def EnumerateFilesystemsFromClient(args):
"""List all local filesystems mounted on this system."""
del args # Unused.
for fs_struct in client_utils_osx.GetFileSystems():
yield rdf_client_fs.Filesystem(
device=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename)
drive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
yield rdf_client_fs.Filesystem(device=path)
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
yield rdf_client_fs.Filesystem(
device="{path}:{offset}".format(path=path, offset=offset),
type="partition")
except (IOError, RuntimeError):
continue
def Run(self, unused_args):
"""List all local filesystems mounted on this system."""
for fs_struct in client_utils_osx.GetFileSystems():
self.SendReply(
rdf_client_fs.Filesystem(device=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename))
drive_re = re.compile("r?disk[0-9].*")
for drive in os.listdir("/dev"):
if not drive_re.match(drive):
continue
path = os.path.join("/dev", drive)
try:
img_inf = pytsk3.Img_Info(path)
# This is a volume or a partition - we send back a TSK device.
self.SendReply(rdf_client_fs.Filesystem(device=path))
vol_inf = pytsk3.Volume_Info(img_inf)
for volume in vol_inf:
if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC:
offset = volume.start * vol_inf.info.block_size
self.SendReply(
rdf_client_fs.Filesystem(device=path + ":" +
str(offset),
type="partition"))
except (IOError, RuntimeError):
continue
def testParse(self):
filt = filters.ItemFilter()
one = rdf_protodict.AttributedDict(test1="1", test2=[2, 3])
foo = rdf_protodict.AttributedDict(test1="foo", test2=["bar", "baz"])
fs = rdf_client_fs.Filesystem(device="/dev/sda1", mount_point="/root")
objs = [one, foo, fs]
results = filt.Parse(objs, u"test1 is '1'")
self.assertLen(results, 1)
self.assertEqual("test1", results[0].key)
self.assertEqual("1", results[0].value)
results = filt.Parse(objs, u"test1 is '2'")
self.assertFalse(results)
results = filt.Parse(objs, u"test2 contains 3")
self.assertLen(results, 1)
self.assertEqual("test2", results[0].key)
self.assertEqual([2, 3], results[0].value)
results = filt.Parse(objs, u"test1 is '1' or test1 contains 'foo'")
self.assertLen(results, 2)
self.assertEqual("test1", results[0].key)
self.assertEqual("1", results[0].value)
self.assertEqual("test1", results[1].key)
self.assertEqual("foo", results[1].value)
results = filt.Parse(objs, u"mount_point is '/root'")
self.assertLen(results, 1)
self.assertEqual("mount_point", results[0].key)
self.assertEqual("/root", results[0].value)
def Parse(self, cmd, args, stdout, stderr, return_val, time_taken,
knowledge_base):
"""Parse the mount command output."""
_ = stderr, time_taken, args, knowledge_base # Unused.
self.CheckReturn(cmd, return_val)
result = rdf_protodict.AttributedDict()
for entry in self._field_parser.ParseEntries(stdout):
line_str = " ".join(entry)
mount_rslt = self.mount_re.match(line_str)
if mount_rslt:
device, mount_point, fs_type, option_str = mount_rslt.groups()
result = rdf_client_fs.Filesystem()
result.device = device
result.mount_point = mount_point
result.type = fs_type
# Parse these options as a dict as some items may be key/values.
# KeyValue parser uses OrderedDict as the native parser method. Use it.
options = KeyValueParser(
term=",").ParseToOrderedDict(option_str)
# Keys without values get assigned [] by default. Because these keys are
# actually true, if declared, change any [] values to True.
for k, v in iteritems(options):
options[k] = v or [True]
result.options = rdf_protodict.AttributedDict(**options)
yield result
def EnumerateFilesystemsStub(self, args):
del args # Unused.
path = os.path.join(self.base_path, "osx_fsdata")
with io.open(path, "rb") as f:
filesystems = self.osx.client_utils_osx.ParseFileSystemsStruct(
self.osx.client_utils_osx.StatFS64Struct, 7, f.read())
for fs_struct in filesystems:
yield rdf_client_fs.Filesystem(device=fs_struct.f_mntfromname,
mount_point=fs_struct.f_mntonname,
type=fs_struct.f_fstypename)
def EnumerateFilesystemsFromClient(args):
"""List all the filesystems mounted on the system."""
del args # Unused.
filenames = ["/proc/mounts", "/etc/mtab"]
for filename in filenames:
for device, fs_type, mnt_point in CheckMounts(filename):
yield rdf_client_fs.Filesystem(
mount_point=mnt_point, type=fs_type, device=device)
def Run(self, unused_args):
"""List all the filesystems mounted on the system."""
