def testLiteralMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
match = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
bytes_before=10,
bytes_after=10,
literal="session opened for user dearjohn")
literal_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=match)
for action in self.CONDITION_TESTS_ACTIONS:
results = self.RunFlowAndCheckResults(
action=action,
conditions=[literal_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that the results' matches fields are correctly filled.
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 350)
self.assertEqual(
results[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testFindsKeyWithLiteralAndModificationTimeConditions(self):
modification_time = rdf_file_finder.FileFinderModificationTimeCondition(
min_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
1247546054 - 1),
max_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch(
1247546054 + 1))
vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
bytes_before=10,
bytes_after=10,
literal="Windows Sidebar\\Sidebar.exe")
client_id = self.SetupClient(0)
session_id = self.RunFlow(client_id, [self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
MODIFICATION_TIME,
modification_time=modification_time),
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=vlm)
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
# We expect Sidebar and MctAdmin keys here (see
# test_data/client_fixture.py).
self.assertEqual(
results[0].stat_entry.AFF4Path(client_id),
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
def testLiteralMatchConditionWithHexEncodedValue(self):
match = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode.
FIRST_HIT,
bytes_before=10,
bytes_after=10,
literal=b"\x4D\x5A\x90")
literal_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=match)
paths = [
os.path.join(os.path.dirname(self.fixture_path), "win_hello.exe")
]
results = self.RunFlow(paths=paths, conditions=[literal_condition])
# Check that the results' matches fields are correctly filled. Expecting a
# match from win_hello.exe
self.assertLen(results, 1)
self.assertLen(results[0].matches, 1)
self.assertEqual(results[0].matches[0].offset, 0)
self.assertEqual(results[0].matches[0].data,
b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff")
def testFindsKeyIfItMatchesLiteralMatchCondition(self):
vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
bytes_before=10,
bytes_after=10,
literal="Windows Sidebar\\Sidebar.exe")
client_id = self.SetupClient(0)
session_id = self.RunFlow(client_id, [self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=vlm)
])
results = self.GetResults(session_id)
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 15)
self.assertEqual(results[0].matches[0].data,
"ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")
self.assertEqual(
results[0].stat_entry.AFF4Path(client_id),
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
self.assertEqual(
results[0].stat_entry.pathspec.path,
"/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdf_paths.PathSpec.PathType.REGISTRY)
def testLiteralMatchConditionWithHexEncodedValue(self):
match = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode.
FIRST_HIT,
bytes_before=10,
bytes_after=10,
literal="\x4D\x5A\x90")
literal_condition = rdf_file_finder.FileFinderCondition(
condition_type=rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=match)
paths = [os.path.join(os.path.dirname(self.fixture_path), "hello.exe")]
session_id = flow_test_lib.TestFlowHelper(
file_finder.FileFinder.__name__,
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdf_paths.PathSpec.PathType.OS,
conditions=[literal_condition],
token=self.token)
# Check that the results' matches fields are correctly filled. Expecting a
# match from hello.exe
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 0)
self.assertEqual(fd[0].matches[0].data,
"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff")
def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
bytes_before=10, bytes_after=10, literal="CanNotFindMe")
client_id = self.SetupClient(0)
session_id = self.RunFlow(client_id, [self.runkey], [
registry.RegistryFinderCondition(
condition_type=registry.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=vlm)
])
self.AssertNoResults(session_id)
def testCopyHuntHandlesLiteralExpressionCorrectly(self):
"""Literals are raw bytes. Testing that raw bytes are processed right."""
literal_match = rdf_file_finder.FileFinderContentsLiteralMatchCondition(
literal=b"foo\x0d\xc8bar")
self.StartHunt(
description="model hunt",
flow_runner_args=rdf_flow_runner.FlowRunnerArgs(
flow_name=file_finder.FileFinder.__name__),
flow_args=rdf_file_finder.FileFinderArgs(
conditions=[
rdf_file_finder.FileFinderCondition(
condition_type="CONTENTS_LITERAL_MATCH",
contents_literal_match=literal_match)
],
paths=["/tmp/evil.txt"]),
token=self.token)
self.Open("/#main=ManageHunts")
self.Click("css=tr:contains('model hunt')")
self.Click("css=button[name=CopyHunt]:not([disabled])")
# Wait until dialog appears.
self.WaitUntil(self.IsTextPresent, "What to run?")
