public void Should_Be_Possible_To_Search_SubKeys_From_KeyName()
{
object fakeFoundSubKeys = new string[] { "Graphics", "GData", "XPTO" };
Dictionary <string, object> searchKeysParameters = new Dictionary <string, object>();
searchKeysParameters.Add(registry_object_ItemsChoices.hive.ToString(), eHiveNames.HKEY_LOCAL_MACHINE.ToString());
searchKeysParameters.Add(registry_object_ItemsChoices.key.ToString(), "Microsoft");
AbstractConstraint[] invokeMethodConstraints = new AbstractConstraint[]
{ new Equal("EnumKey"), new Anything(), new Anything() };
MockRepository mocks = new MockRepository();
WmiDataProvider fakeWmiPrv = mocks.DynamicMock <WmiDataProvider>();
Expect.Call(fakeWmiPrv.InvokeMethod("", null, "")).Constraints(invokeMethodConstraints).Return(fakeFoundSubKeys);
mocks.ReplayAll();
RegistryObjectCollector systemDataSource = new RegistryObjectCollector()
{
WmiDataProvider = fakeWmiPrv
};
IList <string> registrySubKeys = systemDataSource.GetValues(searchKeysParameters);
mocks.VerifyAll();
Assert.IsNotNull(registrySubKeys);
Assert.AreEqual(3, registrySubKeys.Count);
Assert.AreEqual("Graphics", registrySubKeys[0]);
Assert.AreEqual("GData", registrySubKeys[1]);
Assert.AreEqual("XPTO", registrySubKeys[2]);
}
public void Should_be_possible_to_generate_itemTypes_from_objectTypes_with_variables_and_regex()
{
string hiveHKLM = eHiveNames.HKEY_LOCAL_MACHINE.ToString();
string startKey = "SOFTWARE\\Microsoft\\Windows";
var ovalObject = WindowsTestHelper.GetObjectFromDefinitions("definitionsWithLocalVariable.xml", "oval:modulo:obj:5000");
var fakeDataSource = WindowsTestHelper.GetDataSourceFakeWithRegex(startKey, 1);
WmiDataProvider wmiDataProvider = new WmiDataProvider();// new WmiDataProviderFactory().GetFakeWmiDataProviderForTestInvokeMethodEnumKeyWithReturnSuccess();
VariableValue variable = new VariableValue(ovalObject.id, "oval:org.mitre.oval:var:3000", new List <string>()
{
"CurrentType"
});
VariablesEvaluated variables = new VariablesEvaluated(new List <VariableValue>()
{
variable
});
var itemGenerator = new RegistryItemTypeGenerator()
{
SystemDataSource = fakeDataSource, WmiDataProvider = wmiDataProvider
};
var itemsToCollect = itemGenerator.GetItemsToCollect(ovalObject, variables).Cast <registry_item>();
Assert.AreEqual(2, itemsToCollect.Count());
this.AssertGeneratedRegistryItem(itemsToCollect.ElementAt(0), hiveHKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentBuild", "CurrentType");
this.AssertGeneratedRegistryItem(itemsToCollect.ElementAt(1), hiveHKLM, "SOFTWARE\\Microsoft\\Windows\\CurrentVersion", "CurrentType");
}
public void GetPrimaryHardDriveSerial()
{
WmiDataProvider provider = new WmiDataProvider();
string data = provider.GetPrimaryHardDriveSerial();
Assert.IsNotNull(data);
}
public FileEffectiveRights53ObjectCollector(WmiDataProvider wmiDataProvider)
{
this.WmiProvider = wmiDataProvider;
this.DaclDisassembler = new WindowsSecurityDescriptorDisassembler(SecurityDescriptorType.DACL);
this.Cache = new Dictionary <string, IEnumerable <fileeffectiverights_item> >();
this.FlatCache = new Dictionary <string, fileeffectiverights_item>();
}
private FileProber GetMockedFileProber(file_item fakeItem)
{
IList <String> fakeValues = new List <String>(new string[] { "FakeValue" });
CollectedItem fakeCollectedItem = ProbeHelper.CreateFakeCollectedItem(fakeItem);
MockRepository mocks = new MockRepository();
