace => 'HoneyClient::Agent::Integrity');
	585	unlink($realtime_changes_file);
563	586	open(REALTIME_CHANGES_FILE, ">", $realtime_changes_file);
564	587	close(REALTIME_CHANGES_FILE);
…	…
572	595	my $changes = $som->result();
573	596
574		# XXX: Remove this.
575		use Data::Dumper;
576		diag(Dumper($changes));
	597	# Check to see if the drive operation completed properly.
	598	ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	599	ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	600	ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	601	ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	602
	603	# Check that os_processes is empty.
	604	ok(!scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	605
	606	diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and artificial changes...");
	607
	608	my $test_realtime_changes_file = getVar(name => 'realtime_changes_file',
	609	namespace => 'HoneyClient::Agent::Integrity::Test');
	610
	611	system("cp " . $test_realtime_changes_file . " " . $realtime_changes_file);
	612
	613	my $expectedFingerprint = {
	614	'os_processes' => [
	615	{
	616	'parent_name' => 'C:\\WINDOWS\\explorer.exe',
	617	'name' => 'C:\\WINDOWS\\system32\\notepad.exe',
	618	'created' => '2008-04-02 21:44:40.376',
	619	'stopped' => '2008-04-02 21:44:57.94',
	620	'pid' => '2496',
	621	'regkeys' => [
	622	{
	623	'value_type' => 'REG_SZ',
	624	'value_name' => 'Recent',
	625	'value' => 'C:\\Documents and Settings\\Administrator\\Recent',
	626	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	627	'event' => 'SetValueKey',
	628	'time_at' => '2008-04-02 21:44:48.985'
	629	},
	630	{
	631	'value_type' => 'REG_SZ',
	632	'value_name' => 'BaseClass',
	633	'value' => 'Drive',
	634	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda13-8b6f-11d7-9c24-806d6172696f}',
	635	'event' => 'SetValueKey',
	636	'time_at' => '2008-04-02 21:44:49.32'
	637	},
	638	{
	639	'value_type' => 'REG_SZ',
	640	'value_name' => 'BaseClass',
	641	'value' => 'Drive',
	642	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{1bdee3a6-fbab-11dc-9af4-806d6172696f}',
	643	'event' => 'SetValueKey',
	644	'time_at' => '2008-04-02 21:44:49.32'
	645	},
	646	{
	647	'value_type' => 'REG_SZ',
	648	'value_name' => 'BaseClass',
	649	'value' => 'Drive',
	650	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda11-8b6f-11d7-9c24-806d6172696f}',
	651	'event' => 'SetValueKey',
	652	'time_at' => '2008-04-02 21:44:49.32'
	653	},
	654	{
	655	'value_type' => 'REG_SZ',
	656	'value_name' => 'BaseClass',
	657	'value' => 'Drive',
	658	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{86efd67e-0a06-11dc-97a7-806d6172696f}',
	659	'event' => 'SetValueKey',
	660	'time_at' => '2008-04-02 21:44:49.32'
	661	},
	662	{
	663	'value_type' => 'REG_SZ',
	664	'value_name' => 'Personal',
	665	'value' => 'C:\\Documents and Settings\\Administrator\\My Documents',
	666	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	667	'event' => 'SetValueKey',
	668	'time_at' => '2008-04-02 21:44:49.329'
	669	},
	670	{
	671	'value_type' => 'REG_SZ',
	672	'value_name' => 'Common Documents',
	673	'value' => 'C:\\Documents and Settings\\All Users\\Documents',
	674	'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	675	'event' => 'SetValueKey',
	676	'time_at' => '2008-04-02 21:44:49.329'
	677	},
	678	{
	679	'value_type' => 'REG_SZ',
	680	'value_name' => 'Desktop',
	681	'value' => 'C:\\Documents and Settings\\Administrator\\Desktop',
	682	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	683	'event' => 'SetValueKey',
	684	'time_at' => '2008-04-02 21:44:49.344'
	685	},
	686	{
	687	'value_type' => 'REG_SZ',
	688	'value_name' => 'Common Desktop',
	689	'value' => 'C:\\Documents and Settings\\All Users\\Desktop',
	690	'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	691	'event' => 'SetValueKey',
	692	'time_at' => '2008-04-02 21:44:49.344'
	693	},
	694	{
	695	'value_type' => 'REG_SZ',
	696	'value_name' => 'Favorites',
	697	'value' => 'C:\\Documents and Settings\\Administrator\\Favorites',
