Navigation

← Previous Change
Next Change →

Changeset 1499 for honeyclient/trunk/t

Timestamp:

04/09/08 15:47:11 (4 months ago)

Author:

kindlund

Message:

Merging simpler_agent branch into trunk.

Files:

honeyclient/trunk/t/honeyclient_agent.t (modified) (5 diffs)
honeyclient/trunk/t/honeyclient_agent_driver.t (deleted)
honeyclient/trunk/t/honeyclient_agent_driver_activecontent.t (deleted)
honeyclient/trunk/t/honeyclient_agent_driver_activecontent_flash.t (deleted)
honeyclient/trunk/t/honeyclient_agent_driver_browser.t (deleted)
honeyclient/trunk/t/honeyclient_agent_driver_browser_ff.t (deleted)
honeyclient/trunk/t/honeyclient_agent_driver_browser_ie.t (deleted)
honeyclient/trunk/t/honeyclient_manager.t (modified) (3 diffs)
honeyclient/trunk/t/honeyclient_manager_database.t (modified) (1 diff)
honeyclient/trunk/t/honeyclient_manager_vm.t (modified) (20 diffs)
honeyclient/trunk/t/honeyclient_manager_vm_clone.t (modified) (9 diffs)
honeyclient/trunk/t/test_integrity (copied) (copied from honeyclient/branches/exp/kindlund-simpler_agent/t/test_integrity)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

honeyclient/trunk/t/honeyclient_agent.t

r751	r1499
9	9	# =begin testing
10	10	{
	11	# Make sure Log::Log4perl loads
	12	BEGIN { use_ok('Log::Log4perl', qw(:nowarn))
	13	or diag("Can't load Log::Log4perl package. Check to make sure the package library is correctly listed within the path.");
	14
	15	# Suppress all logging messages, since we need clean output for unit testing.
	16	Log::Log4perl->init({
	17	"log4perl.rootLogger" => "DEBUG, Buffer",
	18	"log4perl.appender.Buffer" => "Log::Log4perl::Appender::TestBuffer",
	19	"log4perl.appender.Buffer.min_level" => "fatal",
	20	"log4perl.appender.Buffer.layout" => "Log::Log4perl::Layout::PatternLayout",
	21	"log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
	22	});
	23	}
	24	require_ok('Log::Log4perl');
	25	use Log::Log4perl qw(:easy);
	26
	27	# Make sure HoneyClient::Util::Config loads.
	28	BEGIN { use_ok('HoneyClient::Util::Config', qw(getVar))
	29	or diag("Can't load HoneyClient::Util::Config package. Check to make sure the package library is correctly listed within the path.");
	30
	31	# Suppress all logging messages, since we need clean output for unit testing.
	32	Log::Log4perl->init({
	33	"log4perl.rootLogger" => "DEBUG, Buffer",
	34	"log4perl.appender.Buffer" => "Log::Log4perl::Appender::TestBuffer",
	35	"log4perl.appender.Buffer.min_level" => "fatal",
	36	"log4perl.appender.Buffer.layout" => "Log::Log4perl::Layout::PatternLayout",
	37	"log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
	38	});
	39	}
	40	require_ok('HoneyClient::Util::Config');
	41	can_ok('HoneyClient::Util::Config', 'getVar');
	42	use HoneyClient::Util::Config qw(getVar);
	43
	44	# Suppress all logging messages, since we need clean output for unit testing.
	45	Log::Log4perl->init({
	46	"log4perl.rootLogger" => "DEBUG, Buffer",
	47	"log4perl.appender.Buffer" => "Log::Log4perl::Appender::TestBuffer",
	48	"log4perl.appender.Buffer.min_level" => "fatal",
	49	"log4perl.appender.Buffer.layout" => "Log::Log4perl::Layout::PatternLayout",
	50	"log4perl.appender.Buffer.layout.ConversionPattern" => "%d{yyyy-MM-dd HH:mm:ss} %5p [%M] (%F:%L) - %m%n",
	51	});
	52
11	53	# Make sure the module loads properly, with the exportable
12	54	# functions shared.
13		BEGIN { use_ok('HoneyClient::Agent') or diag("Can't load HoneyClient::Agent package. Check to make sure the package library is correctly listed within the path."); }
14		require_ok('HoneyClient::Agent');
15		can_ok('HoneyClient::Agent', 'init');
16		can_ok('HoneyClient::Agent', 'destroy');
17		use HoneyClient::Agent;
	55	BEGIN {
	56	# Check to make sure we're in a suitable environment.
