def setUp(self):
super(ListVADBinariesTest, self).setUp()
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
client.Set(client.Schema.SYSTEM("Windows"))
client.Set(client.Schema.OS_VERSION("6.2"))
client.Flush()
self.os_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture)
self.reg_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler)
self.os_overrider.Start()
self.reg_overrider.Start()
# Add some user accounts to this client.
fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
users = fd.Schema.USER()
users.Append(rdf_client.User(
username="******", domain="testing-PC",
homedir=r"C:\Users\localservice", sid="S-1-5-20"))
fd.Set(users)
fd.Close()
self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"]
flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
def testRegistryDefaultValueArtifact(self):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock(standard.StatFile)
coll1 = artifact_registry.ArtifactSource(
type=artifact_registry.ArtifactSource.SourceType.
REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE/SOFTWARE/ListingTest"),
"value":
""
}]
})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id):
session_id = s
fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
token=self.token)
self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
self.assertEqual(fd[0].registry_data.GetValue(), "DefaultValue")
def setUp(self):
super(ListVADBinariesTest, self).setUp()
self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64")
self.os_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture)
self.reg_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler)
self.os_overrider.Start()
self.reg_overrider.Start()
# Add some user accounts to this client.
fd = aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token)
kb = fd.Get(fd.Schema.KNOWLEDGE_BASE)
kb.environ_systemdrive = "C:"
kb.MergeOrAddUser(
rdf_client.KnowledgeBaseUser(username="******",
userdomain="testing-PC",
homedir=r"C:\Users\localservice",
sid="S-1-5-20"))
fd.Set(kb)
fd.Close()
self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"]
flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
def testRetrieveDependencies(self):
"""Test getting an artifact without a KB using retrieve_depdendencies."""
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock(standard.StatFile)
artifact_list = ["WinDirEnvironmentVariable"]
for s in test_lib.TestFlowHelper(
"ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
dependencies=artifact_utils.ArtifactCollectorFlowArgs.
Dependency.FETCH_NOW):
session_id = s
output = aff4.FACTORY.Open(session_id.Add(
flow_runner.RESULTS_SUFFIX),
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0], r"C:\Windows")
def testSystemDriveArtifact(self):
self._PrepareWindowsClient()
class BrokenClientMock(action_mocks.ActionMock):
def StatFile(self, _):
raise IOError
def ListDirectory(self, _):
raise IOError
# No registry, broken filesystem, this should just raise.
with self.assertRaises(RuntimeError):
for _ in test_lib.TestFlowHelper(
"ArtifactCollectorFlow",
BrokenClientMock(),
artifact_list=["SystemDriveEnvironmentVariable"],
token=self.token,
client_id=self.client_id,
output="testsystemdrive"):
pass
# No registry, so this should use the fallback flow
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.ClientVFSHandlerFixture):
self._CheckDriveAndRoot()
# Registry is present, so this should use the regular artifact collection
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
self._CheckDriveAndRoot()
def testRetrieveDependencies(self):
"""Test getting an artifact without a KB using retrieve_depdendencies."""
self._PrepareWindowsClient()
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock("TransferBuffer",
"StatFile", "Find",
"HashBuffer",
"FingerprintFile",
"ListDirectory")
artifact_list = ["WinDirEnvironmentVariable"]
for _ in test_lib.TestFlowHelper(
"ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id,
dependencies=artifact_utils.ArtifactCollectorFlowArgs.
Dependency.FETCH_NOW,
output="testRetrieveDependencies"):
pass
output = aff4.FACTORY.Open(
self.client_id.Add("testRetrieveDependencies"),
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0], r"C:\Windows")
def testRegistryValueArtifact(self):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.ActionMock(standard.StatFile)
coll1 = artifact_registry.ArtifactSource(
type=artifact_registry.ArtifactSource.SourceType.
