def GetRegistryValue(self, source):
"""Retrieve directly specified registry values, returning Stat objects."""
new_paths = set()
for kvdict in source.attributes["key_value_pairs"]:
# TODO(user): this needs to be improved to support globbing for both
# key and value, and possibly also support forward slash.
path = "\\".join((kvdict["key"], kvdict["value"]))
expanded_paths = artifact_lib.InterpolateKbAttributes(
path, self.state.knowledge_base)
new_paths.update(expanded_paths)
for new_path in new_paths:
pathspec = paths.PathSpec(
path=new_path, pathtype=paths.PathSpec.PathType.REGISTRY)
self.CallClient("StatFile",
pathspec=pathspec,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def testCronTabParser(self):
"""Ensure we can extract jobs from a crontab file."""
parser = cron_file_parser.CronTabParser()
results = []
path = os.path.join(self.base_path, "parser_test", "crontab")
plist_file = open(path, "rb")
stat = rdf_client.StatEntry(
pathspec=rdf_paths.PathSpec(
path=path, pathtype=rdf_paths.PathSpec.PathType.OS),
st_mode=16877)
results.extend(list(parser.Parse(stat, plist_file, None)))
self.assertEqual(len(results), 1)
for result in results:
self.assertEqual(result.jobs[0].minute, "1")
self.assertEqual(result.jobs[0].hour, "2")
self.assertEqual(result.jobs[0].dayofmonth, "3")
self.assertEqual(result.jobs[0].month, "4")
self.assertEqual(result.jobs[0].dayofweek, "5")
self.assertEqual(result.jobs[0].command, "/usr/bin/echo \"test\"")
def testEmptySourceData(self):
test_data = ("# comment 1\n"
"baseurl=\n"
"# Trailing whitespace on purpose\n"
"baseurl= \n"
"# Trailing whitespace on purpose\n"
"baseurl = \n"
"baseurl\n"
"# comment 2\n")
file_obj = StringIO.StringIO(test_data)
pathspec = rdf_paths.PathSpec(path="/etc/yum.repos.d/emptytest.repo")
stat = rdf_client.StatEntry(pathspec=pathspec)
parser = config_file.YumPackageSourceParser()
results = list(parser.Parse(stat, file_obj, None))
result = [
d for d in results if isinstance(d, rdf_protodict.AttributedDict)
][0]
self.assertEqual("/etc/yum.repos.d/emptytest.repo", result.filename)
self.assertEqual(0, len(result.uris))
def Start(self):
"""Create some files to transfer.
Using /dev/urandom ensures the file actually gets transferred and we don't
just test the cache. The files created on the client will be automatically
deleted. If you need the client files for debugging, remove the lifetime
parameter from CopyPathToFile.
"""
self.state.Register("client_hashes", {})
urandom = rdf_paths.PathSpec(path="/dev/urandom",
pathtype=rdf_paths.PathSpec.PathType.OS)
for _ in range(self.args.file_limit):
self.CallClient(
"CopyPathToFile",
offset=0,
length=2 * 1024 * 1024, # 4 default sized blobs
src_path=urandom,
dest_dir="",
gzip_output=False,
lifetime=600,
next_state="HashFile")
def testVFSFileStartsOnlyOneMultiGetFileFlowOnUpdate(self):
"""File updates should only start one MultiGetFile at any point in time."""
client_id = self.SetupClient(0)
# We need to create a file path having a pathspec.
path = "fs/os/c/bin/bash"
with aff4.FACTORY.Create(
client_id.Add(path),
aff4_type=aff4_grr.VFSFile,
mode="rw",
token=self.token) as file_fd:
file_fd.Set(
file_fd.Schema.STAT,
rdf_client.StatEntry(
pathspec=rdf_paths.PathSpec(path="/bin/bash", pathtype="OS")))
# Starts a MultiGetFile flow.
file_fd.Update()
# Check that there is exactly one flow on the client.
flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token)
flows = list(flows_fd.ListChildren())
self.assertEqual(len(flows), 1)
