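    def ParseRunKeys(self, responses):
        """Get filenames from the RunKeys and download the files.

        Each response carries one Run-key registry value. That string was
        written by whatever registered the autostart entry on the client, so it
        is client-supplied input: it is only parsed to guess candidate
        executable paths and is never executed or handed to a shell here.

        Args:
          responses: Iterable of registry-value responses; each must expose
            ``registry_data.string``.

        Side effects:
          Logs every Run-key value for which no path could be guessed, and
          launches a ``MultiGetFile`` flow for all guessed paths (if any) with
          ``Done`` as the next state.
        """
        client = data_store.REL_DB.ReadClientSnapshot(self.client_id)
        kb = client.knowledge_base

        # Neither the environment-variable map nor the configured pathtype
        # depends on the individual response, so compute both once instead of
        # once per Run-key.
        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
        pathtype = config.CONFIG["Server.raw_filesystem_access_pathtype"]

        filenames = []
        for response in responses:
            runkey = response.registry_data.string

            path_guesses = path_detection_windows.DetectExecutablePaths(
                [runkey], environ_vars)

            if not path_guesses:
                self.Log("Couldn't guess path for %s", runkey)

            filenames.extend(
                rdf_paths.PathSpec(path=path, pathtype=pathtype)
                for path in path_guesses)

        if filenames:
            self.CallFlow(transfer.MultiGetFile.__name__,
                          pathspecs=filenames,
                          next_state=compatibility.GetName(self.Done))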
    def testReplacesEnvironmentVariablesWithMultipleMappings(self):
        """Test it replaces environment variables with multiple mappings.

        A single ``%AppData%`` reference must expand to one candidate path per
        value in the mapping, regardless of whether the reference is quoted.
        """

        # TODO: Raw unicode literals in Python 2 are broken since they
        # do not consider "\u" to be two characters ("\" and "u") but treat it is as
        # a unicode escape sequence. This behaviour is fixed in Python 3 so once the
        # codebase does not have to support Python 2 anymore, these escaped literals
        # can be rewritten with raw ones.

        foo_appdata = "C:\\Users\\foo\\Application Data"
        bar_appdata = "C:\\Users\\bar\\Application Data"
        mapping = {"appdata": [foo_appdata, bar_appdata]}

        expected = {
            foo_appdata + "\\Realtek\\Audio\\blah.exe",
            bar_appdata + "\\Realtek\\Audio\\blah.exe",
        }
        command_lines = [
            r"%AppData%\Realtek\Audio\blah.exe -s",
            r"'%AppData%\Realtek\Audio\blah.exe' -s",
        ]

        for command_line in command_lines:
            detected = windows.DetectExecutablePaths([command_line], mapping)
            self.assertEqual(set(detected), expected)
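    def ParseRunKeys(self, responses):
        """Get filenames from the RunKeys and download the files.

        Each response carries one Run-key registry value. That string was
        written by whatever registered the autostart entry on the client, so it
        is client-supplied input: it is only parsed to guess candidate
        executable paths and is never executed or handed to a shell here.

        Args:
          responses: Iterable of registry-value responses; each must expose
            ``registry_data.string``.

        Side effects:
          Logs every Run-key value for which no path could be guessed, and
          launches a ``MultiGetFile`` flow (TSK pathtype) for all guessed
          paths when there is at least one, with ``"Done"`` as the next state.
        """
        client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
        kb = artifact.GetArtifactKnowledgeBase(client)

        # The environment-variable map depends only on the knowledge base, not
        # on the individual response, so build it once instead of per Run-key.
        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
        pathtype = rdf_paths.PathSpec.PathType.TSK

        filenames = []
        for response in responses:
            runkey = response.registry_data.string

            path_guesses = path_detection_windows.DetectExecutablePaths(
                [runkey], environ_vars)

            if not path_guesses:
                self.Log("Couldn't guess path for %s", runkey)

            filenames.extend(
                rdf_paths.PathSpec(path=path, pathtype=pathtype)
                for path in path_guesses)

        if filenames:
            self.CallFlow(transfer.MultiGetFile.__name__,
                          pathspecs=filenames,
                          next_state="Done")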
  def testExtractsPathsFromNonRunDllStrings(self):
    """Test it extracts paths from non-rundll strings.

    The executable path must be recovered whether it is bare or single-quoted,
    and trailing command-line arguments must be dropped.
    """
    realtek = r"C:\Program Files\Realtek\Audio\blah.exe"
    nwiz = r"C:\Program Files\NVIDIA Corporation\nwiz.exe"
    cases = [
        (realtek + " -s", realtek),
        ("'" + realtek + "' -s", realtek),
        (nwiz + " /quiet /blah", nwiz),
    ]

    for command_line, expected in cases:
      detected = windows.DetectExecutablePaths([command_line])
      self.assertEqual(list(detected), [expected])
  def testReplacesEnvironmentVariable(self):
    """Test it replaces environment variables.

    A ``%ProgramFiles%`` reference, bare or single-quoted, must resolve to the
    single mapped directory.
    """
    program_files = r"C:\Program Files"
    mapping = {"programfiles": program_files}
    expected = program_files + r"\Realtek\Audio\blah.exe"

    for command_line in (r"%ProgramFiles%\Realtek\Audio\blah.exe -s",
                         r"'%ProgramFiles%\Realtek\Audio\blah.exe' -s"):
      detected = list(windows.DetectExecutablePaths([command_line], mapping))
      self.assertEqual(detected, [expected])
    def testExctactsPathsFromRunDllStrings(self):
        """Test it extracts paths from rundll strings.

        For ``rundll32.exe <module>,<entry>`` command lines both the host
        binary (``rundll32.exe``) and the loaded module path are expected.
        """
        realtek = r"C:\Program Files\Realtek\Audio\blah.exe"
        advpack = r"C:\Windows\system32\advpack.dll"
        cases = [
            ("rundll32.exe " + advpack + ",DelNodeRunDLL32", advpack),
            ("rundll32.exe '" + realtek + "',blah", realtek),
            ("'rundll32.exe' '" + realtek + "',blah", realtek),
        ]

        for command_line, module_path in cases:
            detected = set(windows.DetectExecutablePaths([command_line]))
            self.assertEqual(detected, {module_path, "rundll32.exe"})
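    def _GetFilePaths(self, path, pathtype, kb):
        """Guess windows filenames from a commandline string.

        Args:
          path: A command-line string (for example a Run-key value) from which
            executable paths are extracted. It is client data and is only
            parsed, never run.
          pathtype: The ``PathSpec`` pathtype stamped on every returned entry.
          kb: Knowledge base passed to
            ``artifact_utils.GetWindowsEnvironmentVariablesMap`` to build the
            environment-variable map used while guessing.

        Returns:
          A list of ``rdf_paths.PathSpec`` objects, one per guessed path, or an
          empty list when nothing could be extracted.
        """

        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
        path_guesses = path_detection_windows.DetectExecutablePaths(
            [path], environ_vars)

        if not path_guesses:
            # TODO(user): yield a ParserAnomaly object
            return []

        # Use a distinct loop name so the comprehension does not shadow the
        # `path` parameter (in Python 2 a list-comprehension variable leaks into
        # the enclosing scope and would overwrite it).
        return [
            rdf_paths.PathSpec(path=guess, pathtype=pathtype)
            for guess in path_guesses
        ]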
  def testReplacesEnvironmentVariablesWithMultipleMappings(self):
    """Test it replaces environment variables with multiple mappings.

    A single ``%AppData%`` reference must expand to one candidate path per
    value in the mapping, regardless of whether the reference is quoted.
    """
    foo_appdata = r"C:\Users\foo\Application Data"
    bar_appdata = r"C:\Users\bar\Application Data"
    mapping = {"appdata": [foo_appdata, bar_appdata]}

    expected = {
        foo_appdata + r"\Realtek\Audio\blah.exe",
        bar_appdata + r"\Realtek\Audio\blah.exe",
    }
    command_lines = [
        r"%AppData%\Realtek\Audio\blah.exe -s",
        r"'%AppData%\Realtek\Audio\blah.exe' -s",
    ]

    for command_line in command_lines:
      detected = windows.DetectExecutablePaths([command_line], mapping)
      self.assertEqual(set(detected), expected)