def _FindMatchingPathspecs(self, response):
  """Returns the pathspecs to fetch for one persistence-mechanism response.

  A plain file ``StatEntry`` whose pathspec already points into a filesystem
  (TSK, OS or NTFS) is returned unchanged. Every other response is run
  through the Windows persistence parser, and the ``pathtype`` of each parsed
  pathspec is set to TSK or OS according to the flow arguments.

  Args:
    response: A single response from the persistence collection (for
      example a ``StatEntry`` or a ``WindowsServiceInformation``).

  Returns:
    A list of ``rdf_paths.PathSpec`` objects.
  """
  filesystem_types = (
      rdf_paths.PathSpec.PathType.TSK,
      rdf_paths.PathSpec.PathType.OS,
      rdf_paths.PathSpec.PathType.NTFS,
  )
  # A filesystem StatEntry needs neither parsing nor guessing: its own
  # pathspec is the answer.
  if isinstance(response, rdf_client_fs.StatEntry):
    if response.pathspec.pathtype in filesystem_types:
      return [response.pathspec]

  knowledge_base = _ReadClientKnowledgeBase(self.client_id)

  # Raw filesystem access (or the older use_tsk flag) means the parsed
  # entries are read through TSK; otherwise they go through the OS.
  raw_access = self.args.use_raw_filesystem_access or self.args.use_tsk
  path_type = (
      rdf_paths.PathSpec.PathType.TSK
      if raw_access else rdf_paths.PathSpec.PathType.OS)

  parser = windows_persistence.WindowsPersistenceMechanismsParser()
  pathspecs = []
  for item in parser.ParseResponse(knowledge_base, response):
    # The parser does not know the collection mode, so the pathtype is
    # stamped on here, on the parsed item's own pathspec.
    pathspec = item.pathspec
    pathspec.pathtype = path_type
    pathspecs.append(pathspec)
  return pathspecs
def testParse(self):
  """Each persistence entry parses to exactly one normalised image path.

  Covers a Run-key registry value carrying a command line with an argument,
  and three service image paths in the spellings commonly found in the
  registry (relative to system32, ``%systemroot%``-prefixed, and
  ``\\SystemRoot``-prefixed).
  """
  parser = windows_persistence.WindowsPersistenceMechanismsParser()

  # A REG_SZ Run-key value; the "/v" argument must be stripped from the path.
  run_key = (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion"
             r"\Run\test")
  run_key_stat = rdf_client_fs.StatEntry(
      pathspec=rdf_paths.PathSpec(
          path=run_key, pathtype=rdf_paths.PathSpec.PathType.REGISTRY),
      registry_type=rdf_client_fs.StatEntry.RegistryType.REG_SZ,
      registry_data=rdf_protodict.DataBlob(string="C:\\blah\\some.exe /v"))

  # Services sharing one registry key but with differently spelled images.
  service_key = "HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/services/AcpiPmi"
  service_entries = [
      rdf_client.WindowsServiceInformation(
          name="blah",
          display_name="GRRservice",
          image_path=image_path,
          registry_key=service_key)
      for image_path in (
          "system32\\drivers\\ACPI.sys",
          "%systemroot%\\system32\\svchost.exe -k netsvcs",
          "\\SystemRoot\\system32\\drivers\\acpipmi.sys",
      )
  ]
  persistence = [run_key_stat] + service_entries

  # The parser expands %systemroot% / \SystemRoot from the knowledge base.
  knowledge_base = rdf_client.KnowledgeBase()
  knowledge_base.environ_systemroot = "C:\\Windows"

  expected = [
      "C:\\blah\\some.exe",
      "C:\\Windows\\system32\\drivers\\ACPI.sys",
      "C:\\Windows\\system32\\svchost.exe",
      "C:\\Windows\\system32\\drivers\\acpipmi.sys",
  ]
  for item, expected_path in zip(persistence, expected):
    results = list(
        parser.Parse(item, knowledge_base, rdf_paths.PathSpec.PathType.OS))
    self.assertEqual(results[0].pathspec.path, expected_path)
    self.assertEqual(len(results), 1)
def FindMatchingPathspecs(self, response):
  """Returns the pathspecs to fetch for one persistence-mechanism response.

  A plain file ``StatEntry`` whose pathspec already points into a filesystem
  (TSK or OS) is returned unchanged. Every other response is run through the
  Windows persistence parser with the pathtype selected by the flow's
  ``use_tsk`` argument.

  Args:
    response: A single response from the persistence collection (for
      example a ``StatEntry`` or a ``WindowsServiceInformation``).

  Returns:
    A list of ``rdf_paths.PathSpec`` objects.
  """
  filesystem_types = (
      rdf_paths.PathSpec.PathType.TSK,
      rdf_paths.PathSpec.PathType.OS,
  )
  # A filesystem StatEntry needs neither parsing nor guessing: its own
  # pathspec is the answer.
  if isinstance(response, rdf_client.StatEntry):
    if response.pathspec.pathtype in filesystem_types:
      return [response.pathspec]

  # The knowledge base (e.g. environ_systemroot) is needed to expand the
  # registry-style paths the parser sees.
  client = aff4.FACTORY.Open(self.client_id, token=self.token)
  knowledge_base = artifact.GetArtifactKnowledgeBase(client)

  path_type = (
      rdf_paths.PathSpec.PathType.TSK
      if self.args.use_tsk else rdf_paths.PathSpec.PathType.OS)

  parser = windows_persistence.WindowsPersistenceMechanismsParser()
  parsed_items = parser.Parse(response, knowledge_base, path_type)
  pathspecs = []
  for item in parsed_items:
    pathspecs.append(item.pathspec)
  return pathspecs