# The flow is the MultiGetFile flow holding the lock on the file.
flow_obj = aff4.FACTORY.Open(flows[0], token=self.token)
self.assertEqual(
flow_obj.Get(flow_obj.Schema.TYPE), transfer.MultiGetFile.__name__)
self.assertEqual(flow_obj.urn, file_fd.Get(file_fd.Schema.CONTENT_LOCK))
# Since there is already a running flow having the lock on the file,
# this call shouldn't do anything.
file_fd.Update()
# There should still be only one flow on the client.
flows_fd = aff4.FACTORY.Open(client_id.Add("flows"), token=self.token)
flows = list(flows_fd.ListChildren())
self.assertEqual(len(flows), 1)
def testFindAction(self):
"""Test the find action."""
# First get all the files at once
pathspec = rdf_paths.PathSpec(path="/mock2/",
pathtype=rdf_paths.PathSpec.PathType.OS)
request = rdf_client.FindSpec(pathspec=pathspec, path_regex=".")
request.iterator.number = 200
result = self.RunAction(searching.Find, request)
all_files = [
x.hit for x in result if isinstance(x, rdf_client.FindSpec)
]
# Ask for the files one at the time
files = []
request = rdf_client.FindSpec(pathspec=pathspec, path_regex=".")
request.iterator.number = 1
while True:
result = self.RunAction(searching.Find, request)
if request.iterator.state == rdf_client.Iterator.State.FINISHED:
break
self.assertEqual(len(result), 2)
self.assertTrue(isinstance(result[0], rdf_client.FindSpec))
self.assertTrue(isinstance(result[1], rdf_client.Iterator))
files.append(result[0].hit)
request.iterator = result[1].Copy()
for x, y in zip(all_files, files):
self.assertRDFValuesEqual(x, y)
# Make sure the iterator is finished
self.assertEqual(request.iterator.state,
rdf_client.Iterator.State.FINISHED)
# Ensure we remove old states from client_state
self.assertEqual(len(request.iterator.client_state.dat), 0)
def testCopyHuntPreservesRuleType(self):
implementation.GRRHunt.StartHunt(
hunt_name=standard.GenericHunt.__name__,
description="model hunt",
flow_runner_args=rdf_flows.FlowRunnerArgs(
flow_name=transfer.GetFile.__name__),
flow_args=transfer.GetFileArgs(pathspec=rdf_paths.PathSpec(
path="/tmp/evil.txt",
pathtype=rdf_paths.PathSpec.PathType.TSK,)),
client_rule_set=rdf_foreman.ForemanClientRuleSet(
rules=[
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.OS,
os=rdf_foreman.ForemanOsClientRule(os_darwin=True))
]),
token=self.token)
self.Open("/#main=ManageHunts")
self.Click("css=tr:contains('model hunt')")
self.Click("css=button[name=CopyHunt]:not([disabled])")
# Wait until dialog appears.
self.WaitUntil(self.IsElementPresent,
"css=grr-wizard-form:contains('What to run?')")
# Click on "Next" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsElementPresent,
"css=grr-wizard-form:contains('Hunt parameters')")
# Click on "Next" button.
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsElementPresent,
"css=grr-wizard-form:contains('How to process results')")
# Click on "Next" button
self.Click("css=grr-new-hunt-wizard-form button.Next")
self.WaitUntil(self.IsElementPresent,
"css=grr-wizard-form:contains('Where to run?')")
