def testGetClientsForHashesWithAge(self):
    """Check that GetClientsForHashes filters its hits by the `age` argument.

    The two files are added while time.time() is stubbed to return 42. The
    lookups then use age=41e6 (expects no hits), age=43e6 (expects both
    hashes) and the default age (expects both hashes).
    """
    # NOTE(review): the listing lost its indentation; only the two AddFile
    # calls are assumed to run under the stubbed clock -- confirm.
    with utils.Stubber(time, "time", lambda: 42):
        for image_path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
            self.AddFile(image_path)

    md5_hash = rdfvalue.FileStoreHash(
        fingerprint_type="generic",
        hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
    sha1_hash = rdfvalue.FileStoreHash(
        fingerprint_type="generic",
        hash_type="sha1",
        hash_value="e1f7e62b3909263f3a2518bbae6a9ee36d5b502b")

    # (extra keyword arguments, number of hashes expected to have hits)
    # presumably the age values are microseconds, so 41e6/43e6 bracket the
    # stubbed write time of 42 seconds -- confirm against the age spec parser.
    cases = (
        ({"age": 41e6}, 0),
        ({"age": 43e6}, 2),
        ({}, 2),
    )
    for age_kwargs, expected_count in cases:
        hits = dict(aff4.HashFileStore.GetClientsForHashes(
            [md5_hash, sha1_hash], token=self.token, **age_kwargs))
        self.assertEqual(len(hits), expected_count)
def testGetClientsForHashes(self):
    """Check that each queried hash maps to the one file that produced it.

    Two files are added, then looked up by the md5 of the first and the sha1
    of the second; each lookup must return exactly the matching client URN.
    """
    self.AddFile("/Ext2IFS_1_10b.exe")
    self.AddFile("/idea.dll")

    exe_md5 = rdfvalue.FileStoreHash(
        fingerprint_type="generic",
        hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
    dll_sha1 = rdfvalue.FileStoreHash(
        fingerprint_type="generic",
        hash_type="sha1",
        hash_value="e1f7e62b3909263f3a2518bbae6a9ee36d5b502b")

    hits = dict(aff4.HashFileStore.GetClientsForHashes(
        [exe_md5, dll_sha1], token=self.token))
    self.assertEqual(len(hits), 2)

    # Each hash must resolve to a single URN under the client's fs/tsk tree.
    expectations = (
        (exe_md5, "winexec_img.dd/Ext2IFS_1_10b.exe"),
        (dll_sha1, "winexec_img.dd/idea.dll"),
    )
    for wanted_hash, relative_path in expectations:
        self.assertListEqual(hits[wanted_hash], [
            self.client_id.Add("fs/tsk").Add(
                self.base_path).Add(relative_path)
        ])
def testGetClientsForHashWithAge(self):
    """Check that GetClientsForHash filters its hits by the `age` argument.

    The files are added while time.time() is stubbed to return 42. The same
    md5 is then looked up with age=41e6 (no hits expected), age=43e6 (one
    hit) and the default age (one hit).
    """
    # NOTE(review): the listing lost its indentation; only the two AddFile
    # calls are assumed to run under the stubbed clock -- confirm.
    with utils.Stubber(time, "time", lambda: 42):
        for image_path in ("/Ext2IFS_1_10b.exe", "/idea.dll"):
            self.AddFile(image_path)

    # (extra keyword arguments, expected number of hits)
    cases = (
        ({"age": 41e6}, 0),
        ({"age": 43e6}, 1),
        ({}, 1),
    )
    for age_kwargs, expected_count in cases:
        # A fresh FileStoreHash is built for every lookup.
        exe_md5 = rdfvalue.FileStoreHash(
            fingerprint_type="generic",
            hash_type="md5",
            hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
        hits = list(aff4.HashFileStore.GetClientsForHash(
            exe_md5, token=self.token, **age_kwargs))
        self.assertEqual(len(hits), expected_count)
def testListHashes(self):
    """Check that ListHashes returns every digest stored for one added file.