	698	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	699	'event' => 'SetValueKey',
	700	'time_at' => '2008-04-02 21:44:49.797'
	701	},
	702	{
	703	'value_type' => 'REG_BINARY',
	704	'value_name' => 'b',
	705	'value' => '6e06f07406507006106402e0650780650004303a05c06307906707706906e05c06806f06d06505c04106406d06906e06907307407206107406f07205c07407207506e06b02d07207705c04306107007407507206503205c06306107007407507206502d06306c06906506e07402d07806506e06f02d06d06f06405c06906e07307406106c06c000',
	706	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
	707	'event' => 'SetValueKey',
	708	'time_at' => '2008-04-02 21:44:54.79'
	709	},
	710	{
	711	'value_type' => 'REG_SZ',
	712	'value_name' => 'MRUList',
	713	'value' => 'bac',
	714	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
	715	'event' => 'SetValueKey',
	716	'time_at' => '2008-04-02 21:44:54.79'
	717	},
	718	{
	719	'value_type' => 'REG_SZ',
	720	'value_name' => 'a',
	721	'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	722	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
	723	'event' => 'SetValueKey',
	724	'time_at' => '2008-04-02 21:44:54.94'
	725	},
	726	{
	727	'value_type' => 'REG_SZ',
	728	'value_name' => 'MRUList',
	729	'value' => 'a',
	730	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
	731	'event' => 'SetValueKey',
	732	'time_at' => '2008-04-02 21:44:54.94'
	733	},
	734	{
	735	'value_type' => 'REG_SZ',
	736	'value_name' => 'e',
	737	'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	738	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
	739	'event' => 'SetValueKey',
	740	'time_at' => '2008-04-02 21:44:54.94'
	741	},
	742	{
	743	'value_type' => 'REG_SZ',
	744	'value_name' => 'MRUList',
	745	'value' => 'edcbjihagf',
	746	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
	747	'event' => 'SetValueKey',
	748	'time_at' => '2008-04-02 21:44:54.94'
	749	},
	750	{
	751	'value_type' => 'REG_DWORD',
	752	'value_name' => 'lfEscapement',
	753	'value' => '0',
	754	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	755	'event' => 'SetValueKey',
	756	'time_at' => '2008-04-02 21:44:57.63'
	757	},
	758	{
	759	'value_type' => 'REG_DWORD',
	760	'value_name' => 'lfOrientation',
	761	'value' => '0',
	762	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	763	'event' => 'SetValueKey',
	764	'time_at' => '2008-04-02 21:44:57.63'
	765	},
	766	{
	767	'value_type' => 'REG_DWORD',
	768	'value_name' => 'lfWeight',
	769	'value' => '190',
	770	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	771	'event' => 'SetValueKey',
	772	'time_at' => '2008-04-02 21:44:57.63'
	773	},
	774	{
	775	'value_type' => 'REG_DWORD',
	776	'value_name' => 'lfItalic',
	777	'value' => '0',
	778	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	779	'event' => 'SetValueKey',
	780	'time_at' => '2008-04-02 21:44:57.63'
	781	},
	782	{
	783	'value_type' => 'REG_DWORD',
	784	'value_name' => 'lfUnderline',
	785	'value' => '0',
	786	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	787	'event' => 'SetValueKey',
	788	'time_at' => '2008-04-02 21:44:57.63'
	789	},
	790	{
	791	'value_type' => 'REG_DWORD',
	792	'value_name' => 'lfStrikeOut',
	793	'value' => '0',
	794	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	795	'event' => 'SetValueKey',
	796	'time_at' => '2008-04-02 21:44:57.63'
	797	},
	798	{
	799	'value_type' => 'REG_DWORD',
	800	'value_name' => 'lfCharSet',
	801	'value' => '0',
	802	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	803	'event' => 'SetValueKey',
	804	'time_at' => '2008-04-02 21:44:57.63'
	805	},
	806	{
	807	'value_type' => 'REG_DWORD',
	808	'value_name' => 'lfOutPrecision',
	809	'value' => '3',
	810	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	811	'event' => 'SetValueKey',
	812	'time_at' => '2008-04-02 21:44:57.63'
	813	},
	814	{
	815	'value_type' => 'REG_DWORD',
	816	'value_name' => 'lfClipPrecision',
	817	'value' => '2',
	818	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	819	'event' => 'SetValueKey',
	820	'time_at' => '2008-04-02 21:44:57.63'
	821	},
	822	{
	823	'value_type' => 'REG_DWORD',