self.WaitUntil(self.IsElementPresent, "css=grr-new-hunt-wizard-form "
"label:contains('Os darwin') ~ * input:checked")
def testShowsNotificationIfArchiveStreamingFailsInProgress(self):
pathspec = rdf_paths.PathSpec(path=os.path.join(
self.base_path, "test.plist"),
pathtype=rdf_paths.PathSpec.PathType.OS)
flow_urn = flow.GRRFlow.StartFlow(
flow_name=flows_transfer.GetFile.__name__,
client_id=self.client_id,
pathspec=pathspec,
token=self.token)
with self.ACLChecksDisabled():
for _ in test_lib.TestFlowHelper(flow_urn,
self.action_mock,
client_id=self.client_id,
token=self.token):
pass
def RaisingStub(*unused_args, **unused_kwargs):
yield "foo"
yield "bar"
raise RuntimeError("something went wrong")
with utils.Stubber(api_call_handler_utils.CollectionArchiveGenerator,
"Generate", RaisingStub):
self.Open("/#c=C.0000000000000001")
self.Click("css=a[grrtarget='client.flows']")
self.Click("css=td:contains('GetFile')")
self.Click("link=Results")
self.Click("css=button.DownloadButton")
self.WaitUntil(
self.IsUserNotificationPresent,
"Archive generation failed for flow %s" % flow_urn.Basename())
# There will be no failure message, as we can't get a status from an
# iframe that triggers the download.
self.WaitUntilNot(self.IsTextPresent,
"Can't generate archive: Unknown error")
def testMultiGetFileSizeLimit(self):
client_mock = action_mocks.ActionMock("TransferBuffer", "HashFile",
"StatFile", "HashBuffer")
image_path = os.path.join(self.base_path, "test_img.dd")
pathspec = rdf_paths.PathSpec(pathtype=rdf_paths.PathSpec.PathType.OS,
path=image_path)
# Read a bit more than one chunk (600 * 1024).
expected_size = 750 * 1024
args = transfer.MultiGetFileArgs(pathspecs=[pathspec],
file_size=expected_size)
for _ in test_lib.TestFlowHelper("MultiGetFile",
client_mock,
token=self.token,
client_id=self.client_id,
args=args):
pass
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
pathspec, self.client_id)
blobimage = aff4.FACTORY.Open(urn, token=self.token)
# Make sure a VFSBlobImage got written.
self.assertTrue(isinstance(blobimage, aff4_grr.VFSBlobImage))
self.assertEqual(len(blobimage), expected_size)
data = blobimage.read(100 * expected_size)
self.assertEqual(len(data), expected_size)
expected_data = open(image_path, "rb").read(expected_size)
self.assertEqual(data, expected_data)
hash_obj = blobimage.Get(blobimage.Schema.HASH)
d = hashlib.sha1()
d.update(expected_data)
expected_hash = d.hexdigest()
self.assertEqual(hash_obj.sha1, expected_hash)
def checkClickingOnDownloadAsStartsDownloadForType(self, mock_method,
plugin,
plugin_display_name):
pathspec = rdf_paths.PathSpec(path=os.path.join(
self.base_path, "test.plist"),
pathtype=rdf_paths.PathSpec.PathType.OS)
flow_urn = flow.GRRFlow.StartFlow(
flow_name=flows_transfer.GetFile.__name__,
client_id=self.client_id,
pathspec=pathspec,
token=self.token)
flow_test_lib.TestFlowHelper(flow_urn,
self.action_mock,
client_id=self.client_id,
token=self.token)
self.Open("/#/clients/%s/flows/%s" %
(self.client_id, flow_urn.Basename()))
self.Click("link=Results")
self.Select("id=plugin-select", plugin_display_name)
self.Click("css=grr-download-collection-as button[name='download-as']")
def MockMethodIsCalled():
try:
# Mock should be called twice: once for HEAD (to check permissions)
# and once for GET methods.
mock_method.assert_called_with(
api_flow.ApiGetExportedFlowResultsArgs(
client_id=self.client_id,
flow_id=flow_urn.Basename(),
plugin_name=plugin),
token=mock.ANY)
return True
except AssertionError:
return False
self.WaitUntil(MockMethodIsCalled)
def testDeleteMultipleRoots(self):
temp_dir = "grr_temp"
test_data = self._SetUpTempDirStructure(temp_dir)
roots, _, invalid_temp_dirs, temp_files, other_files = test_data
with test_lib.ConfigOverrider({
"Client.tempdir_roots": roots,
"Client.grr_tempdir": temp_dir
}):
result = self.RunAction(tempfiles.DeleteGRRTempFiles,
rdf_paths.PathSpec())
self.assertEqual(len(result), 1)
log = result[0].data
for f in temp_files:
self.assertIn(f, log)
for f in invalid_temp_dirs:
self.assertNotIn(f, log)
for f in temp_files:
self.assertFalse(os.path.exists(f))
for f in other_files:
self.assertTrue(os.path.exists(f))
def testFindWithMaxFiles(self):
"""Test that the Find flow works when specifying proto directly."""
