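def testMultipleHits(self):
    """Every occurrence of the literal is reported in ALL_HITS mode.

    The file is 100 copies of a 33-byte sentence with "HIT" at offset 28,
    so the result collection must hold exactly 100 hits; hit 15 therefore
    sits at 15 * 33 + 28 == 523. The expected strings show each result
    carrying 10 bytes of context on either side of the 3-byte literal.
    The fake file is removed even when an assertion fails, so it cannot
    leak into later tests.
    """
    filename = "/fs/os/c/Downloads/grepfile.txt"
    data = "random content here. I am a HIT!!" * 100
    self.CreateFile(filename, data)
    try:
        grepspec = rdf_client.BareGrepSpec(
            mode=rdf_client.GrepSpec.Mode.ALL_HITS, literal="HIT")
        # TestFlowHelper yields the session id as it drives the flow; keep
        # the last one. Start from None so a flow that never ran fails with
        # a clear assertion instead of an unbound-name error.
        session_id = None
        for session_id in test_lib.TestFlowHelper(
                "SearchFileContent",
                self.client_mock,
                client_id=self.client_id,
                paths=["/c/Downloads/grepfile.txt"],
                pathtype=rdf_paths.PathSpec.PathType.OS,
                grep=grepspec,
                token=self.token):
            pass
        self.assertIsNotNone(session_id)

        # Check the output collection is created and holds every hit.
        fd = aff4.FACTORY.Open(
            session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)
        self.assertEqual(len(fd), 100)
        self.assertEqual(fd[15].offset, 523)
        self.assertEqual(fd[38], "e. I am a HIT!!random c")
        # The final hit has no trailing context because the file ends there.
        self.assertEqual(fd[99], "e. I am a HIT!!")
    finally:
        self.DeleteFile(filename)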
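def testPatternAtBufsize(self):
    """A literal that straddles the grep read-buffer boundary is still found.

    Grep scans files in chunks of searching.Grep.BUFF_SIZE bytes. The chunk
    size is shrunk to 10000 for this test and the literal placed so that it
    begins len("HIT") bytes before the end of the first chunk; FIRST_HIT mode
    must then report exactly one hit at that offset. The reported length of
    23 is the 3-byte literal plus the context window (presumably the spec's
    default of 10 bytes on each side). The patched buffer size and the fake
    file are both undone even if an assertion fails.
    """
    old_size = searching.Grep.BUFF_SIZE
    filename = "/fs/os/c/Downloads/grepfile.txt"
    try:
        searching.Grep.BUFF_SIZE = 10000
        hit_offset = searching.Grep.BUFF_SIZE - len("HIT")
        data = "X" * hit_offset + "HIT" + "X" * 1000
        self.CreateFile(filename, data)
        try:
            grepspec = rdf_client.BareGrepSpec(
                mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="HIT")
            # Keep the last session id yielded; None means the flow never ran.
            session_id = None
            for session_id in test_lib.TestFlowHelper(
                    "SearchFileContent",
                    self.client_mock,
                    client_id=self.client_id,
                    paths=["/c/Downloads/grepfile.txt"],
                    pathtype=rdf_paths.PathSpec.PathType.OS,
                    token=self.token,
                    grep=grepspec):
                pass
            self.assertIsNotNone(session_id)

            # Check the output collection is created with the single hit.
            fd = aff4.FACTORY.Open(
                session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)
            self.assertEqual(len(fd), 1)
            self.assertEqual(fd[0].offset, hit_offset)
            self.assertEqual(fd[0].length, 23)
        finally:
            self.DeleteFile(filename)
    finally:
        # Restore the class-level buffer size so other tests see the default.
        searching.Grep.BUFF_SIZE = old_size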
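def testPatternAtBufsize(self):
    """A literal that straddles the grep read-buffer boundary is still found.

    Grep scans files in chunks of searching.Grep.BUFF_SIZE bytes. The chunk
    size is shrunk to 10000 for this test and the literal placed so that it
    begins len("HIT") bytes before the end of the first chunk; FIRST_HIT mode
    must then report exactly one hit at that offset. The reported length of
    23 is the 3-byte literal plus the context window (presumably the spec's
    default of 10 bytes on each side). The patched buffer size and the fake
    file are both undone even if an assertion fails.
    """
    old_size = searching.Grep.BUFF_SIZE
    filename = "/fs/os/c/Downloads/grepfile.txt"
    try:
        searching.Grep.BUFF_SIZE = 10000
        hit_offset = searching.Grep.BUFF_SIZE - len("HIT")
        data = "X" * hit_offset + "HIT" + "X" * 1000
        self.CreateFile(filename, data)
        try:
            grepspec = rdf_client.BareGrepSpec(
                mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="HIT")
            # Keep the last session id yielded; None means the flow never ran.
            session_id = None
            for session_id in flow_test_lib.TestFlowHelper(
                    grep.SearchFileContent.__name__,
                    self.client_mock,
                    client_id=self.client_id,
                    paths=["/c/Downloads/grepfile.txt"],
                    pathtype=rdf_paths.PathSpec.PathType.OS,
                    token=self.token,
                    grep=grepspec):
                pass
            self.assertIsNotNone(session_id)

            fd = flow.GRRFlow.ResultCollectionForFID(session_id)
            self.assertEqual(len(fd), 1)
            self.assertEqual(fd[0].offset, hit_offset)
            self.assertEqual(fd[0].length, 23)
        finally:
            self.DeleteFile(filename)
    finally:
        # Restore the class-level buffer size so other tests see the default.
        searching.Grep.BUFF_SIZE = old_size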
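def testMultipleHits(self):
    """Every occurrence of the literal is reported in ALL_HITS mode.

    The file is 100 copies of a 33-byte sentence with "HIT" at offset 28,
    so the result collection must hold exactly 100 hits; hit 15 therefore
    sits at 15 * 33 + 28 == 523. The expected strings show each result
    carrying 10 bytes of context on either side of the 3-byte literal.
    The fake file is removed even when an assertion fails, so it cannot
    leak into later tests.
    """
    filename = "/fs/os/c/Downloads/grepfile.txt"
    data = "random content here. I am a HIT!!" * 100
    self.CreateFile(filename, data)
    try:
        grepspec = rdf_client.BareGrepSpec(
            mode=rdf_client.GrepSpec.Mode.ALL_HITS, literal="HIT")
        # TestFlowHelper yields the session id as it drives the flow; keep
        # the last one. Start from None so a flow that never ran fails with
        # a clear assertion instead of an unbound-name error.
        session_id = None
        for session_id in flow_test_lib.TestFlowHelper(
                grep.SearchFileContent.__name__,
                self.client_mock,
                client_id=self.client_id,
                paths=["/c/Downloads/grepfile.txt"],
                pathtype=rdf_paths.PathSpec.PathType.OS,
                grep=grepspec,
                token=self.token):
            pass
        self.assertIsNotNone(session_id)

        fd = flow.GRRFlow.ResultCollectionForFID(session_id)
        self.assertEqual(len(fd), 100)
        self.assertEqual(fd[15].offset, 523)
        self.assertEqual(fd[38], "e. I am a HIT!!random c")
        # The final hit has no trailing context because the file ends there.
        self.assertEqual(fd[99], "e. I am a HIT!!")
    finally:
        self.DeleteFile(filename)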
class TestGrepMemory(base.AutomatedTest):
    """Test ScanMemory.

    End-to-end check that the ScanMemory flow, run on a Windows client and
    searching the first 4 GiB of memory for the literal "grr" in FIRST_HIT
    mode, writes exactly one result to the output collection. The spec asks
    for 10 bytes of context before and after the match, so the literal is
    expected at byte 10 of the 23-byte result.
    """

    platforms = ["Windows"]
    flow = "ScanMemory"
    test_output_path = "analysis/grep/testing"
    args = {
        "also_download": False,
        "grep": rdf_client.BareGrepSpec(
            literal="grr",
            # Bound the scan to 4 GiB of memory.
            length=4 * 1024 * 1024 * 1024,
            mode=rdf_client.GrepSpec.Mode.FIRST_HIT,
            bytes_before=10,
            bytes_after=10),
        "output": test_output_path,
    }

    def CheckFlow(self):
        """Verify a single FIRST_HIT result with the literal at byte 10."""
        output_urn = self.client_id.Add(self.test_output_path)
        collection = aff4.FACTORY.Open(output_urn, token=self.token)
        self.assertIsInstance(collection, aff4.RDFValueCollection)

        hit_count = len(list(collection))
        self.assertEqual(hit_count, 1)

        reference = collection[0]
        # 10 bytes before + 3-byte literal + 10 bytes after.
        self.assertEqual(reference.length, 23)
        literal_start = 10
        self.assertEqual(
            reference.data[literal_start:literal_start + 3], "grr")
class TestSearchFilesGrep(base.AutomatedTest):
    """Test SearchFileContent with grep.

    Runs SearchFileContent on a Linux client over the /bin/ls* glob with the
    literal "ELF" and also_download enabled, then checks that every result
    contains the literal and refers to an "ls" path. The collection is read
    with a retry helper because results may land asynchronously.
    """

    platforms = ["Linux"]
    flow = "SearchFileContent"
    args = {
        "paths": ["/bin/ls*"],
        "grep": rdf_client.BareGrepSpec(literal="ELF"),
        "also_download": True,
    }

    def CheckFlow(self):
        """Assert each result carries the literal and an ls pathspec."""
        results_urn = self.session_id.Add(flow_runner.RESULTS_SUFFIX)
        results = self.CheckCollectionNotEmptyWithRetry(
            results_urn, self.token)
        for hit in results:
            self.assertIn("ELF", hit.data)
            self.assertIn("ls", hit.pathspec.path)
class TestSearchFilesGrep(base.AutomatedTest):
    """Test SearchFileContent with grep.

    Runs SearchFileContent on a Linux client over the /bin/ls* glob with the
    literal "ELF" and also_download enabled, writing to a fixed output path.
    More than one result is expected, and every result must contain the
    literal and refer to an "ls" path.
    """

    platforms = ["Linux"]
    flow = "SearchFileContent"
    test_output_path = "analysis/SearchFilesGrep/testing"
    args = {
        "output": test_output_path,
        "paths": ["/bin/ls*"],
        "grep": rdf_client.BareGrepSpec(literal="ELF"),
        "also_download": True,
    }

    def CheckFlow(self):
        """Assert several results, each with the literal and an ls pathspec."""
        output_urn = self.client_id.Add(self.test_output_path)
        results = aff4.FACTORY.Open(output_urn, token=self.token)
        self.assertGreater(len(results), 1)
        for hit in results:
            self.assertIn("ELF", hit.data)
            self.assertIn("ls", hit.pathspec.path)
def testNormalGrep(self):
    """FIRST_HIT grep over a mocked /proc cmdline returns one hit at offset 3.

    The expected result string shows the NUL-separated cmdline content with
    the match in the middle; its reported length is 18 bytes.
    """
    grepspec = rdf_client.BareGrepSpec(
        mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="hello")

    # Drive the flow to completion; the last yielded value is the session id.
    for session_id in flow_test_lib.TestFlowHelper(
            grep.SearchFileContent.__name__,
            self.client_mock,
            client_id=self.client_id,
            paths=["/proc/10/cmdline"],
            pathtype=rdf_paths.PathSpec.PathType.OS,
            token=self.token,
            grep=grepspec):
        pass

    results = flow.GRRFlow.ResultCollectionForFID(session_id)
    self.assertEqual(len(results), 1)

    first_hit = results[0]
    self.assertEqual(first_hit.offset, 3)
    self.assertEqual(first_hit, "ls\x00hello world\'\x00-l")
    self.assertEqual(first_hit.length, 18)
def testScanMemory(self):
    """ScanMemory in ALL_HITS mode finds every "88" in a file-backed image.

    A plain text file stands in for the memory image: the client mock
    reports it as the memory device with a single run starting at offset 0.
    The flow is expected to record 20 hits, the first at offset 252 with the
    surrounding lines as context.
    """
    # Use a file in place of a memory image for simplicity.
    image_path = os.path.join(self.base_path, "numbers.txt")

    self.CreateClient()
    self.CreateSignedDriver()

    class ClientMock(action_mocks.MemoryClientMock):
        """A mock which returns the image as the driver path."""

        def GetMemoryInformation(self, _):
            """Mock out the driver loading code to pass the memory image."""
            device = rdf_paths.PathSpec(
                path=image_path,
                pathtype=rdf_paths.PathSpec.PathType.OS)
            info = rdf_rekall_types.MemoryInformation(device=device)
            info.runs.Append(offset=0, length=1000000000)
            return [info]

    output_path = "analysis/grep/testing"
    flow_args = dict(
        grep=rdf_client.BareGrepSpec(
            literal="88",
            mode="ALL_HITS",
        ),
        output=output_path)

    # Run the flow to completion; the yielded session ids are not needed.
    for _ in test_lib.TestFlowHelper(
            "ScanMemory",
            ClientMock("Grep"),
            client_id=self.client_id,
            token=self.token,
            **flow_args):
        pass

    output_urn = rdfvalue.RDFURN(self.client_id).Add("/analysis/grep/testing")
    results = aff4.FACTORY.Open(output_urn, token=self.token)
    self.assertEqual(len(results), 20)

    first_hit = results[0]
    self.assertEqual(first_hit.offset, 252)
    self.assertEqual(first_hit.data, "\n85\n86\n87\n88\n89\n90\n91\n")
def testNormalGrep(self):
    """FIRST_HIT grep over a mocked /proc cmdline returns one hit at offset 3.

    The expected result string shows the NUL-separated cmdline content with
    the match in the middle; its reported length is 18 bytes.
    """
    grepspec = rdf_client.BareGrepSpec(
        mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="hello")

    # Drive the flow to completion; the last yielded value is the session id.
    for session_id in test_lib.TestFlowHelper(
            "SearchFileContent",
            self.client_mock,
            client_id=self.client_id,
            paths=["/proc/10/cmdline"],
            pathtype=rdf_paths.PathSpec.PathType.OS,
            token=self.token,
            grep=grepspec):
        pass

    # Check the output collection is created.
    results_urn = session_id.Add(flow_runner.RESULTS_SUFFIX)
    results = aff4.FACTORY.Open(results_urn, token=self.token)
    self.assertEqual(len(results), 1)

    first_hit = results[0]
    self.assertEqual(first_hit.offset, 3)
    self.assertEqual(first_hit, "ls\x00hello world\'\x00-l")
    self.assertEqual(first_hit.length, 18)