	824	'value_name' => 'lfQuality',
	825	'value' => '1',
	826	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	827	'event' => 'SetValueKey',
	828	'time_at' => '2008-04-02 21:44:57.63'
	829	},
	830	{
	831	'value_type' => 'REG_DWORD',
	832	'value_name' => 'lfPitchAndFamily',
	833	'value' => '31',
	834	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	835	'event' => 'SetValueKey',
	836	'time_at' => '2008-04-02 21:44:57.63'
	837	},
	838	{
	839	'value_type' => 'REG_DWORD',
	840	'value_name' => 'iPointSize',
	841	'value' => '8c',
	842	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	843	'event' => 'SetValueKey',
	844	'time_at' => '2008-04-02 21:44:57.63'
	845	},
	846	{
	847	'value_type' => 'REG_DWORD',
	848	'value_name' => 'fWrap',
	849	'value' => '0',
	850	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	851	'event' => 'SetValueKey',
	852	'time_at' => '2008-04-02 21:44:57.63'
	853	},
	854	{
	855	'value_type' => 'REG_DWORD',
	856	'value_name' => 'StatusBar',
	857	'value' => '0',
	858	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	859	'event' => 'SetValueKey',
	860	'time_at' => '2008-04-02 21:44:57.63'
	861	},
	862	{
	863	'value_type' => 'REG_DWORD',
	864	'value_name' => 'fSaveWindowPositions',
	865	'value' => '0',
	866	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	867	'event' => 'SetValueKey',
	868	'time_at' => '2008-04-02 21:44:57.63'
	869	},
	870	{
	871	'value_type' => 'REG_SZ',
	872	'value_name' => 'lfFaceName',
	873	'value' => 'Lucida Console',
	874	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	875	'event' => 'SetValueKey',
	876	'time_at' => '2008-04-02 21:44:57.63'
	877	},
	878	{
	879	'value_type' => 'REG_SZ',
	880	'value_name' => 'szHeader',
	881	'value' => '&f',
	882	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	883	'event' => 'SetValueKey',
	884	'time_at' => '2008-04-02 21:44:57.63'
	885	},
	886	{
	887	'value_type' => 'REG_SZ',
	888	'value_name' => 'szTrailer',
	889	'value' => 'Page &p',
	890	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	891	'event' => 'SetValueKey',
	892	'time_at' => '2008-04-02 21:44:57.63'
	893	},
	894	{
	895	'value_type' => 'REG_DWORD',
	896	'value_name' => 'iMarginTop',
	897	'value' => '3e8',
	898	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	899	'event' => 'SetValueKey',
	900	'time_at' => '2008-04-02 21:44:57.63'
	901	},
	902	{
	903	'value_type' => 'REG_DWORD',
	904	'value_name' => 'iMarginBottom',
	905	'value' => '3e8',
	906	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	907	'event' => 'SetValueKey',
	908	'time_at' => '2008-04-02 21:44:57.63'
	909	},
	910	{
	911	'value_type' => 'REG_DWORD',
	912	'value_name' => 'iMarginLeft',
	913	'value' => '2ee',
	914	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	915	'event' => 'SetValueKey',
	916	'time_at' => '2008-04-02 21:44:57.63'
	917	},
	918	{
	919	'value_type' => 'REG_DWORD',
	920	'value_name' => 'iMarginRight',
	921	'value' => '2ee',
	922	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	923	'event' => 'SetValueKey',
	924	'time_at' => '2008-04-02 21:44:57.63'
	925	},
	926	{
	927	'value_type' => 'REG_DWORD',
	928	'value_name' => 'fMLE_is_broken',
	929	'value' => '0',
	930	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	931	'event' => 'SetValueKey',
	932	'time_at' => '2008-04-02 21:44:57.63'
	933	},
	934	{
	935	'value_type' => 'REG_DWORD',
	936	'value_name' => 'iWindowPosX',
	937	'value' => 'fffffff9',
	938	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	939	'event' => 'SetValueKey',
	940	'time_at' => '2008-04-02 21:44:57.63'
	941	},
	942	{
	943	'value_type' => 'REG_DWORD',
	944	'value_name' => 'iWindowPosY',
	945	'value' => '38',
	946	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	947	'event' => 'SetValueKey',
	948	'time_at' => '2008-04-02 21:44:57.63'
	949	},
	950	{
	951	'value_type' => 'REG_DWORD',
	952	'value_name' => 'iWindowPosDX',
	953	'value' => '40c',
	954	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	955	'event' => 'SetValueKey',
	956	'time_at' => '2008-04-02 21:44:57.63'
	957	},
	958	{