self.devices = {}
# For now we check all the mounted filesystems.
self.CheckMounts("/proc/mounts")
self.CheckMounts("/etc/mtab")
for device, (fs_type, mnt_point) in iteritems(self.devices):
self.SendReply(
rdf_client_fs.Filesystem(
mount_point=mnt_point, type=fs_type, device=device))
def Parse(self, unused_stat, file_obj, unused_knowledge_base):
for entry in self.ParseEntries(file_obj.read()):
if not entry:
continue
result = rdf_client_fs.Filesystem()
result.device = entry[0].decode("string_escape")
result.mount_point = entry[1].decode("string_escape")
result.type = entry[2].decode("string_escape")
options = KeyValueParser(term=",").ParseToOrderedDict(entry[3])
# Keys without values get assigned [] by default. Because these keys are
# actually true, if declared, change any [] values to True.
for k, v in iteritems(options):
options[k] = v or [True]
result.options = rdf_protodict.AttributedDict(**options)
yield result
def Parse(self, unused_stat, file_obj, unused_knowledge_base):
for entry in self._field_parser.ParseEntries(
utils.ReadFileBytesAsUnicode(file_obj)):
if not entry:
continue
result = rdf_client_fs.Filesystem()
result.device = compatibility.UnescapeString(entry[0])
result.mount_point = compatibility.UnescapeString(entry[1])
result.type = compatibility.UnescapeString(entry[2])
options = KeyValueParser(term=",").ParseToOrderedDict(entry[3])
# Keys without values get assigned [] by default. Because these keys are
# actually true, if declared, change any [] values to True.
for k, v in iteritems(options):
options[k] = v or [True]
result.options = rdf_protodict.AttributedDict(**options)
yield result
def EnumerateFilesystemsFromClient(args):
"""List all local filesystems mounted on this system."""
del args # Unused.
for drive in win32api.GetLogicalDriveStrings().split("\x00"):
if not drive:
continue
try:
volume = win32file.GetVolumeNameForVolumeMountPoint(drive).rstrip(
"\\")
label, _, _, _, fs_type = win32api.GetVolumeInformation(drive)
except win32api.error:
continue
yield rdf_client_fs.Filesystem(device=volume,
mount_point="/%s:/" % drive[0],
type=fs_type,
label=UnicodeFromCodePage(label))
def Run(self, unused_args):
"""List all local filesystems mounted on this system."""
for drive in win32api.GetLogicalDriveStrings().split("\x00"):
if drive:
try:
volume = win32file.GetVolumeNameForVolumeMountPoint(
drive).rstrip("\\")
label, _, _, _, fs_type = win32api.GetVolumeInformation(
drive)
self.SendReply(
rdf_client_fs.Filesystem(
device=volume,
mount_point="/%s:/" % drive[0],
type=fs_type,
label=UnicodeFromCodePage(label)))
except win32api.error:
pass
def testEnumerateFilesystemsLinux(self):
"""Enumerate filesystems."""
def MockCheckMounts(unused_filename):
del unused_filename # Unused.
device = "/dev/mapper/dhcp--100--104--9--24--vg-root"
fs_type = "ext4"
mnt_point = "/"
yield device, fs_type, mnt_point
with utils.Stubber(linux, "CheckMounts", MockCheckMounts):
results = self.RunAction(linux.EnumerateFilesystems)
expected = rdf_client_fs.Filesystem(
mount_point="/",
type="ext4",
device="/dev/mapper/dhcp--100--104--9--24--vg-root")
self.assertLen(results, 2)
for result in results:
self.assertEqual(result, expected)
def ParseFile(
self,
knowledge_base: rdf_client.KnowledgeBase,
pathspec: rdf_paths.PathSpec,
filedesc: IO[bytes],
) -> Iterator[rdf_client_fs.Filesystem]:
del knowledge_base # Unused.
del pathspec # Unused.
for entry in self._field_parser.ParseEntries(
utils.ReadFileBytesAsUnicode(filedesc)):
if not entry:
continue
result = rdf_client_fs.Filesystem()
result.device = compatibility.UnescapeString(entry[0])
result.mount_point = compatibility.UnescapeString(entry[1])
result.type = compatibility.UnescapeString(entry[2])
options = KeyValueParser(term=",").ParseToOrderedDict(entry[3])
# Keys without values get assigned [] by default. Because these keys are
# actually true, if declared, change any [] values to True.
for k, v in options.items():
options[k] = v or [True]
result.options = rdf_protodict.AttributedDict(**options)
yield result
def EnumerateFilesystems(self, _):
self.response_count += 1
return [
rdf_client_fs.Filesystem(device="/dev/sda",
mount_point="/mnt/data")
]