IConnectionManager fakeConnection = mocks.DynamicMock <IConnectionManager>();
ISystemInformationService fakeSystemInformation = mocks.DynamicMock <ISystemInformationService>();
FileConnectionProvider fakeProvider = mocks.DynamicMock <FileConnectionProvider>();
WmiDataProvider fakeWmiProvider = mocks.DynamicMock <WmiDataProvider>();
FileObjectCollector fakeDataCollector = mocks.DynamicMock <FileObjectCollector>();
fakeDataCollector.WmiDataProvider = fakeWmiProvider;
//Expect.Call(fakeConnection.Connect<FileConnectionProvider>(null, null)).IgnoreArguments().Repeat.Any().Return(fakeProvider);
Expect.Call(fakeDataCollector.CollectDataForSystemItem(fakeItem)).IgnoreArguments().Repeat.Any().Return(new List <CollectedItem>()
{
fakeCollectedItem
});
Expect.Call(fakeDataCollector.GetValues(null)).IgnoreArguments().Repeat.Any().Return(fakeValues);
Expect.Call(fakeSystemInformation.GetSystemInformationFrom(null)).IgnoreArguments().Return(SystemInformationFactory.GetExpectedSystemInformation());
mocks.ReplayAll();
return(new FileProber()
{
ConnectionManager = fakeConnection, ObjectCollector = fakeDataCollector
});
}
public void GetBiosData()
{
IWmiDataProvider provider = new WmiDataProvider();
string data = provider.GetBiosData();
Assert.IsNotNull(data);
}
private FileItemTypeGenerator GetMockedFileItemTypeGenerator(string fileObjectID, string[] fakeFoundPaths, out file_object fileObject)
{
oval_definitions definitions = ProbeHelper.GetFakeOvalDefinitions(DEFINITIONS_REGEX_ON_VALUE);
fileObject = (file_object)ProbeHelper.GetOvalComponentByOvalID(definitions, fileObjectID);
List <WmiObject> fakeWmiObjects = new List <WmiObject>();
foreach (var fakePath in fakeFoundPaths)
{
fakeWmiObjects.Add(this.createFakeWmiObject(fakePath, "Application", 100));
}
MockRepository mocks = new MockRepository();
WmiDataProvider fakeWmiProvider = mocks.DynamicMock <WmiDataProvider>();
Expect.Call(fakeWmiProvider.SearchWmiObjects(null, null)).IgnoreArguments().Return(fakeWmiObjects.ToArray());
mocks.ReplayAll();
return(new FileItemTypeGenerator()
{
SystemDataSource = new FileObjectCollector()
{
WmiDataProvider = fakeWmiProvider
}
});
}
public void Should_Be_Possible_To_Search_KeyValues_From_KeyName()
{
object fakeFoundKeyValues = new List <string>(new string[] { "Risk Manager", "PCN", "Workflow Manager", "Dashboard" });
Dictionary <string, object> searchValuesParameters = new Dictionary <string, object>();
searchValuesParameters.Add(registry_object_ItemsChoices.hive.ToString(), eHiveNames.HKEY_LOCAL_MACHINE.ToString());
searchValuesParameters.Add(registry_object_ItemsChoices.key.ToString(), "SOFTWARE\\Modulo");
searchValuesParameters.Add(registry_object_ItemsChoices.name.ToString(), "^.*");
AbstractConstraint[] invokeMethodConstraints =
new AbstractConstraint[] { new Equal("EnumValues"), new Anything(), new Anything() };
MockRepository mocks = new MockRepository();
WmiDataProvider fakeWmiPrv = mocks.DynamicMock <WmiDataProvider>();
Expect.Call(fakeWmiPrv.InvokeMethod("", null, "")).Constraints(invokeMethodConstraints).Return(fakeFoundKeyValues);
mocks.ReplayAll();
RegistryObjectCollector systemDataSource = new RegistryObjectCollector()
{
WmiDataProvider = fakeWmiPrv
};
IList <string> registryKeyValues = systemDataSource.GetValues(searchValuesParameters);
mocks.VerifyAll();
Assert.IsNotNull(registryKeyValues);
Assert.AreEqual(4, registryKeyValues.Count);