    A single file is expected to produce five entries: pecoff md5 and sha1,
    and generic md5, sha1 and sha256.
    """
    self.AddFile("/Ext2IFS_1_10b.exe")
    hashes = list(aff4.HashFileStore.ListHashes(token=self.token))
    self.assertEqual(len(hashes), 5)

    # (fingerprint_type, hash_type, hash_value) of every expected entry.
    expected_entries = (
        ("pecoff", "md5", "a3a3259f7b145a21c7b512d876a5da06"),
        ("pecoff", "sha1", "019bddad9cac09f37f3941a7f285c79d3c7e7801"),
        ("generic", "md5", "bb0a15eefe63fd41f8dc9dee01c5cf9a"),
        ("generic", "sha1", "7dd6bee591dfcb6d75eb705405302c3eab65e21a"),
        ("generic", "sha256", ("0e8dc93e150021bb4752029ebbff51394aa36f06"
                               "9cf19901578e4f06017acdb5")),
    )
    for fingerprint_type, hash_type, hash_value in expected_entries:
        self.assertTrue(
            rdfvalue.FileStoreHash(
                fingerprint_type=fingerprint_type,
                hash_type=hash_type,
                hash_value=hash_value) in hashes)
def testExportWithDummyPlugin(self):
    """Run the hash file store export plugin end to end with a dummy output.

    A file is fetched with the GetFile flow, announced to the file store via
    a FileStore.AddFileToStore event, and then exported. The test expects
    DummyOutputPlugin.responses to hold the file's five FileStoreHash values.
    """
    # Nested pathspec: the OS-level image file, then a TSK path inside it.
    pathspec = rdfvalue.PathSpec(
        pathtype=rdfvalue.PathSpec.PathType.OS,
        path=os.path.join(self.base_path, "winexec_img.dd"))
    pathspec.Append(path="/Ext2IFS_1_10b.exe",
                    pathtype=rdfvalue.PathSpec.PathType.TSK)
    urn = aff4.AFF4Object.VFSGRRClient.PathspecToURN(pathspec, self.client_id)

    # Only these three client actions are mocked for the GetFile flow.
    client_mock = action_mocks.ActionMock("TransferBuffer", "StatFile",
                                          "HashBuffer")
    # The helper is iterated to exhaustion; its yielded values are not used.
    for _ in test_lib.TestFlowHelper(
            "GetFile", client_mock, token=self.token,
            client_id=self.client_id, pathspec=pathspec):
        pass

    # The event is published as an AUTHENTICATED message.
    # NOTE(review): presumably the listener ignores messages that are not
    # AUTHENTICATED -- confirm; a negative case with an unauthenticated
    # message would pin that behaviour.
    auth_state = rdfvalue.GrrMessage.AuthorizationState.AUTHENTICATED
    flow.Events.PublishEvent(
        "FileStore.AddFileToStore",
        rdfvalue.GrrMessage(payload=urn, auth_state=auth_state),
        token=self.token)

    # Simulate the worker so the published event is processed before export.
    worker = test_lib.MockWorker(token=self.token)
    worker.Simulate()

    # Drive the plugin through its own argparse configuration, selecting the
    # "dummy" output with "--threads 0".
    plugin = hash_file_store_plugin.HashFileStoreExportPlugin()
    parser = argparse.ArgumentParser()
    plugin.ConfigureArgParser(parser)
    plugin.Run(parser.parse_args(args=["--threads", "0", "dummy"]))

    # Read from the class attribute.
    # NOTE(review): state may carry over between tests unless it is reset
    # elsewhere -- confirm.
    responses = DummyOutputPlugin.responses

    self.assertEqual(len(responses), 5)
    for response in responses:
        self.assertTrue(isinstance(response, rdfvalue.FileStoreHash))

    # One file yields pecoff md5/sha1 plus generic md5/sha1/sha256.
    self.assertTrue(rdfvalue.FileStoreHash(
        fingerprint_type="pecoff", hash_type="md5",
        hash_value="a3a3259f7b145a21c7b512d876a5da06") in responses)
    self.assertTrue(rdfvalue.FileStoreHash(
        fingerprint_type="pecoff", hash_type="sha1",
        hash_value="019bddad9cac09f37f3941a7f285c79d3c7e7801") in responses)
    self.assertTrue(rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a") in responses)
    self.assertTrue(rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="sha1",
        hash_value="7dd6bee591dfcb6d75eb705405302c3eab65e21a") in responses)
    self.assertTrue(rdfvalue.FileStoreHash(
        fingerprint_type="generic", hash_type="sha256",
        hash_value="0e8dc93e150021bb4752029ebbff51394aa36f06"
        "9cf19901578e4f06017acdb5") in responses)
def ListHashes(token=None, age=aff4.NEWEST_TIME):
    """Yields every hash recorded in the file store.

    Args:
      token: Security token, instance of ACLToken. It is forwarded unchanged
             to aff4.FACTORY.MultiListChildren; how a missing token is
             handled is not visible in this function.
      age: AFF4 age specification. Only entries matching the given age spec
           are returned. Should be aff4.NEWEST_TIME or a time range given as
           a tuple (start, end) in microseconds since Jan 1st, 1970. A bare
           microseconds value is treated as the upper end of the range,
           i.e. (0, age). See aff4.FACTORY.ParseAgeSpecification for details.

