def Run(self, args):
if args.yara_signature or not args.signature_shard.payload:
raise ValueError(
"A Yara signature shard is required, and not the full signature.")
if args.num_signature_shards == 1:
# Skip saving to disk if there is just one shard.
yara_signature = args.signature_shard.payload.decode("utf-8")
else:
yara_signature = self._SaveSignatureShard(args)
if yara_signature is None:
# We haven't received the whole signature yet.
return
scan_request = args.Copy()
scan_request.yara_signature = yara_signature
scan_response = rdf_memory.YaraProcessScanResponse()
processes = ProcessIterator(scan_request.pids, scan_request.process_regex,
scan_request.ignore_grr_process,
scan_response.errors)
for process in processes:
self.Progress()
num_results = (
len(scan_response.errors) + len(scan_response.matches) +
len(scan_response.misses))
if num_results >= self._RESULTS_PER_RESPONSE:
self.SendReply(scan_response)
scan_response = rdf_memory.YaraProcessScanResponse()
self._ScanProcess(process, scan_request, scan_response)
self.SendReply(scan_response)
def Run(self, args):
result = rdf_memory.YaraProcessScanResponse()
for p in ProcessIterator(args.pids, args.process_regex,
args.ignore_grr_process, result.errors):
self.Progress()
n_results = len(result.errors) + len(result.matches) + len(
result.misses)
if n_results >= self._RESULTS_PER_RESPONSE:
self.SendReply(result)
result = rdf_memory.YaraProcessScanResponse()
rdf_process = rdf_client.Process.FromPsutilProcess(p)
start_time = time.time()
try:
matches = self._ScanProcess(p, args)
scan_time = time.time() - start_time
scan_time_us = int(scan_time * 1e6)
except yara.TimeoutError:
result.errors.Append(
rdf_memory.ProcessMemoryError(
process=rdf_process,
error="Scanning timed out (%s seconds)." %
(time.time() - start_time)))
continue
except Exception as e: # pylint: disable=broad-except
result.errors.Append(
rdf_memory.ProcessMemoryError(process=rdf_process,
error=str(e)))
continue
if matches:
result.matches.Append(
rdf_memory.YaraProcessScanMatch(process=rdf_process,
match=matches,
scan_time_us=scan_time_us))
else:
result.misses.Append(
rdf_memory.YaraProcessScanMiss(process=rdf_process,
scan_time_us=scan_time_us))
self.SendReply(result)
def Run(self, args):
if args.yara_signature or not args.signature_shard.payload:
raise ValueError(
"A Yara signature shard is required, and not the full signature.")
if args.num_signature_shards == 1:
# Skip saving to disk if there is just one shard.
yara_signature = args.signature_shard.payload.decode("utf-8")
else:
yara_signature = self._SaveSignatureShard(args)
if yara_signature is None:
# We haven't received the whole signature yet.
return
scan_request = args.Copy()
scan_request.yara_signature = yara_signature
scan_response = rdf_memory.YaraProcessScanResponse()
processes = list(
ProcessIterator(scan_request.pids, scan_request.process_regex,
scan_request.cmdline_regex,
scan_request.ignore_grr_process, scan_response.errors))
if config.CONFIG["Client.use_memory_sandboxing"]:
self._yara_wrapper: YaraWrapper = UnprivilegedYaraWrapper(
str(scan_request.yara_signature), processes)
else:
self._yara_wrapper: YaraWrapper = DirectYaraWrapper(
str(scan_request.yara_signature))
with self._yara_wrapper:
for process in processes:
self.Progress()
num_results = (
len(scan_response.errors) + len(scan_response.matches) +
len(scan_response.misses))
if num_results >= self._RESULTS_PER_RESPONSE:
self.SendReply(scan_response)
scan_response = rdf_memory.YaraProcessScanResponse()
self._ScanProcess(process, scan_request, scan_response)
self.SendReply(scan_response)
def testDoesNotFailForYaraProcessScanResponse(self):
yara_dump = rdf_memory.YaraProcessScanResponse()
message = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump)
self._ProcessValuesWithPlugin([message])
self.plugin.OutputMemoryDump.assert_not_called()