REGISTRY_VALUE,
attributes={
"key_value_pairs": [{
"key":
(r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
r"\Control\Session Manager"),
"value":
"BootExecute"
}]
})
self.fakeartifact.sources.append(coll1)
artifact_list = ["FakeArtifact"]
for s in test_lib.TestFlowHelper("ArtifactCollectorFlow",
client_mock,
artifact_list=artifact_list,
token=self.token,
client_id=self.client_id):
session_id = s
# Test the statentry got stored with the correct aff4path.
fd = aff4.FACTORY.Open(session_id.Add(flow_runner.RESULTS_SUFFIX),
token=self.token)
self.assertTrue(isinstance(list(fd)[0], rdf_client.StatEntry))
self.assertTrue(str(fd[0].aff4path).endswith("BootExecute"))
def testProcessCollectedArtifacts(self):
"""Test downloading files from artifacts."""
self._PrepareWindowsClient()
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
self._testProcessCollectedArtifacts()
def testProcessCollectedArtifacts(self):
"""Test downloading files from artifacts."""
self.SetupClients(1, system="Windows", os_version="6.2")
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
self._testProcessCollectedArtifacts()
def setUp(self):
super(GrrKbWindowsTest, self).setUp()
self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64")
self.os_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler)
self.reg_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.REGISTRY, test_lib.FakeRegistryVFSHandler)
self.os_overrider.Start()
self.reg_overrider.Start()
def SetupWindowsMocks(self):
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetWindowsClient()
self.os_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, test_lib.FakeFullVFSHandler)
self.reg_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler)
self.os_overrider.Start()
self.reg_overrider.Start()
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.MEMORY,
test_lib.FakeTestDataVFSHandler):
paths = [
os.path.join(os.path.dirname(self.base_path), "auth.log"),
os.path.join(os.path.dirname(self.base_path), "dpkg.log")
]
literal_condition = file_finder.FileFinderContentsLiteralMatchCondition
all_hits = literal_condition.Mode.ALL_HITS
literal_condition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=literal_condition(
mode=all_hits,
literal="session opened for user dearjohn"))
# Check this condition with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in sorted(file_finder.FileFinderAction.Action.
enum_dict.values()):
for _ in test_lib.TestFlowHelper(
"FileFinder",
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdf_paths.PathSpec.PathType.MEMORY,
conditions=[literal_condition],
action=file_finder.FileFinderAction(
action_type=action),
token=self.token,
output=self.output_path):
pass
self.CheckFilesInCollection(["auth.log"])
fd = aff4.FACTORY.Open(self.client_id.Add(
self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testAppliesLiteralConditionWhenMemoryPathTypeIsUsed(self):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.MEMORY,
test_lib.FakeTestDataVFSHandler):
paths = ["/var/log/auth.log", "/etc/ssh/sshd_config"]
literal_condition = file_finder.FileFinderContentsLiteralMatchCondition
all_hits = literal_condition.Mode.ALL_HITS
literal_condition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.
CONTENTS_LITERAL_MATCH,
contents_literal_match=literal_condition(
mode=all_hits,
bytes_before=10,
bytes_after=10,
literal="session opened for user dearjohn"))
# Check this condition with all the actions. This makes sense, as we may
# download memeory or send it to the socket.
for action in self.CONDITION_TESTS_ACTIONS:
for s in test_lib.TestFlowHelper(
"FileFinder",
self.client_mock,
client_id=self.client_id,
paths=paths,
pathtype=rdf_paths.PathSpec.PathType.MEMORY,
conditions=[literal_condition],
action=file_finder.FileFinderAction(
action_type=action),
token=self.token):
session_id = s
self.CheckFilesInCollection(["auth.log"],
session_id=session_id)
fd = aff4.FACTORY.Open(session_id.Add(
flow_runner.RESULTS_SUFFIX),
aff4_type=sequential_collection.
GeneralIndexedCollection,
token=self.token)
self.assertEqual(fd[0].stat_entry.pathspec.CollapsePath(),
paths[0])
self.assertEqual(len(fd), 1)
self.assertEqual(len(fd[0].matches), 1)
self.assertEqual(fd[0].matches[0].offset, 350)
self.assertEqual(
fd[0].matches[0].data,
"session): session opened for user dearjohn by (uid=0")
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
test_lib.ClientFixture(self.client_id, token=self.token)
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient(
"TransferBuffer", "StatFile", "Find", "HashBuffer",
"ListDirectory", "FingerprintFile", "GetLibraryVersions")
self.SetWindowsClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
# Run the flow in the simulated way
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Windows", 100 * 1000000)
self._CheckClientInfo()
self._CheckClientIndex(".*Host.*")
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Windows",
"6.1.7600",
kernel="6.1.7601")
# users Bert and Ernie added by the fixture should not be present (USERS
# overriden by kb)
# jim parsed from registry profile keys
self._CheckUsers(["jim", "kovacs"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckWindowsDiskInfo()
self._CheckRegistryPathspec()
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
def testKnowledgeBaseRetrievalLinuxPasswd(self):
"""Check we can retrieve a Linux kb."""
self.ClearKB()
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": ["LinuxWtmp",
"LinuxPasswdHomedirs",
"LinuxRelease"],
"Artifacts.knowledge_base_additions": [],
"Artifacts.knowledge_base_skip": []}):
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow", self.client_mock,
client_id=self.client_id, token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id, token=self.token, mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp.