Assert.IsTrue(registryKeyValues[0].Equals("Risk Manager"));
Assert.IsTrue(registryKeyValues[1].Equals("PCN"));
Assert.IsTrue(registryKeyValues[2].Equals("Workflow Manager"));
Assert.IsTrue(registryKeyValues[3].Equals("Dashboard"));
}
protected override void ConfigureObjectCollector()
{
if (base.ObjectCollector == null)
{
var newWmiProvider = new WmiDataProvider(((RegKeyEffectiveRights53ConnectionProvider)base.ConnectionProvider).ConnectionScope);
base.ObjectCollector = new RegKeyEffectiveRightsObjectCollector()
{
TargetInfo = this.TargetInfo,
WmiDataProvider = newWmiProvider,
AccessControlListProvider = AccessControlListProvider.CreateInstance()
};
}
if (base.ItemTypeGenerator == null)
{
base.ItemTypeGenerator =
new RegKeyEffectiveRightsItemTypeGenerator()
{
OperationEvaluator = new RegKeyEffectiveRightsOperationEvaluator()
{
SystemDataSource = base.ObjectCollector
},
ObjectCollector = (RegKeyEffectiveRightsObjectCollector)base.ObjectCollector
}
}
;
/* { SystemDataSource = base.ObjectCollector } */;
}
private void CreateExpectationForGetGroupComponent(WmiDataProvider fakeWmiProvider, string groupName)
{
var fakeWin32GroupUserRecords = new List <WmiObject>();
var groupComponent = GroupComponent(FAKE_COMPUTER_NAME, groupName);
var wqlAdministratorsUsers = new WQLBuilder().WithWmiClass("Win32_GroupUser").AddParameter("GroupComponent", groupComponent).Build();
Expect.Call(fakeWmiProvider.ExecuteWQL(wqlAdministratorsUsers)).Return(new[] { NewWmiObjectForFakeGroupUser("fakeUser") });
}
private void CreateItemTypeGeneratorInstance()
{
if (base.ItemTypeGenerator == null)
{
var newWmiDataProvider = new WmiDataProvider(this.WMIConnectionProvider.ConnectionScope);
var newAccountProvider = new WindowsUsersProvider(newWmiDataProvider, this.TargetInfo);
base.ItemTypeGenerator = new AccessTokenItemTypeGenerator(newAccountProvider);
}
}
public static FileEffectiveRightsCollector GetInstance(WmiDataProvider wmiDataProvider)
{
WmiDataProvider = wmiDataProvider;
if (Instance == null)
{
Instance = new FileEffectiveRightsCollector();
}
return(Instance);
}
public WmiDataProvider GetFakeWmiDataProviderForTestInvokeMethodEnumKeyWithReturnSuccess()
{
MockRepository mocks = new MockRepository();
WmiDataProvider wmiDataProvider = mocks.DynamicMock <WmiDataProvider>();
Expect.Call(wmiDataProvider.InvokeMethod("EnumKey", null)).IgnoreArguments().Repeat.Any().Return(this.GetReturnOfInvokeMethodEnumKey());
mocks.ReplayAll();
return(wmiDataProvider);
}
private void CreateObjectCollector()
{
if (base.ObjectCollector == null)
{
var wmiConnectionScope = ((FileConnectionProvider)this.ConnectionProvider).ConnectionScope;
var newWmiProvider = new WmiDataProvider(wmiConnectionScope);
base.ObjectCollector = new FileEffectiveRights53ObjectCollector()
{
WmiDataProvider = newWmiProvider
};
}
}
public void Should_be_possible_to_collect_FileEffectiveRights()
{
// Arrange
WmiObject fakeWmiObject = new WmiObject();
fakeWmiObject.Add("Descriptor.DACL.AccessMask", (uint)128);
fakeWmiObject.Add("Descriptor.DACL.AceFlags", (uint)123);
fakeWmiObject.Add("Descriptor.DACL.Trustee.SID", "{500}");
fakeWmiObject.Add("Descriptor.DACL.Trustee.Domain", "mss");
fakeWmiObject.Add("Descriptor.DACL.Trustee.Name", "lfernandes");
MockRepository mocks = new MockRepository();
WmiDataProvider fakeWmiDataProvider = mocks.DynamicMock <WmiDataProvider>();
