-
Notifications
You must be signed in to change notification settings - Fork 46
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Adding Get-ATHDriverService, New-ATHDriverService, Remove-ATHDriverSe…
…rvice
- Loading branch information
1 parent
c53fb39
commit 7b8f153
Showing
3 changed files
with
849 additions
and
2 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
97 changes: 97 additions & 0 deletions
97
TestHarnesses/T1543.003_WindowsService/DriverInstaller.Tests.ps1
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,97 @@ | ||
| Set-StrictMode -Version Latest | ||
|
|
||
| $TestScriptRoot = Split-Path $MyInvocation.MyCommand.Path -Parent | ||
| $ModuleRoot = Resolve-Path "$TestScriptRoot\..\..\" | ||
| $ModuleManifest = "$ModuleRoot\AtomicTestHarnesses.psd1" | ||
|
|
||
| Remove-Module [A]tomicTestHarnesses | ||
| Import-Module $ModuleManifest -Force -ErrorAction Stop | ||
|
|
||
| Describe 'Get-ATHDriverService' { | ||
| BeforeAll { | ||
| $Help = Get-Help -Name Get-ATHDriverService -Full | ||
|
|
||
| $ExpectedTechniqueID = $null | ||
|
|
||
| if ($Help.Synopsis.Split("`r`n")[-1] -match '^(?-i:Technique ID: )(?<TechniqueID>\S+) (?<TechniqueDescription>\(.+\))$') { | ||
| $ExpectedTechniqueID = $Matches['TechniqueID'] | ||
| } | ||
| } | ||
|
|
||
| Context 'Validating error conditions' -Tag 'Unit', 'T1543.003' { | ||
| It 'should return detailed, contextual information for a running driver service based on the service name' { | ||
| $ServiceName = 'cdrom' | ||
|
|
||
| $Result = Get-ATHDriverService -ServiceName $ServiceName -ErrorAction Stop | ||
|
|
||
| $Result | Should -Not -BeNullOrEmpty | ||
|
|
||
| $Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID | ||
| $Result.ServiceName | Should -Be $ServiceName | ||
| $Result.ServiceDisplayName | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceStartMode | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceState | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceType | Should -BeExactly 'Kernel Driver' | ||
| $Result.ServiceRegistryKey | Should -Be "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\$ServiceName" | ||
| $Result.DriverPathFormatted | Should -Match '^[A-Z]:\\' | ||
| $Result.DriverPathFormatted.EndsWith('cdrom.sys') | Should -BeTrue | ||
| $Result.DriverPathUnformatted.EndsWith('cdrom.sys') | Should -BeTrue | ||
| $Result.DriverFileHashSHA256 | Should -Not -BeNullOrEmpty | ||
| $Result.LoadedImageBaseAddress | Should -Not -BeNullOrEmpty | ||
| $Result.LoadedImageSize | Should -Not -BeNullOrEmpty | ||
| $Result.LoadCount | Should -BeGreaterThan 0 | ||
| } | ||
|
|
||
| It 'should throw an error when a non-existent service name is supplied' { | ||
| { Get-ATHDriverService -ServiceName ' ' -ErrorAction Stop } | Should -Throw | ||
| } | ||
|
|
||
| It 'should return detailed, contextual information for a running driver service when a driver filename is supplied' { | ||
| $DriverFilename = 'cdrom.sys' | ||
|
|
||
| $Result = Get-ATHDriverService -LoadedDriverFileName $DriverFilename -ErrorAction Stop | ||
|
|
||
| $Result | Should -Not -BeNullOrEmpty | ||
|
|
||
| $Result.TechniqueID | Should -BeExactly $ExpectedTechniqueID | ||
| $Result.ServiceName | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceDisplayName | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceStartMode | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceState | Should -Not -BeNullOrEmpty | ||
| $Result.ServiceType | Should -BeExactly 'Kernel Driver' | ||
| $Result.ServiceRegistryKey | Should -Not -BeNullOrEmpty | ||
| $Result.DriverPathFormatted | Should -Match '^[A-Z]:\\' | ||
| $Result.DriverPathFormatted.EndsWith($DriverFilename) | Should -BeTrue | ||
| $Result.DriverPathUnformatted.EndsWith($DriverFilename) | Should -BeTrue | ||
| $Result.DriverFileHashSHA256 | Should -Not -BeNullOrEmpty | ||
| $Result.LoadedImageBaseAddress | Should -Not -BeNullOrEmpty | ||
| $Result.LoadedImageSize | Should -Not -BeNullOrEmpty | ||
| $Result.LoadCount | Should -BeGreaterThan 0 | ||
| } | ||
|
|
||
| It 'should not return output when a non-existent driver path is supplied' { | ||
| $Result = Get-ATHDriverService -LoadedDriverFileName ' ' -ErrorAction Stop | Should -BeNullOrEmpty | ||
|
|
||
| $Result | Should -BeNullOrEmpty | ||
| } | ||
| } | ||
| } | ||
|
|
||
|
|
||
| Describe 'Remove-ATHDriverService' { | ||
| BeforeAll { | ||
| $Help = Get-Help -Name Get-ATHDriverService -Full | ||
|
|
||
| $ExpectedTechniqueID = $null | ||
|
|
||
| if ($Help.Synopsis.Split("`r`n")[-1] -match '^(?-i:Technique ID: )(?<TechniqueID>\S+) (?<TechniqueDescription>\(.+\))$') { | ||
| $ExpectedTechniqueID = $Matches['TechniqueID'] | ||
| } | ||
| } | ||
|
|
||
| Context 'Validating error conditions' -Tag 'Unit', 'T1543.003' { | ||
| It 'should throw an error when a non-existent service name is supplied' { | ||
| { Remove-ATHDriverService -ServiceName ' ' -ErrorAction Stop } | Should -Throw | ||
| } | ||
| } | ||
| } |
Oops, something went wrong.