	959	'value_type' => 'REG_DWORD',
	960	'value_name' => 'iWindowPosDY',
	961	'value' => '299',
	962	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	963	'event' => 'SetValueKey',
	964	'time_at' => '2008-04-02 21:44:57.63'
	965	}
	966	],
	967	'parent_pid' => '1380',
	968	'process_files' => [
	969	{
	970	'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	971	'time_at' => '2008-04-02 21:44:54.79',
	972	'event' => 'Delete'
	973	},
	974	{
	975	'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	976	'file_content' => {
	977	'sha1' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
	978	'md5' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
	979	'mime_type' => 'UNKNOWN',
	980	'size' => -1
	981	},
	982	'time_at' => '2008-04-02 21:44:54.172',
	983	'event' => 'Write'
	984	}
	985	]
	986	},
	987	{
	988	'regkeys' => [],
	989	'pid' => '984',
	990	'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
	991	'process_files' => [
	992	{
	993	'name' => 'C:\\Documents and Settings\\Administrator\\SendTo',
	994	'file_content' => {
	995	'sha1' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
	996	'md5' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
	997	'mime_type' => 'UNKNOWN',
	998	'size' => -1
	999	},
	1000	'time_at' => '2008-04-02 21:44:42.766',
	1001	'event' => 'Write'
	1002	},
	1003	{
	1004	'name' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data',
	1005	'file_content' => {
	1006	'sha1' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
	1007	'md5' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
	1008	'mime_type' => 'UNKNOWN',
	1009	'size' => -1
	1010	},
	1011	'time_at' => '2008-04-02 21:44:42.782',
	1012	'event' => 'Write'
	1013	}
	1014	]
	1015	},
	1016	{
	1017	'regkeys' => [
	1018	{
	1019	'value_type' => 'REG_EXPAND_SZ',
	1020	'value_name' => 'CachePath',
	1021	'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
	1022	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1023	'event' => 'SetValueKey',
	1024	'time_at' => '2008-04-02 21:44:54.376'
	1025	},
	1026	{
	1027	'value_type' => 'REG_SZ',
	1028	'value_name' => 'CachePrefix',
	1029	'value' => ':2008040220080403: ',
	1030	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1031	'event' => 'SetValueKey',
	1032	'time_at' => '2008-04-02 21:44:54.376'
	1033	},
	1034	{
	1035	'value_type' => 'REG_DWORD',
	1036	'value_name' => 'CacheLimit',
	1037	'value' => '2000',
	1038	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1039	'event' => 'SetValueKey',
	1040	'time_at' => '2008-04-02 21:44:54.376'
	1041	},
	1042	{
	1043	'value_type' => 'REG_DWORD',
	1044	'value_name' => 'CacheOptions',
	1045	'value' => 'b',
	1046	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1047	'event' => 'SetValueKey',
	1048	'time_at' => '2008-04-02 21:44:54.376'
	1049	},
	1050	{
	1051	'value_type' => 'REG_EXPAND_SZ',
	1052	'value_name' => 'CachePath',
	1053	'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
	1054	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1055	'event' => 'SetValueKey',
	1056	'time_at' => '2008-04-02 21:44:54.376'
	1057	},
	1058	{
	1059	'value_type' => 'REG_DWORD',
	1060	'value_name' => 'CacheRepair',
	1061	'value' => '0',
	1062	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	1063	'event' => 'SetValueKey',
	1064	'time_at' => '2008-04-02 21:44:54.376'
	1065	}
	1066	],
	1067	'pid' => '1380',
	1068	'name' => 'C:\\WINDOWS\\explorer.exe',
	1069	'process_files' => [
	1070	{
	1071	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
	1072	'file_content' => {
	1073	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
	1074	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
	1075	'mime_type' => 'UNKNOWN',
	1076	'size' => -1
	1077	},
	1078	'time_at' => '2008-04-02 21:44:54.282',
	1079	'event' => 'Write'
	1080	},
	1081	{
	1082	'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	1083	'file_content' => {
	1084	'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
	1085	'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
	1086	'mime_type' => 'UNKNOWN',
	1087	'size' => -1
	1088	},