    Yields:
      FileStoreHash instances, one per child listed under each
      fingerprint-type/hash-type directory of the file store.

    Raises:
      ValueError: if age was set to aff4.ALL_TIMES. Because this is a
                  generator, the error surfaces on first iteration.
    """
    if age == aff4.ALL_TIMES:
        raise ValueError("age==aff4.ALL_TIMES is not allowed.")

    # One directory URN per (fingerprint type, hash type) combination.
    directory_urns = [
        HashFileStore.PATH.Add(fingerprint_type).Add(hash_type)
        for fingerprint_type, hash_types
        in HashFileStore.HASH_TYPES.iteritems()
        for hash_type in hash_types
    ]

    listing = aff4.FACTORY.MultiListChildren(
        directory_urns, token=token, age=age)
    for _, children in listing:
        for child in children:
            yield rdfvalue.FileStoreHash(child)
def GetHitsForHashes(hashes, token=None, age=aff4.NEWEST_TIME):
    """Yields (hash, hits) pairs for all the specified hashes.

    Args:
      hashes: List of FileStoreHash instances.
      token: Security token. It is forwarded unchanged to the data store;
             how a missing token is handled is not visible in this function.
      age: AFF4 age specification. Only hits matching the given age spec are
           returned. Should be aff4.NEWEST_TIME or a time range given as a
           tuple (start, end) in microseconds since Jan 1st, 1970. A bare
           microseconds value is treated as the upper end of the range,
           i.e. (0, age). See aff4.FACTORY.ParseAgeSpecification for details.

    Yields:
      (hash, hits) tuples, where hash is a FileStoreHash built from the
      subject the data store returned and hits is a list holding the second
      field of every "index:target:.*" row found for that subject
      (presumably the URNs of files that have the hash -- confirm).

    Raises:
      ValueError: if age was set to aff4.ALL_TIMES. Because this is a
                  generator, the error surfaces on first iteration.

    Note:
      md5 and sha1 digests are collision-prone. A hit on one of those digest
      types alone is a lead, not proof that two files are identical; confirm
      with the sha256 entry before relying on the match.
    """
    if age == aff4.ALL_TIMES:
        raise ValueError("age==aff4.ALL_TIMES is not allowed.")

    timestamp = aff4.FACTORY.ParseAgeSpecification(age)
    resolved = data_store.DB.MultiResolveRegex(
        hashes, "index:target:.*", token=token, timestamp=timestamp)

    for subject, rows in resolved:
        # Each row is a 3-tuple; only its middle field is kept.
        targets = []
        for _, target, _ in rows:
            targets.append(target)
        yield (rdfvalue.FileStoreHash(subject), targets)
def testHashIsInitializedFromConstructorArguments(self):
    """A FileStoreHash built from keyword arguments equals the URN-built one.

    self.GenerateSample() is the reference value the keyword-built hash is
    compared against.
    """
    from_kwargs = rdfvalue.FileStoreHash(
        fingerprint_type="pecoff",
        hash_type="sha1",
        hash_value="eb875812858d27b22cb2b75f992dffadc1b05c60")
    reference = self.GenerateSample()
    self.assertEqual(from_kwargs, reference)
def testGetClientsForHash(self):
    """Check that a single md5 lookup returns only the matching file's URN.

    Two files are added; the md5 queried belongs to the first, so the second
    must not appear in the result.
    """
    self.AddFile("/Ext2IFS_1_10b.exe")
    self.AddFile("/idea.dll")

    exe_md5 = rdfvalue.FileStoreHash(
        fingerprint_type="generic",
        hash_type="md5",
        hash_value="bb0a15eefe63fd41f8dc9dee01c5cf9a")
    found = list(aff4.HashFileStore.GetClientsForHash(
        exe_md5, token=self.token))

    expected_urn = self.client_id.Add("fs/tsk").Add(
        self.base_path).Add("winexec_img.dd/Ext2IFS_1_10b.exe")
    self.assertListEqual(found, [expected_urn])
def GenerateSample(self, number=0):
    """Build a sample FileStoreHash from a pecoff/sha1 URN string.

    Args:
      number: Integer appended after the fixed 39 hex characters of the hash
              value. A single digit keeps the value at 40 characters.

    Returns:
      A FileStoreHash constructed from the formatted URN string.
    """
    urn_template = ("aff4:/files/hash/pecoff/sha1/"
                    "eb875812858d27b22cb2b75f992dffadc1b05c6%d")
    sample_urn = urn_template % number
    return rdfvalue.FileStoreHash(sample_urn)