	57	use Config;
	58	SKIP: {
	59	skip 'HoneyClient::Agent only works in Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
	60
	61	use_ok('HoneyClient::Agent') or diag("Can't load HoneyClient::Agent package. Check to make sure the package library is correctly listed within the path.");
	62	}
	63	}
	64
	65	# Check to make sure we're in a suitable environment.
	66	use Config;
	67	SKIP: {
	68	skip 'HoneyClient::Agent only works in Cygwin environment.', 3 if ($Config{osname} !~ /^cygwin$/);
	69
	70	require_ok('HoneyClient::Agent');
	71	can_ok('HoneyClient::Agent', 'init');
	72	can_ok('HoneyClient::Agent', 'destroy');
	73	if ($Config{osname} =~ /^cygwin$/) {
	74	require HoneyClient::Agent;
	75	}
	76	}
18	77
19	78	# Make sure HoneyClient::Util::SOAP loads.
…	…
24	83	use HoneyClient::Util::SOAP qw(getServerHandle getClientHandle);
25	84
26		# Make sure HoneyClient::Util::Config loads.
27		BEGIN { use_ok('HoneyClient::Util::Config', qw(getVar)) or diag("Can't load HoneyClient::Util::Config package. Check to make sure the package library is correctly listed within the path."); }
28		require_ok('HoneyClient::Util::Config');
29		can_ok('HoneyClient::Util::Config', 'getVar');
30		use HoneyClient::Util::Config qw(getVar);
31
32		# TODO: Include FF
33		# Make sure HoneyClient::Agent::Driver::Browser::IE loads.
34		BEGIN { use_ok('HoneyClient::Agent::Driver::Browser::IE') or diag("Can't load HoneyClient::Agent::Driver::Browser::IE package. Check to make sure the package library is correctly listed within the path."); }
35		require_ok('HoneyClient::Agent::Driver::Browser::IE');
36		# TODO: Update this list of function names.
37		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'new');
38		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'drive');
39		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'getNextLink');
40		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'next');
41		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'isFinished');
42		can_ok('HoneyClient::Agent::Driver::Browser::IE', 'status');
43		use HoneyClient::Agent::Driver::Browser::IE;
	85	# Make sure HoneyClient::Agent::Integrity loads.
	86	BEGIN { use_ok('HoneyClient::Agent::Integrity') or diag("Can't load HoneyClient::Agent::Integrity package. Check to make sure the package library is correctly listed within the path."); }
	87	require_ok('HoneyClient::Agent::Integrity');
	88	use HoneyClient::Agent::Integrity;
44	89
45	90	# Make sure Storable loads.
46		BEGIN { use_ok('Storable', qw(~~freeze nfreeze thaw dclone~~)) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); }
	91	BEGIN { use_ok('Storable', qw(nfreeze thaw)) or diag("Can't load Storable package. Check to make sure the package library is correctly listed within the path."); }
47	92	require_ok('Storable');
48		~~can_ok('Storable', 'freeze');~~
49	93	can_ok('Storable', 'nfreeze');
50	94	can_ok('Storable', 'thaw');
51		can_ok('Storable', 'dclone');
52		use Storable qw(freeze nfreeze thaw dclone);
	95	use Storable qw(nfreeze thaw);
53	96
54	97	# Make sure MIME::Base64 loads.
…	…
59	102	use MIME::Base64 qw(encode_base64 decode_base64);
60	103
61		#XXX: Check to see if the port number should be externalized.
	104	# Make sure DateTime::HiRes loads.
	105	BEGIN { use_ok('DateTime::HiRes') or diag("Can't load DateTime::HiRes package. Check to make sure the package library is correctly listed within the path."); }
	106	require_ok('DateTime::HiRes');
	107	use DateTime::HiRes;
	108
	109	# Make sure Data::Dumper loads.
	110	BEGIN { use_ok('Data::Dumper') or diag("Can't load Data::Dumper package. Check to make sure the package library is correctly listed within the path."); }
	111	require_ok('Data::Dumper');
	112	use Data::Dumper;
	113
	114	BEGIN {
	115
	116	# Check to make sure we're in a suitable environment.