client_mock = action_mocks.ActionMock("Find")
output_path = "analysis/FindFlowTest4"
# Prepare a findspec.
findspec = rdf_client.FindSpec(
path_regex=".*",
pathspec=rdf_paths.PathSpec(path="/",
pathtype=rdf_paths.PathSpec.PathType.OS))
for _ in test_lib.TestFlowHelper(
"FindFiles", client_mock, client_id=self.client_id, token=self.token,
findspec=findspec, iteration_count=3, output=output_path,
max_results=7):
pass
# Check the output file is created
fd = aff4.FACTORY.Open(self.client_id.Add(output_path), token=self.token)
# Make sure we got the right number of results.
self.assertEqual(len(fd), 7)
def testExistingFileStat(self):
bash_stat = {
"st_ctime": rdfvalue.RDFDatetimeSeconds(1299502221),
"st_rdev": 0,
"st_mtime": rdfvalue.RDFDatetimeSeconds(1284154642),
"st_blocks": 16,
"st_nlink": 1,
"st_gid": 0,
"st_blksize": 4096,
"pathspec": rdf_paths.PathSpec(
path="/bin/bash",
pathtype="OS",
path_options="CASE_LITERAL"),
"st_dev": 51713,
"st_size": 4874,
"st_ino": 1026148,
"st_uid": 0,
"st_mode": rdf_client.StatMode(33261),
"st_atime": rdfvalue.RDFDatetimeSeconds(1299502220)
}
bash_path = os.path.join("/", self.client_name, "fs/os/c/bin/bash")
self.assertItemsEqual(self.passthrough.getattr(bash_path), bash_stat)
class TestNetworkFlowLimit(base.AutomatedTest):
"""Test limit on bytes transferred for a flow."""
platforms = ["Linux", "Darwin"]
flow = "GetFile"
args = {
"pathspec": rdf_paths.PathSpec(path="/bin/bash",
pathtype=rdf_paths.PathSpec.PathType.OS),
"network_bytes_limit": 500 * 1024
}
test_output_path = "/fs/os/bin/bash"
def CheckFlow(self):
# Reopen the object to check the state. We use OpenWithLock to avoid
# reading old state.
with aff4.FACTORY.OpenWithLock(
self.session_id, token=self.token) as flow_obj:
# Make sure we transferred approximately the right amount of data.
self.assertAlmostEqual(flow_obj.state.context.network_bytes_sent,
500 * 1024, delta=30000)
backtrace = flow_obj.state.context.get("backtrace", "")
self.assertIsNotNone(backtrace)
self.assertTrue("Network bytes limit exceeded." in backtrace)
def setUp(self):
super(DeleteGRRTempFiles, self).setUp()
filename = "%s_blah" % config_lib.CONFIG["Client.tempfile_prefix"]
self.tempfile = utils.JoinPath(self.temp_dir,
"delete_test", filename)
self.dirname = os.path.dirname(self.tempfile)
os.makedirs(self.dirname)
self.tempdir_overrider = test_lib.ConfigOverrider({
"Client.tempdir_roots": [os.path.dirname(self.dirname)],
"Client.grr_tempdir": os.path.basename(self.dirname)})
self.tempdir_overrider.Start()
self.not_tempfile = os.path.join(self.temp_dir, "notatempfile")
open(self.not_tempfile, "w").write("something")
self.temp_fd = tempfiles.CreateGRRTempFile(self.dirname)
self.temp_fd2 = tempfiles.CreateGRRTempFile(self.dirname)
self.assertTrue(os.path.exists(self.not_tempfile))
self.assertTrue(os.path.exists(self.temp_fd.name))
self.assertTrue(os.path.exists(self.temp_fd2.name))
self.pathspec = rdf_paths.PathSpec(
path=self.dirname, pathtype=rdf_paths.PathSpec.PathType.OS)
def testGetFile(self):
"""Test that the GetFile flow works."""
