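    def testParse(self):
        """Parse Run-key and service persistence entries into OS pathspecs.

        Builds one registry ``StatEntry`` for a value under the HKLM
        ``...\\CurrentVersion\\Run`` key plus three
        ``WindowsServiceInformation`` records whose image paths spell the
        system root three different ways (relative, ``%systemroot%`` and
        ``\\SystemRoot``). Each item must parse to exactly one result whose
        path is the bare executable: trailing arguments (``/v``,
        ``-k netsvcs``) are dropped and the system root is expanded from
        ``knowledge_base.environ_systemroot``.
        """
        parser = windows_persistence.WindowsPersistenceMechanismsParser()
        run_key_path = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                        r"\Run\test")
        pathspec = rdf_paths.PathSpec(
            path=run_key_path, pathtype=rdf_paths.PathSpec.PathType.REGISTRY)
        reg_data = "C:\\blah\\some.exe /v"
        reg_type = rdf_client.StatEntry.RegistryType.REG_SZ
        stat = rdf_client.StatEntry(
            pathspec=pathspec,
            registry_type=reg_type,
            registry_data=rdf_protodict.DataBlob(string=reg_data))

        persistence = [stat]
        image_paths = [
            "system32\\drivers\\ACPI.sys",
            "%systemroot%\\system32\\svchost.exe -k netsvcs",
            "\\SystemRoot\\system32\\drivers\\acpipmi.sys"
        ]
        reg_key = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/AcpiPmi"
        # Loop variable is distinct from the Run-key path above so the two
        # are not confused when reading the expected values.
        for image_path in image_paths:
            serv_info = rdf_client.WindowsServiceInformation(
                name="blah",
                display_name="GRRservice",
                image_path=image_path,
                registry_key=reg_key)
            persistence.append(serv_info)

        knowledge_base = rdf_client.KnowledgeBase()
        knowledge_base.environ_systemroot = "C:\\Windows"

        # One expected path per persistence item, in insertion order.
        expected = [
            "C:\\blah\\some.exe", "C:\\Windows\\system32\\drivers\\ACPI.sys",
            "C:\\Windows\\system32\\svchost.exe",
            "C:\\Windows\\system32\\drivers\\acpipmi.sys"
        ]

        for index, item in enumerate(persistence):
            results = list(
                parser.Parse(item, knowledge_base,
                             rdf_paths.PathSpec.PathType.OS))
            # Check the count first so an empty or multi-valued result fails
            # with a clear assertion message instead of an IndexError on the
            # results[0] access below.
            self.assertEqual(len(results), 1)
            self.assertEqual(results[0].pathspec.path, expected[index])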
    def FindMatchingPathspecs(self, response):
        """Return the pathspecs that a persistence-mechanism response refers to.

        A ``StatEntry`` whose pathspec already names a file (pathtype TSK or
        OS) is returned unchanged. Any other response (e.g. a registry value
        or a service record) is handed to
        ``WindowsPersistenceMechanismsParser`` together with the client's
        knowledge base, and the pathspec of every parsed item is collected.

        Args:
          response: a ``rdf_client.StatEntry`` or another record the parser
            accepts.

        Returns:
          A list of pathspecs; empty when the parser yields nothing.
        """
        file_path_types = (paths.PathSpec.PathType.TSK,
                           paths.PathSpec.PathType.OS)
        if (isinstance(response, rdf_client.StatEntry)
                and response.pathspec.pathtype in file_path_types):
            # Plain file stat: nothing to parse or guess, use its pathspec.
            return [response.pathspec]

        # The knowledge base is read from the client object and passed to
        # the parser; presumably it supplies values such as the system root
        # used when resolving paths — confirm against the parser.
        client = aff4.FACTORY.Open(self.client_id, token=self.token)
        knowledge_base = artifact.GetArtifactKnowledgeBase(client)

        # Resulting pathspecs use TSK when the flow was started with use_tsk,
        # otherwise the OS path type.
        path_type = (paths.PathSpec.PathType.TSK if self.args.use_tsk
                     else paths.PathSpec.PathType.OS)

        parser = windows_persistence.WindowsPersistenceMechanismsParser()
        return [item.pathspec
                for item in parser.Parse(response, knowledge_base, path_type)]