	117	use Config;
	118	SKIP: {
	119	skip 'Win32 libraries only work in a Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
	120
	121	# Make sure Win32::Job loads.
	122	use_ok('Win32::Job') or diag("Can't load Win32::Job package. Check to make sure the package library is correctly listed within the path.");
	123	}
	124	}
	125
	126	# Check to make sure we're in a suitable environment.
	127	use Config;
	128	SKIP: {
	129	skip 'Win32 libraries only work in a Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
	130
	131	require_ok('Win32::Job');
	132	if ($Config{osname} =~ /^cygwin$/) {
	133	require Win32::Job;
	134	}
	135	}
	136
62	137	# Global test variables.
63	138	our $PORT = getVar(name => "port",
…	…
70	145	# =begin testing
71	146	{
72		# XXX: Test init() method.
73		our $URL = HoneyClient::Agent->init();
74		our $PORT = getVar(name => "port",
75		namespace => "HoneyClient::Agent");
76		our $HOST = getVar(name => "address",
77		namespace => "HoneyClient::Agent");
78		is($URL, "http://$HOST:$PORT/HoneyClient/Agent", "init()") or diag("Failed to start up the VM SOAP server. Check to see if any other daemon is listening on TCP port $PORT.");
	147	# Check to make sure we're in a suitable environment.
	148	use Config;
	149	SKIP: {
	150	skip 'HoneyClient::Agent only works in Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
	151
	152	our $URL = HoneyClient::Agent->init();
	153	our $PORT = getVar(name => "port",
	154	namespace => "HoneyClient::Agent");
	155	our $HOST = getVar(name => "address",
	156	namespace => "HoneyClient::Agent");
	157	is($URL, "http://$HOST:$PORT/HoneyClient/Agent", "init()") or diag("Failed to start up the VM SOAP server. Check to see if any other daemon is listening on TCP port $PORT.");
	158	}
79	159	}
80	160
…	…
83	163	# =begin testing
84	164	{
85		# XXX: Test destroy() method.
86		is(HoneyClient::Agent->destroy(), 1, "destroy()") or diag("Unable to terminate Agent SOAP server. Be sure to check for any stale or lingering processes.");
87
88		# TODO: delete this.
89		#exit;
	165	# Check to make sure we're in a suitable environment.
	166	use Config;
	167	SKIP: {
	168	skip 'HoneyClient::Agent only works in Cygwin environment.', 1 if ($Config{osname} !~ /^cygwin$/);
	169
	170	is(HoneyClient::Agent->destroy(), 1, "destroy()") or diag("Unable to terminate Agent SOAP server. Be sure to check for any stale or lingering processes.");
	171	}
	172	}
	173
	174
	175
	176	# =begin testing
	177	{
	178	# Check to make sure we're in a suitable environment.
	179	use Config;
	180	SKIP: {
	181	skip 'HoneyClient::Agent only works in Cygwin environment.', 11 if ($Config{osname} !~ /^cygwin$/);
	182
	183	# Shared test variables.
	184	my ($stub, $som, $URL);
	185
	186	# Catch all errors, in order to make sure child processes are
	187	# properly killed.
	188	eval {
	189
	190	$URL = HoneyClient::Agent->init();
	191
	192	# Connect to daemon as a client.
	193	$stub = getClientHandle(namespace => "HoneyClient::Agent",
	194	address => "localhost");
	195
	196	# Make sure the realtime_changes_file exists and is 0 bytes.
	197	my $realtime_changes_file = getVar(name => 'realtime_changes_file',
	198	namespace => 'HoneyClient::Agent::Integrity');
	199	unlink($realtime_changes_file);
	200	open(REALTIME_CHANGES_FILE, ">", $realtime_changes_file);
	201	close(REALTIME_CHANGES_FILE);
	202
	203	diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and no changes...");
	204
	205	# Drive the Agent using IE.
	206	$som = $stub->drive(driver_name => "HoneyClient::Agent::Driver::Browser::IE");
	207
	208	# Verify changes.
	209	my $changes = thaw(decode_base64($som->result()));
	210
	211	# Check to see if the drive operation completed properly.
	212	ok($changes, "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	213	ok(exists($changes->{'status'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	214	ok(exists($changes->{'time_at'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	215	ok(exists($changes->{'fingerprint'}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	216
	217	# Check that os_processes is empty.
