def GetFiles(self, source, path_type, max_size):
    """Schedule one FileFinder download covering every path of an artifact source.

    Each entry of ``source.attributes["paths"]`` is expanded against the
    knowledge base; the combined list goes to a single ``FileFinder`` child
    flow whose responses are routed to ``ProcessFileFinderResults``.

    Args:
      source: Artifact source; must provide ``attributes["paths"]`` and
        ``ToPrimitiveDict()``.
      path_type: Passed through unchanged as the child flow's ``pathtype``.
      max_size: Used twice: as ``max_size`` of the download action options
        and as the child flow's ``file_size`` argument.
    """
    # One pattern can expand to several concrete paths, so the results are
    # flattened into a single list.
    # NOTE(review): with ignore_interpolation_errors set, patterns that cannot
    # be expanded are presumably dropped rather than failing the flow, so a
    # collection could finish "successfully" while missing files. Confirm
    # against InterpolateKbAttributes.
    expanded_paths = [
        expanded
        for pattern in source.attributes["paths"]
        for expanded in artifact_utils.InterpolateKbAttributes(
            pattern,
            self.state.knowledge_base,
            ignore_errors=self.args.ignore_interpolation_errors)
    ]

    download_options = file_finder.FileFinderDownloadActionOptions(
        max_size=max_size)
    download_action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download_options)

    # Carried with the request so the result handler can tell which artifact
    # and source produced each response.
    provenance = {
        "artifact_name": self.current_artifact_name,
        "source": source.ToPrimitiveDict()
    }

    self.CallFlow(
        "FileFinder",
        paths=expanded_paths,
        pathtype=path_type,
        action=download_action,
        file_size=max_size,
        request_data=provenance,
        next_state="ProcessFileFinderResults")
class TestFileFinderOSLinuxProc(transfer.TestGetFileOSLinux):
    """Fetch a /proc/sys sysctl entry through the FileFinder flow on Linux.

    The test passes when a non-empty read comes back from the collected file
    (see ``CheckFile``).
    """

    # Where and how the test runs.
    platforms = ["Linux"]
    flow = "FileFinder"
    client_min_version = 3007

    # VFS location where the collected file is expected to appear.
    test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"

    # Size filter: max_file_size=1000000 (units not stated here; presumably
    # bytes).
    sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
    filecondition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition)

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # Arguments handed to the flow.
    args = {
        "paths": ["/proc/sys/net/ipv4/ip_forward"],
        "conditions": filecondition,
        "action": action
    }

    def CheckFile(self, fd):
        """Assert that reading up to 10 units from ``fd`` returns something.

        Only non-emptiness is checked; the actual sysctl value is not
        compared against anything.
        """
        # Some value was read from the sysctl.
        self.assertTrue(fd.Read(10))
class TestFileFinderOSDarwin(base.VFSPathContentIsMachO):
    """Download /bin/ps with the FileFinder flow on Darwin.

    Content validation comes from the base class (by its name, presumably a
    Mach-O check; confirm in ``base``). No size condition is supplied.
    """

    platforms = ["Darwin"]
    flow = "FileFinder"

    # VFS location where the collected file is expected to appear.
    test_output_path = "/fs/os/bin/ps"

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # Arguments handed to the flow.
    args = {
        "paths": ["/bin/ps"],
        "action": action
    }
class TestFileFinderTSKWindows(TestFileFinderOSWindows):
    """Variant of TestFileFinderOSWindows that collects via the "TSK" pathtype.

    ``args`` is replaced wholesale here, so this class passes no "conditions"
    entry of its own, whatever the parent defines. Results are expected
    under /fs/tsk/ rather than /fs/os/.
    """

    # Regex-style expectation for where the collected file lands in the VFS.
    test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # %%environ_systemroot%% is a placeholder expanded before the glob
    # ("notepad.*") is evaluated.
    # NOTE(review): "TSK" presumably selects raw-filesystem access via The
    # Sleuth Kit instead of the OS file API. Confirm against the flow's docs.
    args = {
        "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
        "action": action,
        "pathtype": "TSK"
    }
class TestFileFinderTSKWindows(base.VFSPathContentIsPE):
    """Collect notepad on Windows with FileFinder using the "TSK" pathtype.

    Content validation comes from the base class (by its name, presumably a
    PE check; confirm in ``base``). No size condition is supplied.
    """

    platforms = ["Windows"]
    flow = "FileFinder"

    # Regex-style expectation for where the collected file lands in the VFS.
    test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # %%environ_systemroot%% is a placeholder expanded before the glob
    # ("notepad.*") is evaluated.
    # NOTE(review): "TSK" presumably selects raw-filesystem access via The
    # Sleuth Kit instead of the OS file API. Confirm against the flow's docs.
    args = {
        "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
        "action": action,
        "pathtype": "TSK"
    }
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
    """Download /bin/ps with the FileFinder flow on Linux, filtered by size.

    Content validation comes from the base class (by its name, presumably an
    ELF check; confirm in ``base``).
    """

    platforms = ["Linux"]
    flow = "FileFinder"

    # VFS location where the collected file is expected to appear.
    test_output_path = "/fs/os/bin/ps"

    # Size filter: max_file_size=1000000 (units not stated here; presumably
    # bytes).
    sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
    filecondition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition)

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # Arguments handed to the flow.
    args = {
        "paths": ["/bin/ps"],
        "conditions": filecondition,
        "action": action
    }
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
    """Fetch a /proc/sys sysctl entry through the FileFinder flow on Linux.

    Validation comes from the base class (by its name, presumably only that
    the VFS path has content; confirm in ``base``).
    """

    # Where and how the test runs.
    platforms = ["Linux"]
    flow = "FileFinder"
    client_min_version = 3007

    # VFS location where the collected file is expected to appear.
    test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"

    # Size filter: max_file_size=1000000 (units not stated here; presumably
    # bytes).
    sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
    filecondition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition)

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # Arguments handed to the flow.
    args = {
        "paths": ["/proc/sys/net/ipv4/ip_forward"],
        "conditions": filecondition,
        "action": action
    }
class TestFileFinderOSWindows(transfer.TestGetFileOSWindows):
    """Collect notepad on Windows with the FileFinder flow.

    Covers three features in one request: glob matching ("notepad.*"),
    placeholder interpolation (%%environ_systemroot%%) and filtering through
    a size condition.
    """

    flow = "FileFinder"

    # Regex-style expectation for where the collected file lands in the VFS.
    test_output_path = "/fs/os/.*/Windows/System32/notepad.exe"

    # Size filter: max_file_size=1000000 (units not stated here; presumably
    # bytes).
    sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
    filecondition = file_finder.FileFinderCondition(
        condition_type=file_finder.FileFinderCondition.Type.SIZE,
        size=sizecondition)

    # Download action with default options.
    download = file_finder.FileFinderDownloadActionOptions()
    action = file_finder.FileFinderAction(
        action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
        download=download)

    # Arguments handed to the flow.
    args = {
        "paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
        "conditions": filecondition,
        "action": action
    }