コード例 #1
  def testGetClientsForHashesWithAge(self):
    """GetClientsForHashes returns hits only inside the requested age bound.

    Both files are added while time.time() is stubbed to 42. The same two
    hashes are then looked up with an age below that instant, with an age
    above it, and with no age argument at all.
    """
    # Pin the clock so the entries written by AddFile get a known timestamp.
    with utils.Stubber(time, "time", lambda: 42):
      for path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
        self.AddFile(path)

    md5_hash = rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
    sha1_hash = rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="sha1",
        hash_value="e1f7e62b3909263f3a2518bbae6a9ee36d5b502b")

    def Lookup(**age_spec):
      # A fresh list is passed on every call, exactly one lookup per assertion.
      return dict(aff4.HashFileStore.GetClientsForHashes(
          [md5_hash, sha1_hash], token=self.token, **age_spec))

    # NOTE(review): age looks like microseconds since the epoch, so 41e6 falls
    # just before the stubbed 42 s and 43e6 just after it - confirm.
    self.assertEqual(len(Lookup(age=41e6)), 0)
    self.assertEqual(len(Lookup(age=43e6)), 2)

    # Without an age argument the method's own default applies.
    self.assertEqual(len(Lookup()), 2)
コード例 #2
ファイル: filestore_test.py プロジェクト: wwwiretap/grr
    def testGetClientsForHashes(self):
        """Each looked-up hash maps to the URN of the file that carries it.

        Two files are added, one is looked up by its generic md5 and the other
        by its generic sha1, and each result list must hold exactly the
        matching fs/tsk URN under this client.
        """
        for path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
            self.AddFile(path)

        md5_hash = rdfvalue.FileStoreHash(
            fingerprint_type="generic",
            hash_type="md5",
            hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
        sha1_hash = rdfvalue.FileStoreHash(
            fingerprint_type="generic",
            hash_type="sha1",
            hash_value="e1f7e62b3909263f3a2518bbae6a9ee36d5b502b")

        def ExpectedUrn(relative_path):
            # Rebuilt from client_id on every call, as the original did inline.
            return self.client_id.Add("fs/tsk").Add(
                self.base_path).Add(relative_path)

        hits = dict(
            aff4.HashFileStore.GetClientsForHashes([md5_hash, sha1_hash],
                                                   token=self.token))
        self.assertEqual(len(hits), 2)

        # The result is keyed by the FileStoreHash objects that were passed in.
        self.assertListEqual(
            hits[md5_hash],
            [ExpectedUrn("winexec_img.dd/Ext2IFS_1_10b.exe")])
        self.assertListEqual(
            hits[sha1_hash],
            [ExpectedUrn("winexec_img.dd/idea.dll")])
コード例 #3
  def testGetClientsForHashWithAge(self):
    """GetClientsForHash returns a hit only inside the requested age bound.

    The files are added while time.time() is stubbed to 42. One generic md5
    hash is then looked up with an age below that instant, with an age above
    it, and with no age argument.
    """
    # Pin the clock so the entries written by AddFile get a known timestamp.
    with utils.Stubber(time, "time", lambda: 42):
      for path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
        self.AddFile(path)

    def Md5Hash():
      # A new FileStoreHash per lookup, matching the original's three
      # separate constructions.
      return rdfvalue.FileStoreHash(
          fingerprint_type="generic", hash_type="md5",
          hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")

    def CountHits(**age_spec):
      found = list(aff4.HashFileStore.GetClientsForHash(
          Md5Hash(), token=self.token, **age_spec))
      return len(found)

    # NOTE(review): age looks like microseconds since the epoch, so 41e6 falls
    # just before the stubbed 42 s and 43e6 just after it - confirm.
    self.assertEqual(CountHits(age=41e6), 0)
    self.assertEqual(CountHits(age=43e6), 1)

    # Without an age argument the method's own default applies.
    self.assertEqual(CountHits(), 1)
コード例 #4
ファイル: filestore_test.py プロジェクト: wwwiretap/grr
    def testListHashes(self):
        """ListHashes yields every digest recorded for a single added file.