	218	ok(!scalar(@{$changes->{'fingerprint'}->{os_processes}}), "drive(driver_name => 'HoneyClient::Agent::Driver::Browser::IE')") or diag("The drive() call failed.");
	219
	220	diag("Driving HoneyClient::Agent::Driver::Browser::IE with no parameters and artificial changes...");
	221
	222	my $test_realtime_changes_file = getVar(name => 'realtime_changes_file',
	223	namespace => 'HoneyClient::Agent::Integrity::Test');
	224
	225	system("cp " . $test_realtime_changes_file . " " . $realtime_changes_file);
	226
	227	my $expectedFingerprint = {
	228	'os_processes' => [
	229	{
	230	'parent_name' => 'C:\\WINDOWS\\explorer.exe',
	231	'name' => 'C:\\WINDOWS\\system32\\notepad.exe',
	232	'created' => '2008-04-02 21:44:40.376',
	233	'stopped' => '2008-04-02 21:44:57.94',
	234	'pid' => '2496',
	235	'regkeys' => [
	236	{
	237	'value_type' => 'REG_SZ',
	238	'value_name' => 'Recent',
	239	'value' => 'C:\\Documents and Settings\\Administrator\\Recent',
	240	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	241	'event' => 'SetValueKey',
	242	'time_at' => '2008-04-02 21:44:48.985'
	243	},
	244	{
	245	'value_type' => 'REG_SZ',
	246	'value_name' => 'BaseClass',
	247	'value' => 'Drive',
	248	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda13-8b6f-11d7-9c24-806d6172696f}',
	249	'event' => 'SetValueKey',
	250	'time_at' => '2008-04-02 21:44:49.32'
	251	},
	252	{
	253	'value_type' => 'REG_SZ',
	254	'value_name' => 'BaseClass',
	255	'value' => 'Drive',
	256	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{1bdee3a6-fbab-11dc-9af4-806d6172696f}',
	257	'event' => 'SetValueKey',
	258	'time_at' => '2008-04-02 21:44:49.32'
	259	},
	260	{
	261	'value_type' => 'REG_SZ',
	262	'value_name' => 'BaseClass',
	263	'value' => 'Drive',
	264	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{259bda11-8b6f-11d7-9c24-806d6172696f}',
	265	'event' => 'SetValueKey',
	266	'time_at' => '2008-04-02 21:44:49.32'
	267	},
	268	{
	269	'value_type' => 'REG_SZ',
	270	'value_name' => 'BaseClass',
	271	'value' => 'Drive',
	272	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\MountPoints2\\{86efd67e-0a06-11dc-97a7-806d6172696f}',
	273	'event' => 'SetValueKey',
	274	'time_at' => '2008-04-02 21:44:49.32'
	275	},
	276	{
	277	'value_type' => 'REG_SZ',
	278	'value_name' => 'Personal',
	279	'value' => 'C:\\Documents and Settings\\Administrator\\My Documents',
	280	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	281	'event' => 'SetValueKey',
	282	'time_at' => '2008-04-02 21:44:49.329'
	283	},
	284	{
	285	'value_type' => 'REG_SZ',
	286	'value_name' => 'Common Documents',
	287	'value' => 'C:\\Documents and Settings\\All Users\\Documents',
	288	'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	289	'event' => 'SetValueKey',
	290	'time_at' => '2008-04-02 21:44:49.329'
	291	},
	292	{
	293	'value_type' => 'REG_SZ',
	294	'value_name' => 'Desktop',
	295	'value' => 'C:\\Documents and Settings\\Administrator\\Desktop',
	296	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	297	'event' => 'SetValueKey',
	298	'time_at' => '2008-04-02 21:44:49.344'
	299	},
	300	{
	301	'value_type' => 'REG_SZ',
	302	'value_name' => 'Common Desktop',
	303	'value' => 'C:\\Documents and Settings\\All Users\\Desktop',
	304	'name' => 'HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	305	'event' => 'SetValueKey',
	306	'time_at' => '2008-04-02 21:44:49.344'
	307	},
	308	{
	309	'value_type' => 'REG_SZ',
	310	'value_name' => 'Favorites',
	311	'value' => 'C:\\Documents and Settings\\Administrator\\Favorites',
	312	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Shell Folders',
	313	'event' => 'SetValueKey',
	314	'time_at' => '2008-04-02 21:44:49.797'
	315	},
	316	{
	317	'value_type' => 'REG_BINARY',
	318	'value_name' => 'b',