	1089	'time_at' => '2008-04-02 21:44:54.516',
	1090	'event' => 'Write'
	1091	},
	1092	{
	1093	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	1094	'time_at' => '2008-04-02 21:44:54.516',
	1095	'event' => 'Delete'
	1096	},
	1097	{
	1098	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	1099	'file_content' => {
	1100	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
	1101	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
	1102	'mime_type' => 'UNKNOWN',
	1103	'size' => -1
	1104	},
	1105	'time_at' => '2008-04-02 21:44:54.547',
	1106	'event' => 'Write'
	1107	}
	1108	]
	1109	},
	1110	{
	1111	'regkeys' => [],
	1112	'pid' => '4',
	1113	'name' => 'System',
	1114	'process_files' => [
	1115	{
	1116	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
	1117	'file_content' => {
	1118	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
	1119	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
	1120	'mime_type' => 'UNKNOWN',
	1121	'size' => -1
	1122	},
	1123	'time_at' => '2008-04-02 21:44:54.579',
	1124	'event' => 'Write'
	1125	},
	1126	{
	1127	'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	1128	'file_content' => {
	1129	'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	1130	'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	1131	'mime_type' => 'UNKNOWN',
	1132	'size' => -1
	1133	},
	1134	'time_at' => '2008-04-02 21:44:54.579',
	1135	'event' => 'Write'
	1136	},
	1137	{
	1138	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	1139	'file_content' => {
	1140	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	1141	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	1142	'mime_type' => 'UNKNOWN',
	1143	'size' => -1
	1144	},
	1145	'time_at' => '2008-04-02 21:44:54.579',
	1146	'event' => 'Write'
	1147	}
	1148	]
	1149	},
	1150	{
	1151	'parent_name' => 'C:\\WINDOWS\\explorer.exe',
	1152	'name' => 'C:\\WINDOWS\\regedit.exe',
	1153	'created' => '2008-04-02 21:45:07.829',
	1154	'stopped' => '2008-04-02 21:45:22.344',
	1155	'pid' => '2648',
	1156	'regkeys' => [
	1157	{
	1158	'value_type' => 'REG_SZ',
	1159	'value_name' => 'New Value #1',
	1160	'value' => '',
	1161	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	1162	'event' => 'SetValueKey',
	1163	'time_at' => '2008-04-02 21:45:15.985'
	1164	},
	1165	{
	1166	'value_type' => 'REG_SZ',
	1167	'value_name' => 'foo',
	1168	'value' => '',
	1169	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	1170	'event' => 'SetValueKey',
	1171	'time_at' => '2008-04-02 21:45:17.266'
	1172	},
	1173	{
	1174	'value_type' => 'REG_NONE',
	1175	'value_name' => 'New Value #1',
	1176	'value' => '',
	1177	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	1178	'event' => 'DeleteValueKey',
	1179	'time_at' => '2008-04-02 21:45:17.266'
	1180	},
	1181	{
	1182	'value_type' => 'REG_SZ',
	1183	'value_name' => 'foo',
	1184	'value' => 'bar',
	1185	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	1186	'event' => 'SetValueKey',
	1187	'time_at' => '2008-04-02 21:45:19.204'
	1188	},
	1189	{
	1190	'value_type' => 'REG_BINARY',
	1191	'value_name' => 'View',
	1192	'value' => '2c00000001000ffffffffffffffffffffffffffffffff500005c000c43008f200d8000c200078000201001000',
	1193	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
	1194	'event' => 'SetValueKey',
	1195	'time_at' => '2008-04-02 21:45:22.344'
	1196	},
	1197	{
	1198	'value_type' => 'REG_DWORD',
	1199	'value_name' => 'FindFlags',
	1200	'value' => 'e',
	1201	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
	1202	'event' => 'SetValueKey',
	1203	'time_at' => '2008-04-02 21:45:22.344'
	1204	},
	1205	{
	1206	'value_type' => 'REG_SZ',
	1207	'value_name' => 'LastKey',
	1208	'value' => 'My Computer\\HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	1209	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Applets\\Regedit',
	1210	'event' => 'SetValueKey',
	1211	'time_at' => '2008-04-02 21:45:22.344'
	1212	}
	1213	],
	1214	'parent_pid' => '1380',
	1215	'process_files' => []
	1216	}
	1217	],
	1218	'time_at' => '2008-04-02 21:44:40.376'
	1219	};
	1220
	1221	# Drive the Agent using IE.
