def Run(self):
acl_test_lib.CreateUser(self.token.username)
with test_lib.FakeTime(42):
client_id = self.SetupClient(0)
with test_lib.FakeTime(43):
flow_id_1 = flow_test_lib.StartFlow(
discovery.Interrogate, client_id, creator=self.token.username)
with test_lib.FakeTime(44):
flow_id_2 = flow_test_lib.StartFlow(
processes.ListProcesses, client_id, creator=self.token.username)
replace = api_regression_test_lib.GetFlowTestReplaceDict(
client_id, flow_id_1, "F:ABCDEF10")
replace.update(
api_regression_test_lib.GetFlowTestReplaceDict(client_id, flow_id_2,
"F:ABCDEF11"))
self.Check(
"ListFlows",
args=flow_plugin.ApiListFlowsArgs(client_id=client_id),
replace=replace)
self.Check(
"ListFlows",
args=flow_plugin.ApiListFlowsArgs(
client_id=client_id,
top_flows_only=True,
),
replace=replace)
self.Check(
"ListFlows",
args=flow_plugin.ApiListFlowsArgs(
client_id=client_id,
min_started_at=rdfvalue.RDFDatetimeSeconds(44),
top_flows_only=True,
),
replace=replace)
self.Check(
"ListFlows",
args=flow_plugin.ApiListFlowsArgs(
client_id=client_id,
max_started_at=rdfvalue.RDFDatetimeSeconds(43),
top_flows_only=True,
),
replace=replace)
def _ConvertStatEntry(entry: filesystem_pb2.StatEntry,
pathspec: rdf_paths.PathSpec) -> rdf_client_fs.StatEntry:
"""Converts a stat entry from a filesystem_pb2 protobuf to RDF."""
st = rdf_client_fs.StatEntry()
st.pathspec = pathspec.Copy()
if entry.HasField("st_mode"):
st.st_mode = entry.st_mode
# TODO: Expose st_ino as well.
# It's not exposed at the moment for compatibility with
# vfs_handlers/ntfs.py, which doesn't expose it.
if entry.HasField("st_dev"):
st.st_dev = entry.st_dev
if entry.HasField("st_nlink"):
st.st_nlink = entry.st_nlink
if entry.HasField("st_uid"):
st.st_uid = entry.st_uid
if entry.HasField("st_gid"):
st.st_gid = entry.st_gid
if entry.HasField("st_size"):
st.st_size = entry.st_size
st.st_atime = rdfvalue.RDFDatetimeSeconds(entry.st_atime.seconds)
st.st_mtime = rdfvalue.RDFDatetimeSeconds(entry.st_mtime.seconds)
st.st_btime = rdfvalue.RDFDatetimeSeconds(entry.st_btime.seconds)
st.st_ctime = rdfvalue.RDFDatetimeSeconds(entry.st_ctime.seconds)
if entry.HasField("ntfs"):
if entry.ntfs.is_directory:
st.st_mode |= stat.S_IFDIR
else:
st.st_mode |= stat.S_IFREG
flags = entry.ntfs.flags
st.st_mode |= stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH
if (flags & stat.FILE_ATTRIBUTE_READONLY) == 0:
st.st_mode |= stat.S_IWUSR | stat.S_IWGRP | stat.S_IWOTH
if (flags & stat.FILE_ATTRIBUTE_HIDDEN) == 0:
st.st_mode |= stat.S_IRUSR | stat.S_IRGRP | stat.S_IROTH
return st
def testExistingFileStat(self):
bash_stat = {
"st_ctime":
rdfvalue.RDFDatetimeSeconds(1299502221),
"st_rdev":
0,
"st_mtime":
rdfvalue.RDFDatetimeSeconds(1284154642),
"st_blocks":
16,
"st_nlink":
1,
"st_gid":
0,
"st_blksize":
4096,
"pathspec":
rdf_paths.PathSpec(path="/bin/bash",
pathtype="OS",
path_options="CASE_LITERAL"),
"st_dev":
51713,
"st_size":
4874,
"st_ino":
1026148,
"st_uid":
0,
"st_mode":
rdf_client_fs.StatMode(33261),
"st_atime":
rdfvalue.RDFDatetimeSeconds(1299502220)
}
bash_path = os.path.join("/", self.client_name, "fs/os/c/bin/bash")
self.assertCountEqual(self.passthrough.getattr(bash_path), bash_stat)
def testRegistryKeyConverterWorksWithRegistryKeys(self):
# Registry keys won't have registry_type and registry_data set.
stat = rdf_client_fs.StatEntry(
st_mode=32768,
st_size=51,
st_mtime=1247546054,
pathspec=rdf_paths.PathSpec(
path="/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar",
pathtype=rdf_paths.PathSpec.PathType.REGISTRY))
converter = file.StatEntryToExportedRegistryKeyConverter()
results = list(converter.Convert(self.metadata, stat))
self.assertLen(results, 1)
self.assertEqual(
results[0].urn,
rdfvalue.RDFURN("aff4:/%s/registry/HKEY_USERS/S-1-5-20/Software/"
"Microsoft/Windows/CurrentVersion/Run/Sidebar" %
self.client_id))
self.assertEqual(results[0].last_modified,
rdfvalue.RDFDatetimeSeconds(1247546054))
self.assertEqual(results[0].data, b"")
self.assertEqual(results[0].type, 0)
def testStatEntryToExportedRegistryKeyConverter(self):
stat = rdf_client_fs.StatEntry(
st_mode=32768,
st_size=51,
st_mtime=1247546054,
registry_type=rdf_client_fs.StatEntry.RegistryType.REG_EXPAND_SZ,
pathspec=rdf_paths.PathSpec(
path="/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar",
pathtype=rdf_paths.PathSpec.PathType.REGISTRY),
registry_data=rdf_protodict.DataBlob(string="Sidebar.exe"))
converter = file.StatEntryToExportedRegistryKeyConverter()
results = list(converter.Convert(self.metadata, stat))
self.assertLen(results, 1)
self.assertEqual(
results[0].urn, "aff4:/%s/registry/HKEY_USERS/S-1-5-20/Software/"
"Microsoft/Windows/CurrentVersion/Run/Sidebar" % self.client_id)
self.assertEqual(results[0].last_modified,
rdfvalue.RDFDatetimeSeconds(1247546054))
self.assertEqual(results[0].type,
rdf_client_fs.StatEntry.RegistryType.REG_EXPAND_SZ)
self.assertEqual(results[0].data, b"Sidebar.exe")
def testBug122716179(self):
d = rdfvalue.RDFDatetimeSeconds.FromSecondsSinceEpoch(1)
self.assertEqual(d.AsMicrosecondsSinceEpoch(), 1000000)
diff = rdfvalue.RDFDatetimeSeconds(10) - rdfvalue.Duration("3s")
self.assertEqual(diff.AsMicrosecondsSinceEpoch(), 7000000)