        One file produces five entries: pecoff md5/sha1 and generic
        md5/sha1/sha256. The pecoff and generic digests of the same file
        differ, so a lookup has to use the fingerprint type the reference
        digest was computed with.
        """
        self.AddFile("/Ext2IFS_1_10b.exe")
        stored = list(aff4.HashFileStore.ListHashes(token=self.token))
        self.assertEqual(len(stored), 5)

        # md5 and sha1 are not collision resistant; a match on those entries
        # is a lead to confirm against the sha256 entry, not proof that the
        # content is identical.
        expected = (
            ("pecoff", "md5", "a3a3259f7b145a21c7b512d876a5da06"),
            ("pecoff", "sha1", "019bddad9cac09f37f3941a7f285c79d3c7e7801"),
            ("generic", "md5", "bb0a15eefe63fd41f8dc9dee01c5cf9a"),
            ("generic", "sha1", "7dd6bee591dfcb6d75eb705405302c3eab65e21a"),
            ("generic", "sha256",
             "0e8dc93e150021bb4752029ebbff51394aa36f06"
             "9cf19901578e4f06017acdb5"),
        )
        for fingerprint_type, hash_type, hash_value in expected:
            candidate = rdfvalue.FileStoreHash(
                fingerprint_type=fingerprint_type,
                hash_type=hash_type,
                hash_value=hash_value)
            self.assertTrue(candidate in stored)
コード例 #5
  def testExportWithDummyPlugin(self):
    """Runs the hash file store export plugin and checks what it emits.

    A file is fetched with the GetFile flow, announced to the file store
    through a FileStore.AddFileToStore event, and then exported. The export
    must produce the five FileStoreHash values recorded for that file.
    """
    # OS pathspec for the disk image, with a TSK component for the file in it.
    image_path = os.path.join(self.base_path, "winexec_img.dd")
    pathspec = rdfvalue.PathSpec(
        pathtype=rdfvalue.PathSpec.PathType.OS, path=image_path)
    pathspec.Append(path="/Ext2IFS_1_10b.exe",
                    pathtype=rdfvalue.PathSpec.PathType.TSK)
    urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, self.client_id)

    client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                          "HashBuffer")
    flow_steps = test_lib.TestFlowHelper(
        "GetFile", client_mock, token=self.token,
        client_id=self.client_id, pathspec=pathspec)
    # Drain the helper; only its side effects are needed.
    for _ in flow_steps:
      pass

    # The event is published as AUTHENTICATED.
    # NOTE(review): presumably the FileStore listener drops messages in any
    # other authorization state - confirm against the listener.
    event = rdfvalue.GrrMessage(
        payload=urn,
        auth_state=rdfvalue.GrrMessage.AuthorizationState.AUTHENTICATED)
    flow.Events.PublishEvent(
        "FileStore.AddFileToStore", event, token=self.token)
    test_lib.MockWorker(token=self.token).Simulate()

    plugin = hash_file_store_plugin.HashFileStoreExportPlugin()
    parser = argparse.ArgumentParser()
    plugin.ConfigureArgParser(parser)
    # NOTE(review): "dummy" presumably selects DummyOutputPlugin - confirm.
    cli_args = parser.parse_args(args=["--threads", "0", "dummy"])
    plugin.Run(cli_args)

    # responses is read from the class, not from an instance.
    # NOTE(review): if it is not reset between tests, earlier runs could
    # leak into the count below - confirm in setUp.
    exported = DummyOutputPlugin.responses

    self.assertEqual(len(exported), 5)
    for item in exported:
      self.assertTrue(isinstance(item, rdfvalue.FileStoreHash))

    expected = (
        ("pecoff", "md5", "a3a3259f7b145a21c7b512d876a5da06"),
        ("pecoff", "sha1", "019bddad9cac09f37f3941a7f285c79d3c7e7801"),
        ("generic", "md5", "bb0a15eefe63fd41f8dc9dee01c5cf9a"),
        ("generic", "sha1", "7dd6bee591dfcb6d75eb705405302c3eab65e21a"),
        ("generic", "sha256",
         "0e8dc93e150021bb4752029ebbff51394aa36f06"
         "9cf19901578e4f06017acdb5"),
    )
    for fingerprint_type, hash_type, hash_value in expected:
      candidate = rdfvalue.FileStoreHash(
          fingerprint_type=fingerprint_type, hash_type=hash_type,
          hash_value=hash_value)
      self.assertTrue(candidate in exported)
コード例 #6
    def ListHashes(token=None, age=aff4.NEWEST_TIME):
        """Yields every hash recorded in the file store.

        One URN is built per (fingerprint type, hash type) pair listed in
        HashFileStore.HASH_TYPES, and the children of all those URNs are
        listed in a single MultiListChildren call.

        Args:
          token: Security token, instance of ACLToken.
          age: AFF4 age specification. Only hits matching the age spec are
               returned. Should be aff4.NEWEST_TIME or a (start, end) tuple in
               microseconds since Jan 1st, 1970. A single microseconds value
               is treated as the upper end of the range, i.e. (0, age). See
               aff4.FACTORY.ParseAgeSpecification for details.