	1222	$som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE");
	1223
	1224	# Verify changes.
	1225	$changes = $som->result();
577	1226
578	1227	# Check to see if the drive operation completed properly.
579	1228	ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
580	1229	ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
581		ok(exists($changes->{'~~driven~~_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	1230	ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
582	1231	ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
583	1232
584		# Check that os_processes is empty.
585		ok(!scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
586
587		diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and artificial changes...");
588
589		# Drive the Agent using IE.
590		$som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE");
591
592		# Verify changes.
593		$changes = $som->result();
594
595		# XXX: Remove this.
596		use Data::Dumper;
597		diag(Dumper($changes));
598
599		# Check to see if the drive operation completed properly.
600		ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
601		ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
602		ok(exists($changes->{'driven_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
603		ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
604
605		# Check that os_processes is empty.
	1233	# Check that os_processes is not empty.
606	1234	ok(scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	1235
	1236	# Check that fingerprint matches.
	1237	is_deeply($expectedFingerprint, $changes->{'fingerprint'}, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
607	1238
608	1239	# Delete the mock realtime_changes_file.
…	…
673	1304	my $ret = {
674	1305	# Time when application was driven.
675		'~~driven~~_at' => _getTimestamp(),
	1306	'time_at' => _getTimestamp(),
676	1307
677	1308	# Fingerprint information found (if any).

honeyclient/branches/exp/kindlund-simpler_agent/lib/HoneyClient/Agent/Integrity.pm

r1419	r1431
609	609
610	610	my @toks = split("\",\"", $line, $TOTAL_REG_TOKENS+1);
611		print "toks = @toks\n";
	611	#print "toks = @toks\n";
612	612	my $index = undef;
613	613	my $proc_obj = undef;
…	…
771	771	$Data::Dumper::Indent = 1;
772	772	print CHANGE_FILE Dumper(\%changes);
773		print Dumper(\%changes);
	773	#print Dumper(\%changes);
774	774	close CHANGE_FILE;
775	775	}

honeyclient/branches/exp/kindlund-simpler_agent/t/honeyclient_agent.t

r1429	r1431
171	171	use Config;
172	172	SKIP: {
173		skip 'HoneyClient::Agent only works in Cygwin environment.', 5 if ($Config{osname} !~ /^cygwin$/);
	173	skip 'HoneyClient::Agent only works in Cygwin environment.', 11 if ($Config{osname} !~ /^cygwin$/);
174	174
175	175	# Shared test variables.
…	…
189	189	my $realtime_changes_file = getVar(name => 'realtime_changes_file',
190	190	namespace => 'HoneyClient::Agent::Integrity');
	191	unlink($realtime_changes_file);
191	192	open(REALTIME_CHANGES_FILE, ">", $realtime_changes_file);
192	193	close(REALTIME_CHANGES_FILE);
…	…
200	201	my $changes = $som->result();
201	202
202		# XXX: Remove this.
203		use Data::Dumper;
204		diag(Dumper($changes));
	203	# Check to see if the drive operation completed properly.
	204	ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	205	ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	206	ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call fa