def Run(self, unused_args): """List all local filesystems mounted on this system.""" for fs_struct in client_utils_osx.GetFileSystems(): self.SendReply( rdf_client.Filesystem(device=fs_struct.f_mntfromname, mount_point=fs_struct.f_mntonname, type=fs_struct.f_fstypename)) drive_re = re.compile("r?disk[0-9].*") for drive in os.listdir("/dev"): if not drive_re.match(drive): continue path = os.path.join("/dev", drive) try: img_inf = pytsk3.Img_Info(path) # This is a volume or a partition - we send back a TSK device. self.SendReply(rdf_client.Filesystem(device=path)) vol_inf = pytsk3.Volume_Info(img_inf) for volume in vol_inf: if volume.flags == pytsk3.TSK_VS_PART_FLAG_ALLOC: offset = volume.start * vol_inf.info.block_size self.SendReply( rdf_client.Filesystem(device=path + ":" + str(offset), type="partition")) except (IOError, RuntimeError): continue
def testParse(self): filt = filters.ItemFilter() one = rdf_protodict.AttributedDict(test1="1", test2=[2, 3]) foo = rdf_protodict.AttributedDict(test1="foo", test2=["bar", "baz"]) fs = rdf_client.Filesystem(device="/dev/sda1", mount_point="/root") objs = [one, foo, fs] results = filt.Parse(objs, "test1 is '1'") self.assertEqual(1, len(results)) self.assertEqual("test1", results[0].key) self.assertEqual("1", results[0].value) results = filt.Parse(objs, "test1 is '2'") self.assertFalse(results) results = filt.Parse(objs, "test2 contains 3") self.assertEqual(1, len(results)) self.assertEqual("test2", results[0].key) self.assertEqual([2, 3], results[0].value) results = filt.Parse(objs, "test1 is '1' or test1 contains 'foo'") self.assertEqual(2, len(results)) self.assertEqual("test1", results[0].key) self.assertEqual("1", results[0].value) self.assertEqual("test1", results[1].key) self.assertEqual("foo", results[1].value) results = filt.Parse(objs, "mount_point is '/root'") self.assertEqual(1, len(results)) self.assertEqual("mount_point", results[0].key) self.assertEqual("/root", results[0].value)
def Parse(self, cmd, args, stdout, stderr, return_val, time_taken, knowledge_base): """Parse the mount command output.""" _ = stderr, time_taken, args, knowledge_base # Unused. self.CheckReturn(cmd, return_val) result = rdf_protodict.AttributedDict() for entry in self.ParseEntries(stdout): line_str = " ".join(entry) mount_rslt = self.mount_re.match(line_str) if mount_rslt: device, mount_point, fs_type, option_str = mount_rslt.groups() result = rdf_client.Filesystem() result.device = device result.mount_point = mount_point result.type = fs_type # Parse these options as a dict as some items may be key/values. # KeyValue parser uses OrderedDict as the native parser method. Use it. options = KeyValueParser( term=",").ParseToOrderedDict(option_str) # Keys without values get assigned [] by default. Because these keys are # actually true, if declared, change any [] values to True. for k, v in options.iteritems(): options[k] = v or [True] result.options = rdf_protodict.AttributedDict(**options) yield result
def Run(self, unused_args): """List all the filesystems mounted on the system.""" self.devices = {} # For now we check all the mounted filesystems. self.CheckMounts("/proc/mounts") self.CheckMounts("/etc/mtab") for device, (fs_type, mnt_point) in iteritems(self.devices): self.SendReply( rdf_client.Filesystem(mount_point=mnt_point, type=fs_type, device=device))
def Parse(self, unused_stat, file_obj, unused_knowledge_base): for entry in self.ParseEntries(file_obj.read()): if not entry: continue result = rdf_client.Filesystem() result.device = entry[0].decode("string_escape") result.mount_point = entry[1].decode("string_escape") result.type = entry[2].decode("string_escape") options = KeyValueParser(term=",").ParseToOrderedDict(entry[3]) # Keys without values get assigned [] by default. Because these keys are # actually true, if declared, change any [] values to True. for k, v in options.iteritems(): options[k] = v or [True] result.options = rdf_protodict.AttributedDict(**options) yield result
def Run(self, unused_args): """List all local filesystems mounted on this system.""" for drive in win32api.GetLogicalDriveStrings().split("\x00"): if drive: try: volume = win32file.GetVolumeNameForVolumeMountPoint( drive).rstrip("\\") label, _, _, _, fs_type = win32api.GetVolumeInformation( drive) self.SendReply( rdf_client.Filesystem( device=volume, mount_point="/%s:/" % drive[0], type=fs_type, label=UnicodeFromCodePage(label))) except win32api.error: pass
def EnumerateFilesystems(self, _): self.response_count += 1 return [rdf_client.Filesystem(device="/dev/sda", mount_point="/mnt/data")]