# Bert and Ernie not present (Users fixture overriden by kb).
self.assertItemsEqual([x.username for x in kb.users], ["user1", "user2",
"user3"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552099)
self.assertEqual(user.homedir, "/home/user1")
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(), 1296552102)
self.assertEqual(user.homedir, "/home/user2")
self.assertFalse(kb.GetUser(username="******"))
def CreateTimelineFixture(self):
"""Creates a new timeline fixture we can play with."""
# Create a client for testing
client_id = rdf_client.ClientURN("C.0000000000000001")
token = access_control.ACLToken(username="******", reason="fixture")
fd = aff4.FACTORY.Create(client_id, "VFSGRRClient", token=token)
cert = self.ClientCertFromPrivateKey(
config_lib.CONFIG["Client.private_key"])
client_cert = rdf_crypto.RDFX509Cert(cert.as_pem())
fd.Set(fd.Schema.CERT(client_cert))
fd.Close()
with test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, test_lib.ClientVFSHandlerFixture):
client_mock = action_mocks.ActionMock("ListDirectory")
output_path = "analysis/Timeline/MAC"
for _ in test_lib.TestFlowHelper(
"RecursiveListDirectory", client_mock, client_id=client_id,
pathspec=rdf_paths.PathSpec(
path="/", pathtype=rdf_paths.PathSpec.PathType.OS),
token=token):
pass
# Now make a timeline
for _ in test_lib.TestFlowHelper(
"MACTimes", client_mock, client_id=client_id, token=token,
path="/", output=output_path):
pass
def testIteratedDirectoryListing(self):
"""Test that the client iterator works."""
with test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, MockVFSHandler):
path = "/"
# Run the flow in the simulated way
client_mock = action_mocks.ActionMock("IteratedListDirectory")
for _ in test_lib.TestFlowHelper(
"IteratedListDirectory", client_mock, client_id=self.client_id,
pathspec=rdf_paths.PathSpec(path="/",
pathtype=rdf_paths.PathSpec.PathType.OS),
token=self.token):
pass
fd = aff4.FACTORY.Open(self.client_id.Add("fs/os").Add(path),
token=self.token)
directory = [ch for ch in fd.OpenChildren()]
pb = rdf_paths.PathSpec(path=path,
pathtype=rdf_paths.PathSpec.PathType.OS)
directory2 = list(vfs.VFSOpen(pb).ListFiles())
directory.sort()
result = [x.Get(x.Schema.STAT) for x in directory]
# Make sure that the resulting directory is what it should be
for x, y in zip(result, directory2):
x.aff4path = None
self.assertEqual(x.st_mode, y.st_mode)
self.assertRDFValueEqual(x, y)
def testKnowledgeBaseRetrievalDarwin(self):
"""Check we can retrieve a Darwin kb."""
self.ClearKB()
with test_lib.ConfigOverrider(
{"Artifacts.knowledge_base": ["OSXUsers"]}):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.ClientVFSHandlerFixture):
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow",
self.client_mock,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 10)
self.assertEqual(kb.os_minor_version, 9)
# scalzi from /Users dir listing.
self.assertItemsEqual([x.username for x in kb.users],
["scalzi"])
user = kb.GetUser(username="******")
self.assertEqual(user.homedir, "/Users/scalzi")
def testKnowledgeBaseRetrievalLinuxNoUsers(self):
"""Cause a users.username dependency failure."""
self.ClearKB()
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"NetgroupConfiguration", "NssCacheLinuxPasswdHomedirs",
"LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": ["^doesntexist$"]
}):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow",
self.client_mock,
require_complete=False,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
self.assertItemsEqual([x.username for x in kb.users], [])
def testKnowledgeBaseRetrievalLinux(self):
"""Check we can retrieve a Linux kb."""
self.ClearKB()
with test_lib.ConfigOverrider({
"Artifacts.knowledge_base": [
"LinuxWtmp", "NetgroupConfiguration",
"LinuxPasswdHomedirs", "LinuxRelease"
],
"Artifacts.netgroup_filter_regexes": ["^login$"],
"Artifacts.netgroup_user_blacklist": ["isaac"]
}):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow",
self.client_mock,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 14)
self.assertEqual(kb.os_minor_version, 4)
# user 1,2,3 from wtmp. yagharek from netgroup.
self.assertItemsEqual([x.username for x in kb.users],
["user1", "user2", "user3", "yagharek"])
user = kb.GetUser(username="******")
self.assertEqual(user.last_logon.AsSecondsFromEpoch(),
1296552099)
self.assertEqual(user.homedir, "/home/user1")
def testKnowledgeBaseRetrievalDarwin(self):
"""Check we can retrieve a Darwin kb."""