	319	'value' => '6e06f07406507006106402e0650780650004303a05c06307906707706906e05c06806f06d06505c04106406d06906e06907307407206107406f07205c07407207506e06b02d07207705c04306107007407507206503205c06306107007407507206502d06306c06906506e07402d07806506e06f02d06d06f06405c06906e07307406106c06c000',
	320	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
	321	'event' => 'SetValueKey',
	322	'time_at' => '2008-04-02 21:44:54.79'
	323	},
	324	{
	325	'value_type' => 'REG_SZ',
	326	'value_name' => 'MRUList',
	327	'value' => 'bac',
	328	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\LastVisitedMRU',
	329	'event' => 'SetValueKey',
	330	'time_at' => '2008-04-02 21:44:54.79'
	331	},
	332	{
	333	'value_type' => 'REG_SZ',
	334	'value_name' => 'a',
	335	'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	336	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
	337	'event' => 'SetValueKey',
	338	'time_at' => '2008-04-02 21:44:54.94'
	339	},
	340	{
	341	'value_type' => 'REG_SZ',
	342	'value_name' => 'MRUList',
	343	'value' => 'a',
	344	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\txt',
	345	'event' => 'SetValueKey',
	346	'time_at' => '2008-04-02 21:44:54.94'
	347	},
	348	{
	349	'value_type' => 'REG_SZ',
	350	'value_name' => 'e',
	351	'value' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	352	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
	353	'event' => 'SetValueKey',
	354	'time_at' => '2008-04-02 21:44:54.94'
	355	},
	356	{
	357	'value_type' => 'REG_SZ',
	358	'value_name' => 'MRUList',
	359	'value' => 'edcbjihagf',
	360	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\ComDlg32\\OpenSaveMRU\\*',
	361	'event' => 'SetValueKey',
	362	'time_at' => '2008-04-02 21:44:54.94'
	363	},
	364	{
	365	'value_type' => 'REG_DWORD',
	366	'value_name' => 'lfEscapement',
	367	'value' => '0',
	368	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	369	'event' => 'SetValueKey',
	370	'time_at' => '2008-04-02 21:44:57.63'
	371	},
	372	{
	373	'value_type' => 'REG_DWORD',
	374	'value_name' => 'lfOrientation',
	375	'value' => '0',
	376	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	377	'event' => 'SetValueKey',
	378	'time_at' => '2008-04-02 21:44:57.63'
	379	},
	380	{
	381	'value_type' => 'REG_DWORD',
	382	'value_name' => 'lfWeight',
	383	'value' => '190',
	384	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	385	'event' => 'SetValueKey',
	386	'time_at' => '2008-04-02 21:44:57.63'
	387	},
	388	{
	389	'value_type' => 'REG_DWORD',
	390	'value_name' => 'lfItalic',
	391	'value' => '0',
	392	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	393	'event' => 'SetValueKey',
	394	'time_at' => '2008-04-02 21:44:57.63'
	395	},
	396	{
	397	'value_type' => 'REG_DWORD',
	398	'value_name' => 'lfUnderline',
	399	'value' => '0',
	400	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	401	'event' => 'SetValueKey',
	402	'time_at' => '2008-04-02 21:44:57.63'
	403	},
	404	{
	405	'value_type' => 'REG_DWORD',
	406	'value_name' => 'lfStrikeOut',
	407	'value' => '0',
	408	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	409	'event' => 'SetValueKey',
	410	'time_at' => '2008-04-02 21:44:57.63'
	411	},
	412	{
	413	'value_type' => 'REG_DWORD',
	414	'value_name' => 'lfCharSet',
	415	'value' => '0',
	416	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	417	'event' => 'SetValueKey',
	418	'time_at' => '2008-04-02 21:44:57.63'
	419	},
	420	{
	421	'value_type' => 'REG_DWORD',
	422	'value_name' => 'lfOutPrecision',
	423	'value' => '3',
	424	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	425	'event' => 'SetValueKey',
	426	'time_at' => '2008-04-02 21:44:57.63'
	427	},
	428	{
	429	'value_type' => 'REG_DWORD',
	430	'value_name' => 'lfClipPrecision',
	431	'value' => '2',
	432	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	433	'event' => 'SetValueKey',
	434	'time_at' => '2008-04-02 21:44:57.63'
	435	},
	436	{
	437	'value_type' => 'REG_DWORD',
	438	'value_name' => 'lfQuality',