# Check that non-default values of sample hunt are prefilled.
self.WaitUntilEqual(
"foo\\x0d\\xc8bar", self.GetValue, "css=grr-new-hunt-wizard-form "
"label:contains('Literal') ~ * input:text")
# Click on "Next" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsElementPresent,
"css=grr-wizard-form:contains('Hunt parameters')")
# Click on "Next" button.
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsTextPresent, "How to process results")
# Click on "Next" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsTextPresent, "Where to run?")
# Click on "Next" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsTextPresent, "Review")
# Check that the arguments summary is present.
self.WaitUntil(self.IsTextPresent, file_finder.FileFinder.__name__)
self.WaitUntil(self.IsTextPresent, "foo\\x0d\\xc8bar")
# Click on "Run" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsTextPresent, "Created Hunt")
# Close the window and check that the hunt was created.
self.Click("css=button.Next")
if data_store.RelationalDBReadEnabled():
hunts_list = sorted(
data_store.REL_DB.ReadHuntObjects(offset=0, count=10),
key=lambda x: x.create_time)
self.assertLen(hunts_list, 2)
last_hunt = hunts_list[-1]
# Check that the hunt was created with a correct literal value.
self.assertEqual(last_hunt.args.standard.flow_name,
file_finder.FileFinder.__name__)
self.assertEqual(
last_hunt.args.standard.flow_args.conditions[0].contents_literal_match
.literal, b"foo\x0d\xc8bar")
else:
hunts_root = aff4.FACTORY.Open("aff4:/hunts", token=self.token)
hunts_list = sorted(list(hunts_root.ListChildren()), key=lambda x: x.age)
self.assertLen(hunts_list, 2)
last_hunt = aff4.FACTORY.Open(hunts_list[-1], token=self.token)
# Check that the hunt was created with a correct literal value.
self.assertEqual(last_hunt.args.flow_runner_args.flow_name,
file_finder.FileFinder.__name__)
self.assertEqual(
last_hunt.args.flow_args.conditions[0].contents_literal_match.literal,
b"foo\x0d\xc8bar")
def testPassesAllConditionsToClientFileFinderWhenAllConditionsSpecified(
self):
modification_time = rdf_file_finder.FileFinderModificationTimeCondition(
min_last_modified_time=rdfvalue.RDFDatetime.Now(), )
access_time = rdf_file_finder.FileFinderAccessTimeCondition(
min_last_access_time=rdfvalue.RDFDatetime.Now(), )
inode_change_time = rdf_file_finder.FileFinderInodeChangeTimeCondition(
min_last_inode_change_time=rdfvalue.RDFDatetime.Now(), )
size = rdf_file_finder.FileFinderSizeCondition(min_file_size=42, )
ext_flags = rdf_file_finder.FileFinderExtFlagsCondition(
linux_bits_set=42, )
contents_regex_match = (
rdf_file_finder.FileFinderContentsRegexMatchCondition(
regex=b"foo", ))
contents_literal_match = (
rdf_file_finder.FileFinderContentsLiteralMatchCondition(
literal=b"bar", ))
flow_id = flow_test_lib.StartFlow(
file.CollectMultipleFiles,
client_id=self.client_id,
path_expressions=["/some/path"],
modification_time=modification_time,
access_time=access_time,
inode_change_time=inode_change_time,
size=size,
ext_flags=ext_flags,
contents_regex_match=contents_regex_match,
contents_literal_match=contents_literal_match,
)
children = data_store.REL_DB.ReadChildFlowObjects(
self.client_id, flow_id)
self.assertLen(children, 1)
child = children[0]
self.assertEqual(child.flow_class_name,
file_finder.ClientFileFinder.__name__)
# We expect 7 condition-attributes to be converted
# to 7 FileFinderConditions.
self.assertLen(child.args.conditions, 7)
def _GetCondition(condition_type):
for c in child.args.conditions:
if c.condition_type == condition_type:
return c.UnionCast()
raise RuntimeError(
f"Condition of type {condition_type} not found.")
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME),
modification_time)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.ACCESS_TIME),
access_time)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.INODE_CHANGE_TIME),
inode_change_time)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.SIZE), size)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.EXT_FLAGS),
ext_flags)
self.assertEqual(
_GetCondition(
rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH),
contents_regex_match)
self.assertEqual(
_GetCondition(rdf_file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH), contents_literal_match)