Expect.Call(fakeWmiDataProvider.InvokeMethodByWmiPath(null)).IgnoreArguments().Return(new WmiObject[] { fakeWmiObject });
FileEffectiveRightsObjectCollector fileEffectiveRightsSysDataSource = new FileEffectiveRightsObjectCollector();
fileEffectiveRightsSysDataSource.WmiDataProvider = fakeWmiDataProvider;
mocks.ReplayAll();
// Act
IEnumerable <CollectedItem> collectedItem = fileEffectiveRightsSysDataSource.CollectDataForSystemItem(this.getFakeFileItem());
Assert.IsNotNull(collectedItem, "The return of collect data cannot be null");
Assert.AreEqual(1, collectedItem.Count(), "Unexpected collected items count.");
Assert.IsNotNull(collectedItem.ElementAt(0).ItemType, "The file item cannot be null.");
Assert.IsInstanceOfType(collectedItem.ElementAt(0).ItemType, typeof(fileeffectiverights_item), "The item of collected item must be file_item");
fileeffectiverights_item collectedFileEffectiveRights = (fileeffectiverights_item)collectedItem.ElementAt(0).ItemType;
Assert.AreEqual("{500}", collectedFileEffectiveRights.trustee_sid.Value, "Unexpected item value.");
Assert.AreEqual("1", collectedFileEffectiveRights.file_read_attributes.Value, "Unexpected file attribute found.");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_append_data, false, "file_append_data");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_delete_child, false, "file_delete_child");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_execute, false, "file_execute");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_read_data, false, "file_read_data");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_read_ea, false, "file_read_ea");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_write_attributes, false, "file_write_attributes");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_write_data, false, "file_write_data");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.file_write_ea, false, "file_write_ea");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.generic_all, true, "generic_all");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.generic_execute, true, "generic_execute");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.generic_read, true, "generic_read");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.generic_write, false, "generic_write");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.standard_delete, false, "standard_delete");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.standard_read_control, false, "standard_delete");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.standard_synchronize, false, "standard_sync");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.standard_write_dac, false, "standard_write_dac");
this.AssertFileEffectiveRight(collectedFileEffectiveRights.standard_write_owner, false, "standard_write_owner");
}
public WmiDataProvider GetFakeWmiDataProviderForTestExecutingQueriesForSystemInfo()
{
MockRepository mocks = new MockRepository();
WmiDataProvider wmiDataProvider = mocks.StrictMock <WmiDataProvider>();
Expect.Call(wmiDataProvider.SearchWmiObjects("Win32_ComputerSystem", null)).Return(this.GetWmiObjectsForComputerSystemQuery());
Expect.Call(wmiDataProvider.SearchWmiObjects("Win32_OperatingSystem", null)).Return(this.GetWmiObjectsForOperatingSystemQuery());
Expect.Call(wmiDataProvider.SearchWmiObjects("Win32_NetworkAdapterConfiguration", null)).IgnoreArguments().Return(this.GetWmiObjectsForNetworkInterfaces());
