def testFindsKeyIfItMatchesLiteralMatchCondition(self):
value_literal_match = rdfvalue.FileFinderContentsLiteralMatchCondition(
literal="Windows Sidebar\\Sidebar.exe")
self.RunFlow([
"HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
], [
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=value_literal_match)
])
results = self.GetResults()
self.assertEqual(len(results), 1)
self.assertEqual(len(results[0].matches), 1)
self.assertEqual(results[0].matches[0].offset, 15)
self.assertEqual(results[0].matches[0].data,
"ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun")
self.assertEqual(
results[0].stat_entry.aff4path,
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
self.assertEqual(
results[0].stat_entry.pathspec.path,
"/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/"
"CurrentVersion/Run/Sidebar")
self.assertEqual(results[0].stat_entry.pathspec.pathtype,
rdfvalue.PathSpec.PathType.REGISTRY)
def testFindsKeyWithLiteralAndModificaitonTimeConditions(self):
modification_time = rdfvalue.FileFinderModificationTimeCondition(
min_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
1247546054 - 1),
max_last_modified_time=rdfvalue.RDFDatetime().FromSecondsFromEpoch(
1247546054 + 1))
value_literal_match = rdfvalue.FileFinderContentsLiteralMatchCondition(
literal="Windows Sidebar\\Sidebar.exe")
self.RunFlow([
"HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
], [
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
MODIFICATION_TIME,
modification_time=modification_time),
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=value_literal_match)
])
results = self.GetResults()
self.assertEqual(len(results), 1)
# We expect Sidebar and MctAdmin keys here (see
# test_data/client_fixture.py).
self.assertEqual(
results[0].stat_entry.aff4path,
"aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/"
"Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
def testLiteralMatchConditionWithDifferentActions(self):
expected_files = ["auth.log"]
non_expected_files = ["dpkg.log", "dpkg_false.log"]
literal_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_LITERAL_MATCH,
contents_literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
self.RunFlowAndCheckResults(
action=action,
conditions=[literal_condition],
expected_files=expected_files,
non_expected_files=non_expected_files)
# Check that the results' matches fields are correctly filled.
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testMemoryImageLiteralMatchConditionWithSendToSocketAction(self):
literal_condition = rdfvalue.MemoryCollectorCondition(
condition_type=rdfvalue.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
dump_option = rdfvalue.MemoryCollectorDumpOption(
option_type=rdfvalue.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_urn, encrypted, decrypted = self.RunWithSendToSocket(
dump_option, conditions=[literal_condition])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump)
def testMemoryImageLiteralMatchConditionWithDownloadAction(self):
literal_condition = rdfvalue.MemoryCollectorCondition(
condition_type=rdfvalue.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
dump_option = rdfvalue.MemoryCollectorDumpOption(
option_type=rdfvalue.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option, conditions=[literal_condition])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# First item of the collection is the BufferReference, second is the
# path of the downloaded
self.assertEqual(len(output), 2)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
self.assertTrue(isinstance(output[1], rdfvalue.StatEntry))
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file, token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
def testDoesNothingWhenConditionDoesNotMatch(self):
literal_condition = rdfvalue.MemoryCollectorCondition(
condition_type=rdfvalue.MemoryCollectorCondition.Type.
LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
literal="session opened for user foobar"))
dump_option = rdfvalue.MemoryCollectorDumpOption(
option_type=rdfvalue.MemoryCollectorDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option,
conditions=[literal_condition])
# Check that there are no matches
with self.assertRaises(aff4.InstantiationError):
aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# Assert nothing got downloaded
self.assertTrue("dest_path" not in flow_obj.state)
self.assertTrue("downloaded_file" not in flow_obj.state)
def testFindsNothingIfNothingMatchesLiteralMatchCondition(self):
value_literal_match = rdfvalue.FileFinderContentsLiteralMatchCondition(
literal="CanNotFindMe")
self.RunFlow([
"HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/CurrentVersion/Run/*"
], [
rdfvalue.RegistryFinderCondition(
condition_type=rdfvalue.RegistryFinderCondition.Type.
VALUE_LITERAL_MATCH,
value_literal_match=value_literal_match)
])
self.AssertNoResults()
def testMemoryImageLiteralMatchConditionWithNoAction(self):
literal_condition = rdfvalue.MemoryCollectorCondition(
condition_type=rdfvalue.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
self.RunWithNoAction(conditions=[literal_condition])
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self):
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.OS] = test_lib.FakeTestDataVFSHandler
vfs.VFS_HANDLERS[
rdfvalue.PathSpec.PathType.MEMORY] = test_lib.FakeTestDataVFSHandler
paths = [os.path.join(os.path.dirname(self.base_path), "auth.log"),
os.path.join(os.path.dirname(self.base_path), "dpkg.log")]
literal_condition = rdfvalue.FileFinderCondition(
condition_type=rdfvalue.FileFinderCondition.Type.CONTENTS_LITERAL_MATCH,
contents_literal_match=rdfvalue.FileFinderContentsLiteralMatchCondition(
mode=rdfvalue.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
literal="session opened for user dearjohn"))
# Check this condition with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in sorted(
file_finder.FileFinderAction.Action.enum_dict.values()):
for _ in test_lib.TestFlowHelper(
"FileFinder", self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdfvalue.PathSpec.PathType.MEMORY,
conditions=[literal_condition],
action=file_finder.FileFinderAction(
action_type=action),
token=self.token,
output=self.output_path):
pass
self.CheckFilesInCollection(["auth.log"])
fd = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")