Python YaraProcessDumpResponse Examples, grr_response_core.lib.rdfvalues.memory.YaraProcessDumpResponse Python Examples

Example #1

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testMultipleClientsWithIdenticalPathsYieldDifferentPMIs(self):
    client1 = self.SetupClient(1)
    client2 = self.SetupClient(2)

    yara_dump1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    yara_dump2 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    stat_entry1 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE))
    stat_entry2 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE))
    m0 = rdf_flows.GrrMessage(source=client1, payload=yara_dump1)
    m1 = rdf_flows.GrrMessage(source=client2, payload=yara_dump2)
    m2 = rdf_flows.GrrMessage(source=client1, payload=stat_entry1)
    m3 = rdf_flows.GrrMessage(source=client2, payload=stat_entry2)
    self._ProcessValuesWithPlugin([m0, m1, m2, m3])

    self.assertEqual(self.plugin.OutputMemoryDump.call_count, 2)
    self.plugin.OutputMemoryDump.assert_any_call(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ]), client1)
    self.plugin.OutputMemoryDump.assert_any_call(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ]), client2)

Example #2

0

Show file

 def testLegacyDataMigration(self):
     res = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
         rdf_memory.YaraProcessDumpInformation(dump_files=[
             rdf_paths.PathSpec(path="C:\\Foo\\Bar\\%s_%d_%x_%x.tmp" %
                                ("my_proc", 123, 111, 222),
                                pathtype="TMPFILE"),
             rdf_paths.PathSpec(path="/foo/bar/%s_%d_%x_%x.tmp" %
                                ("my_proc", 123, 456, 789),
                                pathtype="TMPFILE")
         ])
     ])
     memory._MigrateLegacyDumpFilesToMemoryAreas(res)
     self.assertEqual(
         res,
         rdf_memory.YaraProcessDumpResponse(dumped_processes=[
             rdf_memory.YaraProcessDumpInformation(memory_regions=[
                 rdf_memory.ProcessMemoryRegion(
                     start=111,
                     size=111,
                     file=rdf_paths.PathSpec(
                         path="/C:/Foo/Bar/%s_%d_%x_%x.tmp" %
                         ("my_proc", 123, 111, 222),
                         pathtype="TMPFILE")),
                 rdf_memory.ProcessMemoryRegion(
                     start=456,
                     size=333,
                     file=rdf_paths.PathSpec(
                         path="/foo/bar/%s_%d_%x_%x.tmp" %
                         ("my_proc", 123, 456, 789),
                         pathtype="TMPFILE"))
             ])
         ]))

Example #3

0

Show file

    def testPathSpecCasingIsCorrected(self):
        flow = memory.DumpProcessMemory(rdf_flow_objects.Flow())
        flow.SendReply = mock.Mock(spec=flow.SendReply)

        request = rdf_flow_objects.FlowRequest(
            request_data={
                "YaraProcessDumpResponse":
                rdf_memory.YaraProcessDumpResponse(dumped_processes=[
                    rdf_memory.YaraProcessDumpInformation(memory_regions=[
                        rdf_memory.ProcessMemoryRegion(
                            start=1,
                            size=1,
                            file=rdf_paths.PathSpec.Temp(
                                path="/C:/grr/x_1_0_1.tmp")),
                        rdf_memory.ProcessMemoryRegion(
                            start=1,
                            size=1,
                            file=rdf_paths.PathSpec.Temp(
                                path="/C:/GRR/x_1_1_2.tmp"))
                    ])
                ])
            })
        pathspecs = [
            rdf_paths.PathSpec.Temp(path="/C:/Grr/x_1_0_1.tmp"),
            rdf_paths.PathSpec.Temp(path="/C:/Grr/x_1_1_2.tmp")
        ]
        responses = flow_responses.Responses.FromResponses(
            request, [
                rdf_flow_objects.FlowResponse(payload=rdf_client_fs.StatEntry(
                    pathspec=pathspec)) for pathspec in pathspecs
            ])

        flow.ProcessMemoryRegions(responses)
        flow.SendReply.assert_any_call(
            rdf_memory.YaraProcessDumpResponse(dumped_processes=[
                rdf_memory.YaraProcessDumpInformation(memory_regions=[
                    rdf_memory.ProcessMemoryRegion(
                        start=1,
                        size=1,
                        file=rdf_paths.PathSpec.Temp(
                            path="/C:/Grr/x_1_0_1.tmp")),
                    rdf_memory.ProcessMemoryRegion(
                        start=1,
                        size=1,
                        file=rdf_paths.PathSpec.Temp(
                            path="/C:/Grr/x_1_1_2.tmp"))
                ])
            ]))