        Yields:
          FileStoreHash instances, one per child found under the hash URNs.

        Raises:
          ValueError: if age was set to aff4.ALL_TIMES. This is a generator,
            so the error surfaces on the first iteration, not at call time.
        """
        # NOTE(review): token defaults to None; whether the data store rejects
        # a call without a token is not visible here - callers should pass one.
        if age == aff4.ALL_TIMES:
            raise ValueError("age==aff4.ALL_TIMES is not allowed.")

        # One index URN per fingerprint type / hash type combination.
        index_urns = [
            HashFileStore.PATH.Add(fingerprint_type).Add(hash_type)
            for fingerprint_type, hash_types
            in HashFileStore.HASH_TYPES.iteritems()
            for hash_type in hash_types
        ]

        listing = aff4.FACTORY.MultiListChildren(index_urns,
                                                 token=token,
                                                 age=age)
        for _, children in listing:
            for child in children:
                yield rdfvalue.FileStoreHash(child)
コード例 #7
ファイル: filestore.py プロジェクト: pombredanne/grr-insider
    def GetHitsForHashes(hashes, token=None, age=aff4.NEWEST_TIME):
        """Yields (hash, hits) pairs for the specified hashes.

        The hashes are resolved in one MultiResolveRegex call against the
        "index:target:.*" attributes, limited to the timestamp derived from
        the age spec.

        Args:
          hashes: List of FileStoreHash instances.
          token: Security token.
          age: AFF4 age specification. Only hits matching the age spec are
               returned. Should be aff4.NEWEST_TIME or a (start, end) tuple in
               microseconds since Jan 1st, 1970. A single microseconds value
               is treated as the upper end of the range, i.e. (0, age). See
               aff4.FACTORY.ParseAgeSpecification for details.

        Yields:
          (hash, hits) tuples, where hash is a FileStoreHash instance and hits
          is a list holding the second field of every row resolved for that
          hash (the URN of a file that has the hash).

        Raises:
          ValueError: if age was set to aff4.ALL_TIMES. This is a generator,
            so the error surfaces on the first iteration, not at call time.
        """
        # NOTE(review): token defaults to None; whether the data store rejects
        # a call without a token is not visible here - callers should pass one.
        if age == aff4.ALL_TIMES:
            raise ValueError("age==aff4.ALL_TIMES is not allowed.")
        timestamp = aff4.FACTORY.ParseAgeSpecification(age)

        resolved = data_store.DB.MultiResolveRegex(
            hashes, "index:target:.*", token=token, timestamp=timestamp)
        for hash_obj, hash_hits in resolved:
            store_hash = rdfvalue.FileStoreHash(hash_obj)
            # Each row is a 3-tuple; only its middle field is kept.
            hit_urns = []
            for _, hit_urn, _ in hash_hits:
                hit_urns.append(hit_urn)
            yield (store_hash, hit_urns)
コード例 #8
 def testHashIsInitializedFromConstructorArguments(self):
     """A FileStoreHash built from keyword arguments equals the sample.

     The keyword form must compare equal to whatever self.GenerateSample()
     returns with its default argument.
     """
     fields = dict(
         fingerprint_type="pecoff",
         hash_type="sha1",
         hash_value="eb875812858d27b22cb2b75f992dffadc1b05c60")
     from_kwargs = rdfvalue.FileStoreHash(**fields)
     self.assertEqual(from_kwargs, self.GenerateSample())
コード例 #9
  def testGetClientsForHash(self):
    """A generic md5 lookup returns only the URN of the file with that hash.

    Two files are added, but the looked-up digest belongs to one of them, so
    the result must be a single fs/tsk URN under this client.
    """
    for path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
      self.AddFile(path)

    md5_hash = rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
    hits = list(aff4.HashFileStore.GetClientsForHash(
        md5_hash, token=self.token))

    expected_urn = self.client_id.Add("fs/tsk").Add(
        self.base_path).Add("winexec_img.dd/Ext2IFS_1_10b.exe")
    self.assertListEqual(hits, [expected_urn])
コード例 #10
 def GenerateSample(self, number=0):
     """Build a sample FileStoreHash from a pecoff/sha1 URN string.

     Args:
       number: Integer appended to the 39 fixed hex characters of the digest.

     Returns:
       A FileStoreHash constructed from the resulting URN string.
     """
     # A single-digit number completes a 40-character sha1 digest; anything
     # longer yields a digest string that is no longer sha1-sized.
     urn_template = ("aff4:/files/hash/pecoff/sha1/"
                     "eb875812858d27b22cb2b75f992dffadc1b05c6%d")
     return rdfvalue.FileStoreHash(urn_template % number)