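    def ParseRunKeys(self, responses):
        """Guess executable paths from RunKey values and fetch those files.

        Each response's ``registry_data.string`` (the command line stored in a
        Run key) is passed through ``DetectExecutablePaths`` together with the
        client's environment-variable map; every guessed path becomes a TSK
        ``PathSpec`` and the whole batch is handed to the ``MultiGetFile``
        flow.  When no path can be guessed for a value, that is logged and the
        value is skipped.

        Args:
          responses: registry responses whose ``registry_data.string`` holds a
            Run key value.
        """
        client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
        kb = artifact.GetArtifactKnowledgeBase(client)
        # The environment map depends only on the knowledge base, not on the
        # individual response, so build it once rather than once per RunKey.
        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        filenames = []
        for response in responses:
            runkey = response.registry_data.string
            path_guesses = path_detection_windows.DetectExecutablePaths(
                [runkey], environ_vars)

            if not path_guesses:
                self.Log("Couldn't guess path for %s", runkey)
                continue

            # The guesses are candidate locations derived from client-supplied
            # registry strings; they are collected, not trusted, so the flow
            # just asks MultiGetFile to try each one.
            filenames.extend(
                rdf_paths.PathSpec(
                    path=path, pathtype=rdf_paths.PathSpec.PathType.TSK)
                for path in path_guesses)

        if filenames:
            self.CallFlow("MultiGetFile",
                          pathspecs=filenames,
                          next_state="Done")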
  def testExtractsPathsFromNonRunDllStrings(self):
    """Plain command lines (no rundll32) should yield only the executable.

    Covers an unquoted path with an argument, a single-quoted path with an
    argument, and an unquoted path followed by several switches.
    """
    cases = [
        (r"C:\Program Files\Realtek\Audio\blah.exe -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"'C:\Program Files\Realtek\Audio\blah.exe' -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"C:\Program Files\NVIDIA Corporation\nwiz.exe /quiet /blah",
         r"C:\Program Files\NVIDIA Corporation\nwiz.exe"),
    ]

    for command_line, expected_path in cases:
      detected = list(windows.DetectExecutablePaths([command_line]))
      self.assertEqual(detected, [expected_path])
  def testReplacesEnvironmentVariable(self):
    """A %ProgramFiles% reference is expanded via the supplied mapping.

    The mapping key is lower-case while the command line uses mixed case, so
    this also exercises case-insensitive variable lookup.
    """
    mapping = {"programfiles": r"C:\Program Files",}
    cases = [
        (r"%ProgramFiles%\Realtek\Audio\blah.exe -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"'%ProgramFiles%\Realtek\Audio\blah.exe' -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
    ]

    for command_line, expected_path in cases:
      detected = list(windows.DetectExecutablePaths([command_line], mapping))
      self.assertEqual(detected, [expected_path])
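  def _GetFilePaths(self, path, pathtype, kb):
    """Guess windows filenames from a commandline string.

    Args:
      path: the raw command-line string to parse for executable paths.
      pathtype: the PathSpec pathtype to stamp on every guessed path.
      kb: knowledge base used to build the Windows environment-variable map
        that DetectExecutablePaths expands (%ProgramFiles% and friends).

    Returns:
      A list of rdf_paths.PathSpec, one per guessed path; empty when nothing
      could be extracted from the string.
    """
    environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    path_guesses = path_detection_windows.DetectExecutablePaths(
        [path], environ_vars)

    if not path_guesses:
      # TODO(user): yield a ParserAnomaly object
      return []

    # Use a distinct loop name: reusing ``path`` here shadows the parameter
    # (and under Python 2 comprehension scoping would overwrite it).
    return [rdf_paths.PathSpec(path=guess, pathtype=pathtype)
            for guess in path_guesses]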
  def testExctactsPathsFromRunDllStrings(self):
    """rundll32 command lines should yield both the host and the DLL path.

    Compared as sets because the detector's output order is not part of the
    contract under test.
    """
    rundll_host = "rundll32.exe"
    cases = [
        (r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32",
         r"C:\Windows\system32\advpack.dll"),
        (r"rundll32.exe 'C:\Program Files\Realtek\Audio\blah.exe',blah",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"'rundll32.exe' 'C:\Program Files\Realtek\Audio\blah.exe',blah",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
    ]

    for command_line, loaded_path in cases:
      detected = set(windows.DetectExecutablePaths([command_line]))
      self.assertEqual(detected, {loaded_path, rundll_host})
  def testReplacesEnvironmentVariablesWithMultipleMappings(self):
    """A variable mapped to several values expands to one path per value.

    %AppData% is user-specific, so the mapping carries a list of candidate
    directories; every candidate must appear in the detector's output.
    """
    foo_appdata = r"C:\Users\foo\Application Data"
    bar_appdata = r"C:\Users\bar\Application Data"
    mapping = {"appdata": [foo_appdata, bar_appdata]}

    expanded = [
        r"C:\Users\foo\Application Data\Realtek\Audio\blah.exe",
        r"C:\Users\bar\Application Data\Realtek\Audio\blah.exe",
    ]
    cases = [
        (r"%AppData%\Realtek\Audio\blah.exe -s", expanded),
        (r"'%AppData%\Realtek\Audio\blah.exe' -s", expanded),
    ]

    for command_line, expected_paths in cases:
      detected = set(windows.DetectExecutablePaths([command_line], mapping))
      self.assertEqual(detected, set(expected_paths))