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetDarwinClient()
with test_lib.ConfigOverrider(
{"Artifacts.knowledge_base": ["OSXUsers"]}):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.ClientVFSHandlerFixture):
client_mock = action_mocks.ActionMock("TransferBuffer",
"StatFile", "Find",
"HashBuffer",
"ListDirectory",
"FingerprintFile")
for _ in test_lib.TestFlowHelper(
"KnowledgeBaseInitializationFlow",
client_mock,
client_id=self.client_id,
token=self.token):
pass
client = aff4.FACTORY.Open(self.client_id,
token=self.token,
mode="rw")
kb = artifact.GetArtifactKnowledgeBase(client)
self.assertEqual(kb.os_major_version, 10)
self.assertEqual(kb.os_minor_version, 9)
# scalzi from /Users dir listing.
# Bert and Ernie not present (Users fixture overriden by kb).
self.assertItemsEqual([x.username for x in kb.users],
["scalzi"])
user = kb.GetUser(username="******")
self.assertEqual(user.homedir, "/Users/scalzi")
def setUp(self):
super(TestMemoryCollector, self).setUp()
self.output_path = "analysis/memory_scanner"
self.key = rdf_crypto.AES128Key("1a5eafcc77d428863d4c2441ea26e5a5")
self.iv = rdf_crypto.AES128Key("2241b14c64874b1898dad4de7173d8c0")
self.memory_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
"searching/auth.log")
with open(self.memory_file, "r") as f:
self.memory_dump = f.read()
self.assertTrue(self.memory_dump)
self.client_mock = action_mocks.ActionMock("TransferBuffer", "HashBuffer",
"StatFile", "CopyPathToFile",
"SendFile", "DeleteGRRTempFiles",
"GetConfiguration", "Find",
"Grep")
self.old_driver_flow = flow.GRRFlow.classes["LoadMemoryDriver"]
flow.GRRFlow.classes["LoadMemoryDriver"] = DummyLoadMemoryDriverFlow
self.old_diskvolume_flow = flow.GRRFlow.classes["DiskVolumeInfo"]
flow.GRRFlow.classes["DiskVolumeInfo"] = DummyDiskVolumeInfo
self.vfs_overrider = test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.MEMORY, test_lib.FakeTestDataVFSHandler)
self.vfs_overrider.Start()
def testArtifactOutput(self):
"""Check we can run command based artifacts."""
self.SetLinuxClient()
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
"FingerprintFile",
"HashBuffer",
"ListDirectory", "Find")
# Will raise if something goes wrong.
self.RunCollectorAndGetCollection(["TestFilesArtifact"],
client_mock=client_mock)
# Will raise if something goes wrong.
self.RunCollectorAndGetCollection(["TestFilesArtifact"],
client_mock=client_mock,
split_output_by_artifact=True)
# Test the on_no_results_error option.
with self.assertRaises(RuntimeError) as context:
self.RunCollectorAndGetCollection(
["NullArtifact"],
client_mock=client_mock,
split_output_by_artifact=True,
on_no_results_error=True)
if "collector returned 0 responses" not in str(context.exception):
raise RuntimeError("0 responses should have been returned")
def testFlowNotification(self):
FlowDoneListener.received_events = []
with test_lib.VFSOverrider(
rdf_paths.PathSpec.PathType.OS, MockVFSHandler):
path = rdf_paths.PathSpec(path="/",
pathtype=rdf_paths.PathSpec.PathType.OS)
# Run the flow in the simulated way
client_mock = action_mocks.ActionMock("IteratedListDirectory")
for _ in test_lib.TestFlowHelper(
"IteratedListDirectory", client_mock, client_id=self.client_id,
notification_urn=rdfvalue.SessionID(queue=rdfvalue.RDFURN("EV"),
flow_name="FlowDone"),
pathspec=path, token=self.token):