Expect.Call(wmiDataProvider.SearchWmiObjects("Win32_NetworkAdapter", null)).IgnoreArguments().Return(this.GetWmiObjectsForNetworkInterfacesAdapter());
mocks.ReplayAll();
return(wmiDataProvider);
}
private void CreateWmiDataProviderFromWmiItem(wmi_item wmiItem)
{
if (this.WmiDataProvider == null)
{
var wmiNamespace = String.Format(@"{0}\{1}", this.TargetInfo.GetAddress(), [email protected]);
var wmiNamespacePath = new System.Management.ManagementPath(wmiNamespace);
var wmiConnectionOptions = WmiDataProviderFactory.CreateConnectionOptions(this.TargetInfo);
var wmiManagementScope = new System.Management.ManagementScope(wmiNamespacePath, wmiConnectionOptions);
wmiManagementScope.Connect();
this.WmiDataProvider = new WmiDataProvider(wmiManagementScope);
}
}
protected override void ConfigureObjectCollector()
{
if (this.ObjectCollector == null)
{
var wmiProvider = new WmiDataProvider(((FileConnectionProvider)ConnectionProvider).ConnectionScope);
var accountProvider = new WindowsUsersProvider(wmiProvider, this.TargetInfo);
ObjectCollector = new UserObjectCollector(accountProvider);
if (ItemTypeGenerator == null)
{
ItemTypeGenerator = new UserItemTypeGenerator(accountProvider);
}
}
}
public void Should_be_possible_to_generate_itemTypes_from_objectType_with_PatternMatchOperation_on_key_and_name_entities_at_same_time()
{
var objectType = WindowsTestHelper.GetObjectFromDefinitions("definitionsWithOnlyObjects.xml", "oval:modulo:obj:12345");
var fakeDataSource = WindowsTestHelper.GetDataSourceFakeWithRegex("", 2);
var fakeWmiDataProvider = new WmiDataProvider();// new WmiDataProviderFactory().GetFakeWmiDataProviderForTestInvokeMethodEnumKeyWithReturnSuccess();
var itemTypeGenerator = new RegistryItemTypeGenerator()
{
SystemDataSource = fakeDataSource, WmiDataProvider = fakeWmiDataProvider
};
var generatedItems = itemTypeGenerator.GetItemsToCollect(objectType, VariableHelper.CreateEmptyEvaluatedVariables());
Assert.IsNotNull(generatedItems, "The result of GetItemsToCollect method cannot be null.");
Assert.AreEqual(4, generatedItems.Count(), "Unexpected generated items type count");
}
protected override void ConfigureObjectCollector()
{
if (base.ObjectCollector == null)
{
var connectionScope = ((FileConnectionProvider)FileConnectionProvider).ConnectionScope;
var newWmiDataProvider = new WmiDataProvider(connectionScope);
var newFileProvider = new WindowsFileProvider(TargetInfo)
{
WmiDataProvider = newWmiDataProvider
};
ObjectCollector = new TextFileContentObjectCollector()
{
FileContentProvider = newFileProvider, TargetInfo = TargetInfo
};
FileDataSource = new FileObjectCollector()
{
WmiDataProvider = newWmiDataProvider
};
}
if (base.ItemTypeGenerator == null)
{
var newFileProvider =
new WindowsFileProvider(this.TargetInfo)
{
WmiDataProvider =
WmiDataProviderFactory
.CreateWmiDataProviderForFileSearching(this.TargetInfo)
};
var newOperationEvaluator =
new TextFileContentEntityOperationEvaluator(ObjectCollector, newFileProvider, FamilyEnumeration.windows);
ItemTypeGenerator = new TextFileContentItemTypeGenerator()
{
OperationEvaluator = newOperationEvaluator
};
}
}
public WindowsUsersProvider(WmiDataProvider wmiDataProvider, TargetInfo targetInfo)
{
this.WmiProvider = wmiDataProvider;
this.TargetInfo = targetInfo;
}
/// <summary>
/// Creates a list of WinACEs objects from security descriptor management object.
