
Commit 0fb721e

Merge pull request #1757 from volatilityfoundation/fix_tests
Tests: Fix Userassist and MFTScan testdata
2 parents d3d19fe + 5befbf8 commit 0fb721e


3 files changed

+28
-29
lines changed


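--- a/test/plugins/windows/test_data/windows.registry.userassist.UserAssist.json
+++ b/test/plugins/windows/test_data/windows.registry.userassist.UserAssist.json
@@ -9,7 +9,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": null,
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "",
+"Raw Data": "N/A",
 "Time Focused": null,
 "Type": "Key",
 "__children": [
@@ -23,7 +23,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Paint.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 90 86 6b 31 ..............k1\nfd 8d db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 07 00 00 00 00 00 00 00 07 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 90 86 6b 31 fd 8d db 01 00 00 00 00",
 "Time Focused": "0:00:00.507000",
 "Type": "Value",
 "__children": []
@@ -38,7 +38,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Registry Editor.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff f0 82 cf ca ................\n95 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff f0 82 cf ca 95 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.501000",
 "Type": "Value",
 "__children": []
@@ -53,7 +53,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Windows PowerShell\\Windows PowerShell.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 10 67 cf 4d .............g.M\nbe 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 04 00 00 00 00 00 00 00 04 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 10 67 cf 4d be 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.504000",
 "Type": "Value",
 "__children": []
@@ -68,7 +68,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\System Tools\\Command Prompt.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff d0 99 66 6c ..............fl\nc0 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff d0 99 66 6c c0 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.501000",
 "Type": "Value",
 "__children": []
@@ -83,7 +83,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Notepad.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 00 62 ba 89 .............b..\nc0 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 00 62 ba 89 c0 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.501000",
 "Type": "Value",
 "__children": []
@@ -98,7 +98,7 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\Task Scheduler.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff b0 24 49 23 .............$I#\nc1 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 02 00 00 00 00 00 00 00 02 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff b0 24 49 23 c1 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.502000",
 "Type": "Value",
 "__children": []
@@ -113,11 +113,11 @@
 "Last Write Time": "2025-03-06T17:57:09+00:00",
 "Name": "%ALLUSERSPROFILE%\\Microsoft\\Windows\\Start Menu\\Programs\\Microsoft Edge.lnk",
 "Path": "ntuser.dat\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UserAssist\\{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}\\Count",
-"Raw Data": "\"\n00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ................\n00 00 80 bf 00 00 80 bf ff ff ff ff 60 3d 89 2e ............`=..\nc1 8e db 01 00 00 00 00 ........ \"",
+"Raw Data": "00 00 00 00 01 00 00 00 00 00 00 00 01 00 00 00 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf 00 00 80 bf ff ff ff ff 60 3d 89 2e c1 8e db 01 00 00 00 00",
 "Time Focused": "0:00:00.501000",
 "Type": "Value",
 "__children": []
 }
 ]
 }
-}
+}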

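--- a/test/plugins/windows/windows.py
+++ b/test/plugins/windows/windows.py
@@ -1,10 +1,10 @@
-import json
+import contextlib
 import hashlib
+import json
+import os
 import shutil
-import contextlib
 import tempfile
-import os
-from test import test_volatility, WindowsSamples
+from test import WindowsSamples, test_volatility
 
 
 class TestWindowsVolshell:
@@ -843,20 +843,22 @@ def test_windows_specific_mftscan_ads_xp(self, volatility, python):
 {
 "ADS Filename": "Zone.Identifier",
 "Filename": "libby_hoeler_part1.wmv",
-"Hexdump": '"\n5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer]..\n5a 6f 6e 65 49 64 3d 33 0d 0a ZoneId=3.. "',
+"Hexdump": "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a",
 "MFT Type": "DATA",
 "Offset": 55926304,
 "Record Number": 323,
 "Record Type": "FILE",
+"__children": [],
 },
 {
 "ADS Filename": "Zone.Identifier",
 "Filename": "NetZeroQuickHelpLite.exe",
-"Hexdump": '"\n5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a [ZoneTransfer]..\n5a 6f 6e 65 49 64 3d 33 0d 0a ZoneId=3.. "',
+"Hexdump": "5b 5a 6f 6e 65 54 72 61 6e 73 66 65 72 5d 0d 0a 5a 6f 6e 65 49 64 3d 33 0d 0a",
 "MFT Type": "DATA",
 "Offset": 56102400,
 "Record Number": 347,
 "Record Type": "FILE",
+"__children": [],
 },
 ]
 for expected_row in expected_rows:
@@ -877,20 +879,22 @@ def test_windows_specific_mftscan_ads_win10(self, volatility, python):
 {
 "ADS Filename": "$Max",
 "Filename": "$UsnJrnl",
-"Hexdump": '"\n00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 ................\nb9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00 .....s.........."',
+"Hexdump": "00 00 00 02 00 00 00 00 00 00 80 00 00 00 00 00 b9 dd f0 cc df 73 db 01 00 00 00 00 00 00 00 00",
 "MFT Type": "DATA",
-"Offset": 1058018088,
+"Offset": 26235616,
 "Record Number": 107240,
 "Record Type": "FILE",
+"__children": [],
 },
 {
-"ADS Filename": "$Config",
-"Filename": "$Repair",
-"Hexdump": '"\n01 00 00 00 03 00 00 00 ........ "',
+"ADS Filename": "$SRAT",
+"Filename": "$Bitmap",
+"Hexdump": "a4 5f fd 60 38 00 01 03 10 00 0c 00 04 00 00 00 01 00 00 00 01 00 00 00 8d 4e 16 00 02 00 00 00 a0 00 00 00 00 00 06 00 03 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 4a 7b 01 00 00 00 00 00",
 "MFT Type": "DATA",
-"Offset": 5009678688,
-"Record Number": 28,
+"Offset": 1052277088,
+"Record Number": 6,
 "Record Type": "FILE",
+"__children": [],
 },
 ]
 for expected_row in expected_rows:
@@ -924,15 +928,15 @@ def test_windows_specific_mftscan_residentdata_win10(self, volatility, python):
 expected_rows = [
 {
 "Filename": "index",
-"Hexdump": '"\n30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 0\\r..m..........\n00 00 00 00 00 00 00 00 ........ "',
+"Hexdump": "30 5c 72 a7 1b 6d fb fc 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00",
 "MFT Type": "DATA",
 "Offset": 4961536280,
 "Record Number": 116474,
 "Record Type": "FILE",
 },
 {
 "Filename": "0.2.filtertrie.intermediate.txt",
-"Hexdump": '"\n30 09 32 0d 0a 0.2.. "',
+"Hexdump": "30 09 32 0d 0a",
 "MFT Type": "DATA",
 "Offset": 619242944,
 "Record Number": 113013,
@@ -1411,4 +1415,3 @@ def test_windows_specific_virtmap(self, volatility, python):
 )
 for expected_row in expected_rows:
 assert test_volatility.match_output_row(expected_row, json_out)
-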
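Review bot: In test_windows_specific_mftscan_ads_win10 the expected $UsnJrnl/$Max row's Offset moves from 1058018088 to 26235616 and the second expected record is replaced outright ($Repair/$Config, record 28 becomes $Bitmap/$SRAT, record 6), yet nothing in the test records why the fixture changed, so a later mismatch cannot be triaged as a plugin regression versus fixture drift. Suggest a comment above that test's `expected_rows`, e.g. `# Expected offsets/records re-derived for PR #1757 after the hexdump rendering change`, adjusted to state what they were actually re-derived from. The two ADS tests now carry `"__children": []` in each expected row while the resident-data test's rows do not; if match_output_row only compares the keys listed, the extra key is redundant noise, otherwise the resident-data rows should gain it for consistency. Each of these test bodies continues past the hunk, so the loop over expected_rows is only partly visible here.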
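--- a/volatility3/cli/text_renderer.py
+++ b/volatility3/cli/text_renderer.py
@@ -228,10 +228,6 @@ def render_bytes(self, data: renderers.LayerData) -> Tuple[bytes, Set[int]]:
 True,
 )
 
-import pdb
-
-pdb.set_trace()
-
 return specific_data, error_bytes
 
 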