pass
# The event goes to an external queue so we need another worker.
worker = test_lib.MockWorker(queues=[rdfvalue.RDFURN("EV")],
token=self.token)
worker.Simulate()
self.assertEqual(len(FlowDoneListener.received_events), 1)
flow_event = FlowDoneListener.received_events[0].payload
self.assertEqual(flow_event.flow_name, "IteratedListDirectory")
self.assertEqual(flow_event.client_id, "aff4:/C.1000000000000000")
self.assertEqual(flow_event.status, rdf_flows.FlowNotification.Status.OK)
def setUp(self):
super(FindTest, self).setUp()
# Install the mock
self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
MockVFSHandlerFind)
self.vfs_overrider.Start()
def testVFSVirtualRoot(self):
# Let's open a file in the virtual root.
os_root = "os:%s" % self.base_path
with test_lib.ConfigOverrider({"Client.vfs_virtualroots": [os_root]}):
# We need to reset the vfs.VFS_VIRTUALROOTS too.
vfs.VFSInit().Run()
fd = vfs.VFSOpen(
rdf_paths.PathSpec(path="/morenumbers.txt",
pathtype=rdf_paths.PathSpec.PathType.OS))
data = fd.read(10)
self.assertEqual(data, "1\n2\n3\n4\n5\n")
# This should also work with TSK.
tsk_root = "tsk:%s" % os.path.join(self.base_path, "test_img.dd")
with test_lib.ConfigOverrider({"Client.vfs_virtualroots": [tsk_root]}):
vfs.VFSInit().Run()
image_file_ps = rdf_paths.PathSpec(
path=u"איןד ןד ש אקדא/איןד.txt",
pathtype=rdf_paths.PathSpec.PathType.TSK)
fd = vfs.VFSOpen(image_file_ps)
data = fd.read(10)
self.assertEqual(data, "1\n2\n3\n4\n5\n")
# This should not influence vfs handlers other than OS and TSK.
reg_type = rdf_paths.PathSpec.PathType.REGISTRY
os_handler = vfs.VFS_HANDLERS[rdf_paths.PathSpec.PathType.OS]
with test_lib.VFSOverrider(reg_type, os_handler):
with self.assertRaises(IOError):
image_file_ps.pathtype = reg_type
vfs.VFSOpen(image_file_ps)
def setUp(self):
super(TestSearchFileContentWithFixture, self).setUp()
self.client_mock = action_mocks.ActionMock("Grep", "StatFile", "Find")
self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.ClientVFSHandlerFixture)
self.vfs_overrider.Start()
def testFilesArtifact(self):
"""Check GetFiles artifacts."""
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeTestDataVFSHandler):
self.RunCollectorAndGetCollection(["TestFilesArtifact"],
client_mock=self.client_mock)
urn = self.client_id.Add("fs/os/").Add("var/log/auth.log")
aff4.FACTORY.Open(urn, aff4_type="VFSBlobImage", token=self.token)
def setUp(self):
super(GrepTest, self).setUp()
# Install the mock
self.vfs_overrider = test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
MockVFSHandlerFind)
self.vfs_overrider.Start()
self.filename = "/mock2/directory1/grepfile.txt"
def testInterrogateWindows(self):
"""Test the Interrogate flow."""
test_lib.ClientFixture(self.client_id, token=self.token)
self.SetupClients(1, system="Windows", os_version="6.2", arch="AMD64")
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY,
test_lib.FakeRegistryVFSHandler):
with test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS,
test_lib.FakeFullVFSHandler):
client_mock = action_mocks.InterrogatedClient()
client_mock.InitializeClient(system="Windows",
version="6.1.7600",
kernel="6.1.7601")
# Run the flow in the simulated way
for _ in test_lib.TestFlowHelper("Interrogate",
client_mock,
token=self.token,
client_id=self.client_id):
pass
self.fd = aff4.FACTORY.Open(self.client_id, token=self.token)
self._CheckAFF4Object("test_node", "Windows", 100 * 1000000)
self._CheckClientInfo()
self._CheckGRRConfig()
self._CheckNotificationsCreated()
self._CheckClientSummary("Windows",
"6.1.7600",
kernel="6.1.7601")
# jim parsed from registry profile keys
self._CheckUsers(["jim", "kovacs"])
self._CheckNetworkInfo()
self._CheckVFS()
self._CheckLabelIndex()
self._CheckWindowsDiskInfo()
self._CheckRegistryPathspec()
self._CheckClientKwIndex(["Linux"], 0)
self._CheckClientKwIndex(["Windows"], 1)
self._CheckClientKwIndex(["Label2"], 1)
self._CheckMemory()
