def GetArtifactKnowledgeBase(client_obj, allow_uninitialized=False):
  """Return the knowledge base stored on a GRR client, with fallbacks.

  Gives the artifact library one standard view of the data kept on the
  GRRClient object in the GRR datastore. The client's KNOWLEDGE_BASE is
  expected to have been filled in by the KnowledgeBaseInitialization flow;
  where that did not happen, a few values are guessed.

  Args:
    client_obj: A GRRClient object which is opened for reading.
    allow_uninitialized: If True, an empty knowledge base is accepted; a new
      one is created and passed to SetCoreGRRKnowledgeBaseValues.

  Returns:
    A KnowledgeBase semantic value.

  Raises:
    KnowledgeBaseUninitializedError: allow_uninitialized is False and the
      client has no knowledge base.
    KnowledgeBaseAttributesMissingError: allow_uninitialized is False and the
      knowledge base has no OS set.
  """
  schema = client_obj.Schema
  knowledge_base = client_obj.Get(schema.KNOWLEDGE_BASE)

  if not knowledge_base:
    if not allow_uninitialized:
      raise artifact_lib.KnowledgeBaseUninitializedError(
          "KnowledgeBase empty for %s." % client_obj.urn)
    # Caller accepts an uninitialized client: start from an empty knowledge
    # base and fill in the core values.
    knowledge_base = schema.KNOWLEDGE_BASE()
    SetCoreGRRKnowledgeBaseValues(knowledge_base, client_obj)
  elif not allow_uninitialized and not knowledge_base.os:
    raise artifact_lib.KnowledgeBaseAttributesMissingError(
        "KnowledgeBase missing OS for %s. Knowledgebase content: %s" %
        (client_obj.urn, knowledge_base))

  # Windows fallback values.
  # NOTE(review): the guess only runs when environ_allusersprofile is already
  # populated, and it then replaces that collected value with a hard-coded
  # path. The "guess if we don't have it" intent suggests the test may have
  # been meant to cover both values being absent. Confirm before relying on
  # these paths, since a wrong guess makes the knowledge base disagree with
  # the endpoint.
  needs_guess = (knowledge_base.os == "Windows" and
                 not knowledge_base.environ_allusersappdata and
                 knowledge_base.environ_allusersprofile)
  if needs_guess:
    # presumably os_major_version is always numeric here; verify against the
    # code that populates it.
    if knowledge_base.os_major_version >= 6:
      app_data = profile = u"c:\\programdata"
    else:
      app_data = (u"c:\\documents and settings\\All Users\\"
                  "Application Data")
      profile = u"c:\\documents and settings\\All Users"
    knowledge_base.environ_allusersappdata = app_data
    knowledge_base.environ_allusersprofile = profile

  return knowledge_base
def StartCollection(self, responses):
  """Validate and collect every artifact named in the flow arguments.

  Args:
    responses: Result of the preceding step; its success flag is checked
      before anything is collected.

  Raises:
    KnowledgeBaseUninitializedError: responses reports failure.
  """
  if not responses.success:
    raise artifact_lib.KnowledgeBaseUninitializedError(
        "Attempt to initialize Knowledge Base failed.")

  if not self.state.knowledge_base:
    # When this flow is itself processing the knowledge base, it won't exist
    # yet, so an uninitialized one is accepted here.
    self.client = aff4.FACTORY.Open(self.client_id, token=self.token)
    self.state.knowledge_base = artifact.GetArtifactKnowledgeBase(
        self.client, allow_uninitialized=True)

  for name in self.args.artifact_list:
    definition = self._GetArtifactFromName(name)
    # Check that the artifact was written sanely before acting on it. The
    # original author notes this could be removed if it proves expensive,
    # since artifact tests should catch bad definitions.
    # NOTE(review): if definitions can reach this flow without passing those
    # tests, this is the only validation visible here; confirm before
    # removing it.
    definition.Validate()
    self.Collect(definition)