client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile")
pathspec = rdf_paths.PathSpec(
pathtype=rdf_paths.PathSpec.PathType.OS,
path=os.path.join(self.base_path, "test_img.dd"))
for _ in test_lib.TestFlowHelper("GetFile", client_mock, token=self.token,
client_id=self.client_id,
pathspec=pathspec):
pass
# Fix path for Windows testing.
pathspec.path = pathspec.path.replace("\\", "/")
# Test the AFF4 file that was created.
urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, self.client_id)
fd1 = aff4.FACTORY.Open(urn, token=self.token)
fd2 = open(pathspec.path)
fd2.seek(0, 2)
self.assertEqual(fd2.tell(), int(fd1.Get(fd1.Schema.SIZE)))
self.CompareFDs(fd1, fd2)
def testShowsNotificationWhenArchiveGenerationIsDone(self):
pathspec = rdf_paths.PathSpec(
path=os.path.join(self.base_path, "test.plist"),
pathtype=rdf_paths.PathSpec.PathType.OS)
flow_urn = flow.GRRFlow.StartFlow(
flow_name=flows_transfer.GetFile.__name__,
client_id=self.client_id,
pathspec=pathspec,
token=self.token)
for _ in flow_test_lib.TestFlowHelper(
flow_urn, self.action_mock, client_id=self.client_id, token=self.token):
pass
self.Open("/#c=C.0000000000000001")
self.Click("css=a[grrtarget='client.flows']")
self.Click("css=td:contains('GetFile')")
self.Click("link=Results")
self.Click("css=button.DownloadButton")
self.WaitUntil(self.IsTextPresent, "Generation has started")
self.WaitUntil(self.IsUserNotificationPresent,
"Downloaded archive of flow %s" % flow_urn.Basename())
def CreateSampleHunt(description, token=None):
hunts.GRRHunt.StartHunt(
hunt_name="GenericHunt",
description=description,
flow_runner_args=rdf_flows.FlowRunnerArgs(flow_name="GetFile"),
flow_args=transfer.GetFileArgs(pathspec=rdf_paths.PathSpec(
path="/tmp/evil.txt",
pathtype=rdf_paths.PathSpec.PathType.TSK,
)),
client_rule_set=rdf_foreman.ForemanClientRuleSet(rules=[
rdf_foreman.ForemanClientRule(
rule_type=rdf_foreman.ForemanClientRule.Type.REGEX,
regex=rdf_foreman.ForemanRegexClientRule(
attribute_name="GRR client", attribute_regex="GRR"))
]),
output_plugins=[
output_plugin.OutputPluginDescriptor(
plugin_name="DummyOutputPlugin",
plugin_args=DummyOutputPlugin.args_type(
filename_regex="blah!", fetch_binaries=True))
],
client_rate=60,
token=token)
def testRegistryListing(self):
"""Test our ability to list registry keys."""
reg = rdf_paths.PathSpec.PathType.REGISTRY
with test_lib.VFSOverrider(reg, test_lib.FakeRegistryVFSHandler):
pathspec = rdf_paths.PathSpec(
pathtype=rdf_paths.PathSpec.PathType.REGISTRY,
path=("/HKEY_USERS/S-1-5-20/Software/Microsoft"
"/Windows/CurrentVersion/Run"))
expected_names = {
"MctAdmin": stat.S_IFDIR,
"Sidebar": stat.S_IFDIR
}
expected_data = [
u"%ProgramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun",
u"%TEMP%\\Sidebar.exe"
]
for f in vfs.VFSOpen(pathspec).ListFiles():
base, name = os.path.split(f.pathspec.CollapsePath())
self.assertEqual(base, pathspec.CollapsePath())
self.assertIn(name, expected_names)
self.assertIn(f.registry_data.GetValue(), expected_data)
def testNestedProtobufAssignment(self):
"""Check that we can assign a nested protobuf."""