	439	'value' => '1',
	440	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	441	'event' => 'SetValueKey',
	442	'time_at' => '2008-04-02 21:44:57.63'
	443	},
	444	{
	445	'value_type' => 'REG_DWORD',
	446	'value_name' => 'lfPitchAndFamily',
	447	'value' => '31',
	448	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	449	'event' => 'SetValueKey',
	450	'time_at' => '2008-04-02 21:44:57.63'
	451	},
	452	{
	453	'value_type' => 'REG_DWORD',
	454	'value_name' => 'iPointSize',
	455	'value' => '8c',
	456	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	457	'event' => 'SetValueKey',
	458	'time_at' => '2008-04-02 21:44:57.63'
	459	},
	460	{
	461	'value_type' => 'REG_DWORD',
	462	'value_name' => 'fWrap',
	463	'value' => '0',
	464	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	465	'event' => 'SetValueKey',
	466	'time_at' => '2008-04-02 21:44:57.63'
	467	},
	468	{
	469	'value_type' => 'REG_DWORD',
	470	'value_name' => 'StatusBar',
	471	'value' => '0',
	472	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	473	'event' => 'SetValueKey',
	474	'time_at' => '2008-04-02 21:44:57.63'
	475	},
	476	{
	477	'value_type' => 'REG_DWORD',
	478	'value_name' => 'fSaveWindowPositions',
	479	'value' => '0',
	480	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	481	'event' => 'SetValueKey',
	482	'time_at' => '2008-04-02 21:44:57.63'
	483	},
	484	{
	485	'value_type' => 'REG_SZ',
	486	'value_name' => 'lfFaceName',
	487	'value' => 'Lucida Console',
	488	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	489	'event' => 'SetValueKey',
	490	'time_at' => '2008-04-02 21:44:57.63'
	491	},
	492	{
	493	'value_type' => 'REG_SZ',
	494	'value_name' => 'szHeader',
	495	'value' => '&f',
	496	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	497	'event' => 'SetValueKey',
	498	'time_at' => '2008-04-02 21:44:57.63'
	499	},
	500	{
	501	'value_type' => 'REG_SZ',
	502	'value_name' => 'szTrailer',
	503	'value' => 'Page &p',
	504	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	505	'event' => 'SetValueKey',
	506	'time_at' => '2008-04-02 21:44:57.63'
	507	},
	508	{
	509	'value_type' => 'REG_DWORD',
	510	'value_name' => 'iMarginTop',
	511	'value' => '3e8',
	512	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	513	'event' => 'SetValueKey',
	514	'time_at' => '2008-04-02 21:44:57.63'
	515	},
	516	{
	517	'value_type' => 'REG_DWORD',
	518	'value_name' => 'iMarginBottom',
	519	'value' => '3e8',
	520	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	521	'event' => 'SetValueKey',
	522	'time_at' => '2008-04-02 21:44:57.63'
	523	},
	524	{
	525	'value_type' => 'REG_DWORD',
	526	'value_name' => 'iMarginLeft',
	527	'value' => '2ee',
	528	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	529	'event' => 'SetValueKey',
	530	'time_at' => '2008-04-02 21:44:57.63'
	531	},
	532	{
	533	'value_type' => 'REG_DWORD',
	534	'value_name' => 'iMarginRight',
	535	'value' => '2ee',
	536	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	537	'event' => 'SetValueKey',
	538	'time_at' => '2008-04-02 21:44:57.63'
	539	},
	540	{
	541	'value_type' => 'REG_DWORD',
	542	'value_name' => 'fMLE_is_broken',
	543	'value' => '0',
	544	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	545	'event' => 'SetValueKey',
	546	'time_at' => '2008-04-02 21:44:57.63'
	547	},
	548	{
	549	'value_type' => 'REG_DWORD',
	550	'value_name' => 'iWindowPosX',
	551	'value' => 'fffffff9',
	552	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	553	'event' => 'SetValueKey',
	554	'time_at' => '2008-04-02 21:44:57.63'
	555	},
	556	{
	557	'value_type' => 'REG_DWORD',
	558	'value_name' => 'iWindowPosY',
	559	'value' => '38',
	560	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	561	'event' => 'SetValueKey',
	562	'time_at' => '2008-04-02 21:44:57.63'
	563	},
	564	{
	565	'value_type' => 'REG_DWORD',
