  def _FindMatchingPathspecs(self, response):
    """Map one collected persistence ``response`` onto pathspecs to fetch.

    A file ``StatEntry`` whose pathspec already addresses a filesystem
    (TSK, OS or NTFS) needs no interpretation and is returned unchanged.
    Anything else (presumably a registry ``StatEntry`` or a service record;
    the parser decides what it understands) is handed to
    ``WindowsPersistenceMechanismsParser`` together with the client's
    knowledge base, and every pathspec it yields is re-labelled with the
    path type selected by ``self.args``.

    Args:
      response: a single item produced by the persistence collection step.

    Returns:
      A list of ``rdf_paths.PathSpec``; empty when the parser extracts
      nothing from ``response``.
    """
    filesystem_types = (
        rdf_paths.PathSpec.PathType.TSK,
        rdf_paths.PathSpec.PathType.OS,
        rdf_paths.PathSpec.PathType.NTFS,
    )
    if isinstance(response, rdf_client_fs.StatEntry):
      if response.pathspec.pathtype in filesystem_types:
        # Already a concrete filesystem path: nothing to parse or guess.
        return [response.pathspec]

    knowledge_base = _ReadClientKnowledgeBase(self.client_id)

    # Either flag selects raw (TSK) access; otherwise go through the OS.
    raw_access = self.args.use_raw_filesystem_access or self.args.use_tsk
    path_type = (rdf_paths.PathSpec.PathType.TSK if raw_access
                 else rdf_paths.PathSpec.PathType.OS)

    parser = windows_persistence.WindowsPersistenceMechanismsParser()
    parsed_items = list(parser.ParseResponse(knowledge_base, response))

    # The parser does not know which access method the flow chose, so the
    # pathtype is stamped here, mutating each parsed pathspec in place.
    pathspecs = []
    for item in parsed_items:
      pathspec = item.pathspec
      pathspec.pathtype = path_type
      pathspecs.append(pathspec)

    return pathspecs
    def testParse(self):
        """Each persistence item should parse to exactly one resolved path."""
        parser = windows_persistence.WindowsPersistenceMechanismsParser()

        # A Run-key value carrying a command line with an argument; the
        # parser is expected to keep only the executable, dropping "/v".
        run_key = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
                   r"\Run\test")
        run_pathspec = rdf_paths.PathSpec(
            path=run_key, pathtype=rdf_paths.PathSpec.PathType.REGISTRY)
        run_entry = rdf_client_fs.StatEntry(
            pathspec=run_pathspec,
            registry_type=rdf_client_fs.StatEntry.RegistryType.REG_SZ,
            registry_data=rdf_protodict.DataBlob(string="C:\\blah\\some.exe /v"))

        # Service image paths in three spellings: relative to the system
        # root, with a %systemroot% variable plus arguments, and with the
        # kernel-style \SystemRoot prefix.
        service_key = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/AcpiPmi"
        image_paths = (
            "system32\\drivers\\ACPI.sys",
            "%systemroot%\\system32\\svchost.exe -k netsvcs",
            "\\SystemRoot\\system32\\drivers\\acpipmi.sys",
        )
        services = [
            rdf_client.WindowsServiceInformation(
                name="blah",
                display_name="GRRservice",
                image_path=image_path,
                registry_key=service_key)
            for image_path in image_paths
        ]
        persistence = [run_entry] + services

        # The knowledge base supplies the system root used to expand the
        # relative and variable-based image paths above.
        knowledge_base = rdf_client.KnowledgeBase()
        knowledge_base.environ_systemroot = "C:\\Windows"

        expected = [
            "C:\\blah\\some.exe", "C:\\Windows\\system32\\drivers\\ACPI.sys",
            "C:\\Windows\\system32\\svchost.exe",
            "C:\\Windows\\system32\\drivers\\acpipmi.sys"
        ]

        for item, expected_path in zip(persistence, expected):
            results = list(
                parser.Parse(item, knowledge_base,
                             rdf_paths.PathSpec.PathType.OS))
            self.assertEqual(results[0].pathspec.path, expected_path)
            self.assertEqual(len(results), 1)
  def FindMatchingPathspecs(self, response):
    """Map one collected persistence ``response`` onto pathspecs to fetch.

    A file ``StatEntry`` whose pathspec already addresses a filesystem
    (TSK or OS) is returned unchanged. Anything else is handed to
    ``WindowsPersistenceMechanismsParser`` together with the client's
    artifact knowledge base and the path type selected by
    ``self.args.use_tsk``; the parser presumably resolves registry and
    service data from the client into concrete paths (confirm against the
    parser's own tests).

    Args:
      response: a single item produced by the persistence collection step.

    Returns:
      A list of ``rdf_paths.PathSpec``; empty when the parser extracts
      nothing from ``response``.
    """
    filesystem_types = (
        rdf_paths.PathSpec.PathType.TSK,
        rdf_paths.PathSpec.PathType.OS,
    )
    if isinstance(response, rdf_client.StatEntry):
      if response.pathspec.pathtype in filesystem_types:
        # Already a concrete filesystem path: nothing to parse or guess.
        return [response.pathspec]

    # The knowledge base (OS version, environment variables, ...) lives on
    # the client object, so open it first.
    client = aff4.FACTORY.Open(self.client_id, token=self.token)
    knowledge_base = artifact.GetArtifactKnowledgeBase(client)

    path_type = (rdf_paths.PathSpec.PathType.TSK if self.args.use_tsk
                 else rdf_paths.PathSpec.PathType.OS)

    parser = windows_persistence.WindowsPersistenceMechanismsParser()
    return [
        parsed.pathspec
        for parsed in parser.Parse(response, knowledge_base, path_type)
    ]