    def testKnowledgeBaseRootAttributesGetMappedCorrectly(self):
        """Root-level ``environ_*`` fields map to lowercase variable names.

        The mapping also has to supply the two derived aliases:
        ``programdata`` (from ``environ_allusersprofile``) and
        ``programw6432`` (from ``environ_programfiles``), and has to spell
        the x86 key as ``programfiles(x86)``.
        """
        root_fields = dict(
            environ_path="the_path",
            environ_temp="the_temp",
            environ_systemroot="the_systemroot",
            environ_windir="the_windir",
            environ_programfiles="the_programfiles",
            environ_programfilesx86="the_programfilesx86",
            environ_systemdrive="the_systemdrive",
            environ_allusersprofile="the_allusersprofile",
            environ_allusersappdata="the_allusersappdata")
        kb = rdf_client.KnowledgeBase(**root_fields)

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        expected = dict(
            allusersappdata="the_allusersappdata",
            allusersprofile="the_allusersprofile",
            path="the_path",
            programdata="the_allusersprofile",
            programfiles="the_programfiles",
            programw6432="the_programfiles",
            systemdrive="the_systemdrive",
            systemroot="the_systemroot",
            temp="the_temp",
            windir="the_windir")
        # Not a valid keyword argument, so this key is added separately.
        expected["programfiles(x86)"] = "the_programfilesx86"
        self.assertDictEqual(mapping, expected)
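  def ParseRunKeys(self, responses):
    """Guess the executables named by the collected RunKeys and fetch them.

    Args:
      responses: Registry-value responses; ``response.registry_data.string``
        holds one RunKey command line as stored on the client.

    The command lines are client-supplied data, so they are never executed
    here; they are only expanded against the client's knowledge base to
    derive candidate file paths, which are then handed to MultiGetFile.
    """
    client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
    kb = artifact.GetArtifactKnowledgeBase(client)
    # The knowledge base is the same for every response, so the variable
    # map is built once instead of once per RunKey.
    environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

    pathspecs = []
    for response in responses:
      runkey = response.registry_data.string
      path_guesses = path_detection_windows.DetectExecutablePaths(
          [runkey], environ_vars)

      if not path_guesses:
        # Logged rather than failed: one unparseable value should not stop
        # collection of the remaining RunKeys.
        self.Log("Couldn't guess path for %s", runkey)
        continue

      pathspecs.extend(
          rdf_paths.PathSpec(
              path=guess, pathtype=rdf_paths.PathSpec.PathType.TSK)
          for guess in path_guesses)

    # Nothing to fetch means no child flow is started.
    if pathspecs:
      self.CallFlow(
          transfer.MultiGetFile.__name__,
          pathspecs=pathspecs,
          next_state="Done")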
  def _GetFilePaths(self, path, pathtype, kb):
    """Guess windows filenames from a commandline string.

    Args:
      path: The command-line string (for example a RunKey value) to resolve.
      pathtype: PathType stamped on every PathSpec that is returned.
      kb: KnowledgeBase used to expand Windows environment variables.

    Returns:
      A list of rdf_paths.PathSpec, one per guessed executable path; empty
      when no path could be guessed.
    """
    variables = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    guesses = path_detection_windows.DetectExecutablePaths([path], variables)

    if not guesses:
      # TODO(user): yield a ParserAnomaly object
      return []

    # The loop variable is deliberately not named ``path`` so the
    # parameter is not shadowed.
    pathspecs = []
    for guess in guesses:
      pathspecs.append(rdf_paths.PathSpec(path=guess, pathtype=pathtype))
    return pathspecs
    def testKnowlegeBaseUsersAttributesExpandIntoLists(self):
        """Per-user fields are gathered into one list per variable name.

        With two users in the knowledge base every user-level variable must
        map to a list of both users' values, in the order the users were
        added.
        """
        user_fields = ("appdata", "localappdata", "userdomain", "userprofile")

        kb = rdf_client.KnowledgeBase()
        for suffix in ("1", "2"):
            values = {
                field: "the_%s_%s" % (field, suffix) for field in user_fields
            }
            kb.users.append(rdf_client.User(**values))

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        expected = {}
        for field in user_fields:
            expected[field] = ["the_%s_1" % field, "the_%s_2" % field]
        self.assertDictEqual(mapping, expected)