container = rdf_rekall_types.RekallRequest()
pathspec = rdf_paths.PathSpec(path=r"\\.\pmem", pathtype=1)
# Should raise - incompatible RDFType.
self.assertRaises(ValueError, setattr, container, "device",
rdfvalue.RDFString("hello"))
# Should raise - incompatible RDFProto type.
self.assertRaises(ValueError, setattr, container, "device",
rdf_client.StatEntry(st_size=5))
# Assign directly.
container.device = pathspec
self.assertEqual(container.device.path, r"\\.\pmem")
# Clear the field.
container.device = None
# Check the protobuf does not have the field set at all.
self.assertFalse(container.HasField("device"))
def ReadTestImage(self, size_threshold):
path = os.path.join(self.base_path, "test_img.dd")
urn = rdfvalue.RDFURN(self.client_id.Add("fs/os").Add(path))
pathspec = rdf_paths.PathSpec(path=path,
pathtype=rdf_paths.PathSpec.PathType.OS)
client_mock = action_mocks.ActionMock("FingerprintFile", "HashBuffer",
"HashFile", "StatFile", "Find",
"TransferBuffer", "ReadBuffer")
# Get everything as an AFF4SparseImage
for _ in test_lib.TestFlowHelper("MakeNewAFF4SparseImage",
client_mock,
client_id=self.client_id,
token=self.token,
size_threshold=size_threshold,
pathspec=pathspec):
pass
fd = aff4.FACTORY.Open(urn, token=self.token)
return fd
class MockVFSHandler(vfs.VFSHandler):
"""A mock VFS handler with fake files."""
children = []
for x in range(10):
child = rdf_client.StatEntry(pathspec=rdf_paths.PathSpec(
path="Foo%s" % x, pathtype=rdf_paths.PathSpec.PathType.OS))
children.append(child)
supported_pathtype = rdf_paths.PathSpec.PathType.OS
def __init__(self, base_fd, pathspec=None, progress_callback=None,
full_pathspec=None):
super(MockVFSHandler, self).__init__(
base_fd, pathspec=pathspec, progress_callback=progress_callback,
full_pathspec=full_pathspec)
self.pathspec.Append(pathspec)
def ListFiles(self):
return self.children
def IsDirectory(self):
return self.pathspec.path == "/"
def ParseRunKeys(self, responses):
"""Get filenames from the RunKeys and download the files."""
filenames = []
client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
kb = artifact.GetArtifactKnowledgeBase(client)
for response in responses:
runkey = response.registry_data.string
environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
path_guesses = path_detection_windows.DetectExecutablePaths([runkey],
environ_vars)
if not path_guesses:
self.Log("Couldn't guess path for %s", runkey)
for path in path_guesses:
filenames.append(
rdf_paths.PathSpec(
path=path, pathtype=rdf_paths.PathSpec.PathType.TSK))
if filenames:
self.CallFlow("MultiGetFile", pathspecs=filenames, next_state="Done")
def testTSKFileInode(self):
"""Test opening a file through an indirect pathspec."""
pathspec = rdf_paths.PathSpec(
path=os.path.join(self.base_path, "test_img.dd"),
pathtype=rdf_paths.PathSpec.PathType.OS)
pathspec.Append(
pathtype=rdf_paths.PathSpec.PathType.TSK,
inode=12,
path="/Test Directory")
pathspec.Append(
pathtype=rdf_paths.PathSpec.PathType.TSK, path="numbers.txt")
fd = vfs.VFSOpen(pathspec)
# Check that the new pathspec is correctly reduced to two components.
self.assertEqual(
fd.pathspec.first.path,
utils.NormalizePath(os.path.join(self.base_path, "test_img.dd")))
self.assertEqual(fd.pathspec[1].path, "/Test Directory/numbers.txt")
# And the correct inode is placed in the final branch.
self.assertEqual(fd.Stat().pathspec.nested_path.inode, 15)
self.TestFileHandling(fd)
def testFindActionCrossDev(self):
"""Test that devices boundaries don't get crossed, also by default."""