Example #4

0

Show file

    def Run(self, args):
        if args.prioritize_offsets and len(args.pids) != 1:
            raise ValueError(
                "Supplied prioritize_offsets {} for PIDs {} in YaraProcessDump. "
                "Required exactly one PID.".format(args.prioritize_offsets,
                                                   args.pids))

        result = rdf_memory.YaraProcessDumpResponse()

        for p in ProcessIterator(args.pids, args.process_regex, None,
                                 args.ignore_grr_process, result.errors):
            self.Progress()
            start = rdfvalue.RDFDatetime.Now()

            try:
                response = self.DumpProcess(p, args)
                now = rdfvalue.RDFDatetime.Now()
                response.dump_time_us = (now - start).ToInt(
                    rdfvalue.MICROSECONDS)
                result.dumped_processes.Append(response)
                if response.error:
                    # Limit exceeded, we bail out early.
                    break
            except Exception as e:  # pylint: disable=broad-except
                result.errors.Append(
                    rdf_memory.ProcessMemoryError(
                        process=rdf_client.Process.FromPsutilProcess(p),
                        error=str(e)))
                continue

        self.SendReply(result)

Example #5

0

Show file

File: memory.py Project: x35029/grr

    def Run(self, args):
        result = rdf_memory.YaraProcessDumpResponse()

        self.bytes_written = 0

        for p in ProcessIterator(args.pids, args.process_regex,
                                 args.ignore_grr_process, result.errors):
            self.Progress()
            start_time = time.time()

            try:
                response = self.DumpProcess(p, args)
                response.dump_time_us = int((time.time() - start_time) * 1e6)
                result.dumped_processes.Append(response)
                if response.error:
                    # Limit exceeded, we bail out early.
                    break
            except Exception as e:  # pylint: disable=broad-except
                result.errors.Append(
                    rdf_memory.ProcessMemoryError(
                        process=rdf_client.Process.FromPsutilProcess(p),
                        error=str(e)))
                continue

        self.SendReply(result)

Example #6

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testOutputPluginPersistsStateCorrectly(self):
    yara_dump_0 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
            rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)
        ])
    ])
    yara_dump_1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    stat_entry_00 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE))
    stat_entry_01 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_fa_104.tmp", pathtype=TMPFILE))
    stat_entry_10 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="foobar_456_f0_fa.tmp", pathtype=TMPFILE))

    self._ProcessValuesWithPlugin(
        [rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_0)])
    self.plugin = None

    self._ProcessValuesWithPlugin(
        [rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_1)])
    self.plugin = None

    self._ProcessValuesWithPlugin(
        [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_00)])
    self.plugin = None
    self._ProcessValuesWithPlugin(
        [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_01)])
    self.plugin.OutputMemoryDump.assert_called_once_with(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
            rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)
        ]), self.client_id)
    self.plugin = None
    self._ProcessValuesWithPlugin(
        [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_10)])
    self.plugin.OutputMemoryDump.assert_called_once_with(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE),
        ]), self.client_id)

Example #7

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testProcessesMultipleYaraProcessDumpResponsesCorrectly(self):
    yara_dump_0 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
            rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)
        ])
    ])
    yara_dump_1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    stat_entry_00 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE))
    stat_entry_01 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_fa_104.tmp", pathtype=TMPFILE))
    stat_entry_10 = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="foobar_456_f0_fa.tmp", pathtype=TMPFILE))

    m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_0)
    m1 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_1)
    m2 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_00)
    m3 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_01)
    m4 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_10)
    self._ProcessValuesWithPlugin([m0, m1, m2, m3, m4])

    self.assertEqual(self.plugin.OutputMemoryDump.call_count, 2)
    self.plugin.OutputMemoryDump.assert_any_call(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
            rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)
        ]), self.client_id)
    self.plugin.OutputMemoryDump.assert_any_call(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE),
        ]), self.client_id)

Example #8

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testCallsOutputMemoryDumpWithSingleBlob(self):
    yara_dump = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    stat_entry = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE))
    m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump)
    m1 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry)
    self._ProcessValuesWithPlugin([m0, m1])

    self.plugin.OutputMemoryDump.assert_called_once_with(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ]), self.client_id)

Example #9

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testIsResilientToTemporaryPathSpecRegression(self):
    yara_dump = rdf_memory.YaraProcessDumpResponse(dumped_processes=[
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(
                path="C:\\Foo\\my_proc_123_f0_fa.tmp", pathtype=TMPFILE),
        ])
    ])
    stat_entry = rdf_client_fs.StatEntry(
        pathspec=rdf_paths.PathSpec(
            path="/C:/Foo/my_proc_123_f0_fa.tmp",
            pathtype=TMPFILE,
            path_options=rdf_paths.PathSpec.Options.CASE_LITERAL))
    m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump)
    m1 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry)
    self._ProcessValuesWithPlugin([m0, m1])

    self.plugin.OutputMemoryDump.assert_called_once_with(
        rdf_memory.YaraProcessDumpInformation(dump_files=[
            rdf_paths.PathSpec(
                path="/C:/Foo/my_proc_123_f0_fa.tmp",
                pathtype=TMPFILE,
                path_options=rdf_paths.PathSpec.Options.CASE_LITERAL),
        ]), self.client_id)

Example #10

0

Show file

File: memory_dump_plugin_test.py Project: esmat777/grr

  def testDoesNotFailForEmptyProcessDump(self):
    yara_dump = rdf_memory.YaraProcessDumpResponse()
    message = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump)

    self._ProcessValuesWithPlugin([message])
    self.plugin.OutputMemoryDump.assert_not_called()