	566	'value_name' => 'iWindowPosDX',
	567	'value' => '40c',
	568	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	569	'event' => 'SetValueKey',
	570	'time_at' => '2008-04-02 21:44:57.63'
	571	},
	572	{
	573	'value_type' => 'REG_DWORD',
	574	'value_name' => 'iWindowPosDY',
	575	'value' => '299',
	576	'name' => 'HKCU\\Software\\Microsoft\\Notepad',
	577	'event' => 'SetValueKey',
	578	'time_at' => '2008-04-02 21:44:57.63'
	579	}
	580	],
	581	'parent_pid' => '1380',
	582	'process_files' => [
	583	{
	584	'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	585	'time_at' => '2008-04-02 21:44:54.79',
	586	'event' => 'Delete'
	587	},
	588	{
	589	'name' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt',
	590	'file_content' => {
	591	'sha1' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
	592	'md5' => 'C:\\cygwin\\home\\Administrator\\trunk-rw\\Capture2\\capture-client-xeno-mod\\install\\foo.txt2008-04-02 21:44:54.172',
	593	'mime_type' => 'UNKNOWN',
	594	'size' => -1
	595	},
	596	'time_at' => '2008-04-02 21:44:54.172',
	597	'event' => 'Write'
	598	}
	599	]
	600	},
	601	{
	602	'regkeys' => [],
	603	'pid' => '984',
	604	'name' => 'C:\\WINDOWS\\system32\\svchost.exe',
	605	'process_files' => [
	606	{
	607	'name' => 'C:\\Documents and Settings\\Administrator\\SendTo',
	608	'file_content' => {
	609	'sha1' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
	610	'md5' => 'C:\\Documents and Settings\\Administrator\\SendTo2008-04-02 21:44:42.766',
	611	'mime_type' => 'UNKNOWN',
	612	'size' => -1
	613	},
	614	'time_at' => '2008-04-02 21:44:42.766',
	615	'event' => 'Write'
	616	},
	617	{
	618	'name' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data',
	619	'file_content' => {
	620	'sha1' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
	621	'md5' => 'C:\\Documents and Settings\\Administrator\\Local Settings\\Application Data2008-04-02 21:44:42.782',
	622	'mime_type' => 'UNKNOWN',
	623	'size' => -1
	624	},
	625	'time_at' => '2008-04-02 21:44:42.782',
	626	'event' => 'Write'
	627	}
	628	]
	629	},
	630	{
	631	'regkeys' => [
	632	{
	633	'value_type' => 'REG_EXPAND_SZ',
	634	'value_name' => 'CachePath',
	635	'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
	636	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	637	'event' => 'SetValueKey',
	638	'time_at' => '2008-04-02 21:44:54.376'
	639	},
	640	{
	641	'value_type' => 'REG_SZ',
	642	'value_name' => 'CachePrefix',
	643	'value' => ':2008040220080403: ',
	644	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	645	'event' => 'SetValueKey',
	646	'time_at' => '2008-04-02 21:44:54.376'
	647	},
	648	{
	649	'value_type' => 'REG_DWORD',
	650	'value_name' => 'CacheLimit',
	651	'value' => '2000',
	652	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	653	'event' => 'SetValueKey',
	654	'time_at' => '2008-04-02 21:44:54.376'
	655	},
	656	{
	657	'value_type' => 'REG_DWORD',
	658	'value_name' => 'CacheOptions',
	659	'value' => 'b',
	660	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	661	'event' => 'SetValueKey',
	662	'time_at' => '2008-04-02 21:44:54.376'
	663	},
	664	{
	665	'value_type' => 'REG_EXPAND_SZ',
	666	'value_name' => 'CachePath',
	667	'value' => '%USERPROFILE%\\Local Settings\\History\\History.IE5\\MSHist012008040220080403',
	668	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	669	'event' => 'SetValueKey',
	670	'time_at' => '2008-04-02 21:44:54.376'
	671	},
	672	{
	673	'value_type' => 'REG_DWORD',
	674	'value_name' => 'CacheRepair',
	675	'value' => '0',
	676	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\5.0\\Cache\\Extensible Cache\\MSHist012008040220080403',
	677	'event' => 'SetValueKey',
	678	'time_at' => '2008-04-02 21:44:54.376'
	679	}
	680	],
	681	'pid' => '1380',
	682	'name' => 'C:\\WINDOWS\\explorer.exe',
	683	'process_files' => [
	684	{
	685	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