pathspec = rdf_paths.PathSpec(
path="/mock2/", pathtype=rdf_paths.PathSpec.PathType.OS)
request = rdf_client.FindSpec(
pathspec=pathspec, cross_devs=True, path_regex=".")
request.iterator.number = 200
results = self.RunAction(searching.Find, request)
all_files = [x.hit for x in results if isinstance(x, rdf_client.FindSpec)]
self.assertEqual(len(all_files), 9)
request = rdf_client.FindSpec(
pathspec=pathspec, cross_devs=False, path_regex=".")
request.iterator.number = 200
results = self.RunAction(searching.Find, request)
all_files = [x.hit for x in results if isinstance(x, rdf_client.FindSpec)]
self.assertEqual(len(all_files), 7)
request = rdf_client.FindSpec(pathspec=pathspec, path_regex=".")
request.iterator.number = 200
results = self.RunAction(searching.Find, request)
all_files = [x.hit for x in results if isinstance(x, rdf_client.FindSpec)]
self.assertEqual(len(all_files), 7)
def testDownloadFilesPanelIsShownWhenNewResultsAreAdded(self):
f = flow.GRRFlow.StartFlow(
client_id=self.client_id,
flow_name=gui_test_lib.RecursiveTestFlow.__name__,
token=self.token)
with data_store.DB.GetMutationPool() as pool:
flow.GRRFlow.ResultCollectionForFID(f).Add(
rdfvalue.RDFString("foo-result"), mutation_pool=pool)
self.Open("/#/clients/%s" % self.client_id)
# Ensure auto-refresh updates happen every second.
self.GetJavaScriptValue(
"grrUi.core.resultsCollectionDirective.setAutoRefreshInterval(1000);"
)
# Go to the flows page without refreshing the page, so that
# AUTO_REFRESH_INTERVAL_MS setting is not reset.
self.Click("css=a[grrtarget='client.flows']")
self.Click("css=tr:contains('%s')" % f.Basename())
self.Click("css=li[heading=Results]:not([disabled]")
self.WaitUntil(self.IsElementPresent,
"css=grr-results-collection td:contains('foo-result')")
self.WaitUntilNot(
self.IsElementPresent,
"css=grr-results-collection grr-download-collection-files")
stat_entry = rdf_client.StatEntry(pathspec=rdf_paths.PathSpec(
path="/foo/bar", pathtype=rdf_paths.PathSpec.PathType.OS))
with data_store.DB.GetMutationPool() as pool:
flow.GRRFlow.ResultCollectionForFID(f).Add(stat_entry,
mutation_pool=pool)
self.WaitUntil(
self.IsElementPresent,
"css=grr-results-collection grr-download-collection-files")
def Start(self):
"""Issue the find request."""
super(FileFinder, self).Start()
if not self.args.paths:
# Nothing to do.
return
self.state.Register("files_found", 0)
self.state.Register("sorted_conditions",
sorted(self.args.conditions, key=self._ConditionWeight))
self.state.file_size = self.args.file_size
if self.args.pathtype in (rdf_paths.PathSpec.PathType.MEMORY,
rdf_paths.PathSpec.PathType.REGISTRY):
# Memory and Registry StatEntries won't pass the file type check.
self.args.no_file_type_check = True
if self.args.pathtype == rdf_paths.PathSpec.PathType.MEMORY:
# If pathtype is MEMORY, we're treating provided paths not as globs,
# but as paths to memory devices.
for path in self.args.paths:
pathspec = rdf_paths.PathSpec(
path=utils.SmartUnicode(path),
pathtype=rdf_paths.PathSpec.PathType.MEMORY)
aff4path = aff4.AFF4Object.VFSGRRClient.PathspecToURN(
pathspec, self.client_id)
stat_entry = rdf_client.StatEntry(aff4path=aff4path, pathspec=pathspec)
self.ApplyCondition(FileFinderResult(stat_entry=stat_entry),
condition_index=0)
else:
self.GlobForPaths(self.args.paths, pathtype=self.args.pathtype,
no_file_type_check=self.args.no_file_type_check)
def DumpProcess(self, psutil_process, args):
response = rdf_yara.YaraProcessDumpInformation()
response.process = rdf_client.Process.FromPsutilProcess(psutil_process)
process = client_utils.OpenProcessForMemoryAccess(pid=psutil_process.pid)
bytes_limit = args.size_limit
with process:
streamer = streaming.MemoryStreamer(process, chunk_size=args.chunk_size)
with tempfiles.TemporaryDirectory(cleanup=False) as tmp_dir:
for start, length in client_utils.MemoryRegions(process, args):
if bytes_limit and self.bytes_written + length > bytes_limit:
response.error = ("Byte limit exceeded. Wrote %d bytes, "
"next block is %d bytes, limit is %d." %
(self.bytes_written, length, bytes_limit))
return response
end = start + length
filename = "%s_%d_%x_%x.tmp" % (psutil_process.name(),
psutil_process.pid, start, end)
filepath = os.path.join(tmp_dir.path, filename)
bytes_written = self._SaveMemDumpToFilePath(filepath, streamer, start,
length)
if not bytes_written:
continue
self.bytes_written += bytes_written
response.dump_files.Append(
rdf_paths.PathSpec(
path=filepath, pathtype=rdf_paths.PathSpec.PathType.TMPFILE))
return response
def CreateGRRTempFileVFS(directory=None,
filename=None,
lifetime=0,
mode="w+b",
suffix=""):
"""Creates a GRR VFS temp file.
This function is analogous to CreateGRRTempFile but returns an open VFS handle
to the newly created file. Arguments are the same as for CreateGRRTempFile:
Args:
directory: string representing absolute directory where file should be
written. If None, use 'tmp' under the directory we're running
from.
filename: The name of the file to use. Note that setting both filename and
directory name is not allowed.
lifetime: time in seconds before we should delete this tempfile.
mode: The mode to open the file.
suffix: optional suffix to use for the temp file
Returns:
An open file handle to the new file and the corresponding pathspec.
"""
fd = CreateGRRTempFile(
directory=directory,
filename=filename,
lifetime=lifetime,
mode=mode,
suffix=suffix)
pathspec = rdf_paths.PathSpec(
path=fd.name, pathtype=rdf_paths.PathSpec.PathType.TMPFILE)
return fd, pathspec
def testAttributesOfFileFoundInHashFileStoreAreSetCorrectly(self):
client_ids = self.SetupClients(2)
filename = os.path.join(self.base_path, "tcpip.sig")
pathspec = rdf_paths.PathSpec(pathtype=rdf_paths.PathSpec.PathType.OS,
path=filename)
urn1 = pathspec.AFF4Path(client_ids[0])
urn2 = pathspec.AFF4Path(client_ids[1])
for client_id in client_ids:
client_mock = action_mocks.FileFinderClientMock()
for _ in flow_test_lib.TestFlowHelper(
file_finder.FileFinder.__name__,
client_mock,
token=self.token,
client_id=client_id,
paths=[filename],
action=rdf_file_finder.FileFinderAction(
action_type=rdf_file_finder.FileFinderAction.Action.
DOWNLOAD)):
pass
# Running worker to make sure FileStore.AddFileToStore event is processed
# by the worker.
worker = worker_test_lib.MockWorker(token=self.token)
worker.Simulate()
fd1 = aff4.FACTORY.Open(urn1, token=self.token)
self.assertTrue(isinstance(fd1, aff4_grr.VFSBlobImage))
fd2 = aff4.FACTORY.Open(urn2, token=self.token)
self.assertTrue(isinstance(fd2, aff4_grr.VFSBlobImage))
self.assertTrue(fd1.Get(fd1.Schema.STAT))
self.assertTrue(fd2.Get(fd2.Schema.STAT))
self.assertEqual(fd1.Get(fd1.Schema.SIZE), fd2.Get(fd2.Schema.SIZE))
self.assertEqual(fd1.Get(fd1.Schema.CONTENT_LAST),
fd2.Get(fd2.Schema.CONTENT_LAST))