/// </summary>
/// <param name="rootManagementObject">The result of invoked method which returns the Security Descriptor as ManagementBaseObject.</param>
/// <param name="trusteeName">The username formatted such as: "[DOMAIN]\[USERNAME]". For local users use the machine name on [DOMAIN]</param>
/// <returns>Returns a List of WMIWinACE objects.</returns>
public virtual IEnumerable <WMIWinACE> GetSecurityDescriptorsFromManagementObject(object rootManagementObject, string userTrusteeName, WmiDataProvider wmiProvider)
{
ManagementBaseObject[] ACLs = this.getACLFromManagementObject((ManagementBaseObject)rootManagementObject);
var result = new List <WMIWinACE>();
foreach (var acl in ACLs)
{
var aclTrustee = (ManagementBaseObject)acl.Properties["Trustee"].Value;
if (this.DoesACLBelongToUser(aclTrustee, userTrusteeName, wmiProvider))
{
WMIWinACE newWinACE = new WMIWinACE();
newWinACE.AccessMask = this.getPropertyValueAsUnsiggnedInteger(acl, "AccessMask");
newWinACE.AceFlags = this.getPropertyValueAsUnsiggnedInteger(acl, "AceFlags");
newWinACE.AceType = this.getPropertyValueAsUnsiggnedInteger(acl, "AceType");
newWinACE.Trustee = this.getWinTrusteeFromManagementObject(aclTrustee);
newWinACE.CalculateFileAccessRightsFromAccessMask();
result.Add(newWinACE);
}
}
return(result);
}
private bool DoesACLBelongToUser(ManagementBaseObject daclTrustee, string userTrusteeName, WmiDataProvider wmiProvider)
{
var winTrustee = this.getWinTrusteeFromManagementObject(daclTrustee);
if (userTrusteeName.Equals(winTrustee.SIDString))
{
return(true);
}
string username = this.getPropertyValueAsString(daclTrustee, "Name");
var wql = new WQLBuilder().WithWmiClass("Win32_Account").AddParameter("SID", userTrusteeName).Build();
var accountName = wmiProvider.ExecuteWQL(wql);
if ((accountName.Count() > 0) && accountName.First().GetValueOf("Name").ToString().Equals(username, StringComparison.InvariantCultureIgnoreCase))
{
return(true);
}
string userDomain = this.getPropertyValueAsString(daclTrustee, "Domain");
string[] trusteeParts = userTrusteeName.Split(new string[] { @"\" }, StringSplitOptions.RemoveEmptyEntries);
bool matchUsername = username.Equals(trusteeParts.Last(), StringComparison.CurrentCultureIgnoreCase);
bool matchUserDomain = userDomain.Equals(trusteeParts.First(), StringComparison.CurrentCultureIgnoreCase);
bool isSystemAccount = (userTrusteeName.IndexOf(@"\") < 0);
return(isSystemAccount ? matchUsername : (matchUsername && matchUserDomain));
}
public WindowsSystemInformationCollectorTest()
{
this.WmiDataProvider = new WmiDataProviderExpectFactory().GetFakeWmiDataProviderForTestExecutingQueriesForSystemInfo();
this.FakeTargetInfo = ProbeHelper.CreateFakeTarget("MSS-RJ-215", "MSS", "lcosta", "password");
}
private void ConfigureCollector()
{
this.wmiDataProvider = new WmiDataProvider(this.connectionProvider.ConnectionScope);
this.systemInformationCollector = new WindowsSystemInformationCollector(wmiDataProvider);
}
public WindowsSystemInformationCollector(WmiDataProvider wmiDataProvider)
{
this.wmiDataProvider = wmiDataProvider;
}
private void WmiProviderMustNotHaveBeenUsed(WmiDataProvider wmiProvider)
{
wmiProvider.AssertWasNotCalled <WmiDataProvider>(wmi => wmi.ExecuteWQL(null));
}
private void CheckIfWmiProviderWasUsedProperly(WmiDataProvider usedWmiProvider, string wqlThatShouldBeUsed)
{
usedWmiProvider.AssertWasCalled <WmiDataProvider>(wmi => wmi.ExecuteWQL(wqlThatShouldBeUsed));
}
public WindowsFileProvider(TargetInfo targetInfo, WmiDataProvider wmiDataProvider) : this(targetInfo)
{
this.WmiDataProvider = wmiDataProvider;
}
public WindowsGroupAccountProvider(WmiDataProvider wmiDataProvider, TargetInfo targetInfo)
{
this.WmiDataProvider = wmiDataProvider;
this.TargetInfo = targetInfo;
}