	686	'file_content' => {
	687	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
	688	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.282',
	689	'mime_type' => 'UNKNOWN',
	690	'size' => -1
	691	},
	692	'time_at' => '2008-04-02 21:44:54.282',
	693	'event' => 'Write'
	694	},
	695	{
	696	'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	697	'file_content' => {
	698	'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
	699	'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.516',
	700	'mime_type' => 'UNKNOWN',
	701	'size' => -1
	702	},
	703	'time_at' => '2008-04-02 21:44:54.516',
	704	'event' => 'Write'
	705	},
	706	{
	707	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	708	'time_at' => '2008-04-02 21:44:54.516',
	709	'event' => 'Delete'
	710	},
	711	{
	712	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	713	'file_content' => {
	714	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
	715	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.547',
	716	'mime_type' => 'UNKNOWN',
	717	'size' => -1
	718	},
	719	'time_at' => '2008-04-02 21:44:54.547',
	720	'event' => 'Write'
	721	}
	722	]
	723	},
	724	{
	725	'regkeys' => [],
	726	'pid' => '4',
	727	'name' => 'System',
	728	'process_files' => [
	729	{
	730	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk',
	731	'file_content' => {
	732	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
	733	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\foo.txt.lnk2008-04-02 21:44:54.579',
	734	'mime_type' => 'UNKNOWN',
	735	'size' => -1
	736	},
	737	'time_at' => '2008-04-02 21:44:54.579',
	738	'event' => 'Write'
	739	},
	740	{
	741	'name' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	742	'file_content' => {
	743	'sha1' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	744	'md5' => 'C:\\cygwin\\home\\Administrator\\src\\honeyclient-trunk\\thirdparty\\capture-mod\\logs\\deleted_files\\C\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	745	'mime_type' => 'UNKNOWN',
	746	'size' => -1
	747	},
	748	'time_at' => '2008-04-02 21:44:54.579',
	749	'event' => 'Write'
	750	},
	751	{
	752	'name' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk',
	753	'file_content' => {
	754	'sha1' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	755	'md5' => 'C:\\Documents and Settings\\Administrator\\Recent\\install.lnk2008-04-02 21:44:54.579',
	756	'mime_type' => 'UNKNOWN',
	757	'size' => -1
	758	},
	759	'time_at' => '2008-04-02 21:44:54.579',
	760	'event' => 'Write'
	761	}
	762	]
	763	},
	764	{
	765	'parent_name' => 'C:\\WINDOWS\\explorer.exe',
	766	'name' => 'C:\\WINDOWS\\regedit.exe',
	767	'created' => '2008-04-02 21:45:07.829',
	768	'stopped' => '2008-04-02 21:45:22.344',
	769	'pid' => '2648',
	770	'regkeys' => [
	771	{
	772	'value_type' => 'REG_SZ',
	773	'value_name' => 'New Value #1',
	774	'value' => '',
	775	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	776	'event' => 'SetValueKey',
	777	'time_at' => '2008-04-02 21:45:15.985'
	778	},
	779	{
	780	'value_type' => 'REG_SZ',
	781	'value_name' => 'foo',
	782	'value' => '',
	783	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	784	'event' => 'SetValueKey',
	785	'time_at' => '2008-04-02 21:45:17.266'
	786	},
	787	{
	788	'value_type' => 'REG_NONE',
	789	'value_name' => 'New Value #1',
	790	'value' => '',
	791	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	792	'event' => 'DeleteValueKey',
	793	'time_at' => '2008-04-02 21:45:17.266'
	794	},
	795	{
	796	'value_type' => 'REG_SZ',
	797	'value_name' => 'foo',
	798	'value' => 'bar',
	799	'name' => 'HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer',
	800	'event' => 'SetValueKey',
	801	'time_at' => '2008-04-02 21:45:19.204'
	802	},
	803	{
	804	'value_type' => 'REG_BINARY',
	805	'value_name' => 'View',
	806	'value' => '2c00000001000ffffffffffffffffffffffffffff