def testMultipleHits(self):
filename = "/fs/os/c/Downloads/grepfile.txt"
data = "random content here. I am a HIT!!" * 100
self.CreateFile(filename, data)
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.ALL_HITS, literal="HIT")
for s in test_lib.TestFlowHelper(
"SearchFileContent",
self.client_mock,
client_id=self.client_id,
paths=["/c/Downloads/grepfile.txt"],
pathtype=rdf_paths.PathSpec.PathType.OS,
grep=grepspec,
token=self.token):
session_id = s
# Check the output file is created
fd = aff4.FACTORY.Open(
session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)
self.assertEqual(len(fd), 100)
self.assertEqual(fd[15].offset, 523)
self.assertEqual(fd[38], "e. I am a HIT!!random c")
self.assertEqual(fd[99], "e. I am a HIT!!")
self.DeleteFile(filename)
def testPatternAtBufsize(self):
old_size = searching.Grep.BUFF_SIZE
try:
searching.Grep.BUFF_SIZE = 10000
filename = "/fs/os/c/Downloads/grepfile.txt"
data = "X" * (searching.Grep.BUFF_SIZE - len("HIT")) + "HIT" + "X" * 1000
self.CreateFile(filename, data)
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="HIT")
for s in test_lib.TestFlowHelper(
"SearchFileContent",
self.client_mock,
client_id=self.client_id,
paths=["/c/Downloads/grepfile.txt"],
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token,
grep=grepspec):
session_id = s
# Check the output file is created
fd = aff4.FACTORY.Open(
session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(fd[0].offset, searching.Grep.BUFF_SIZE - len("HIT"))
self.assertEqual(fd[0].length, 23)
self.DeleteFile(filename)
finally:
searching.Grep.BUFF_SIZE = old_size
def testPatternAtBufsize(self):
old_size = searching.Grep.BUFF_SIZE
try:
searching.Grep.BUFF_SIZE = 10000
filename = "/fs/os/c/Downloads/grepfile.txt"
data = "X" * (searching.Grep.BUFF_SIZE - len("HIT")) + "HIT" + "X" * 1000
self.CreateFile(filename, data)
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="HIT")
for s in flow_test_lib.TestFlowHelper(
grep.SearchFileContent.__name__,
self.client_mock,
client_id=self.client_id,
paths=["/c/Downloads/grepfile.txt"],
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token,
grep=grepspec):
session_id = s
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(fd), 1)
self.assertEqual(fd[0].offset, searching.Grep.BUFF_SIZE - len("HIT"))
self.assertEqual(fd[0].length, 23)
self.DeleteFile(filename)
finally:
searching.Grep.BUFF_SIZE = old_size
def testMultipleHits(self):
filename = "/fs/os/c/Downloads/grepfile.txt"
data = "random content here. I am a HIT!!" * 100
self.CreateFile(filename, data)
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.ALL_HITS, literal="HIT")
for s in flow_test_lib.TestFlowHelper(
grep.SearchFileContent.__name__,
self.client_mock,
client_id=self.client_id,
paths=["/c/Downloads/grepfile.txt"],
pathtype=rdf_paths.PathSpec.PathType.OS,
grep=grepspec,
token=self.token):
session_id = s
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(fd), 100)
self.assertEqual(fd[15].offset, 523)
self.assertEqual(fd[38], "e. I am a HIT!!random c")
self.assertEqual(fd[99], "e. I am a HIT!!")
self.DeleteFile(filename)
class TestGrepMemory(base.AutomatedTest):
"""Test ScanMemory."""
platforms = ["Windows"]
flow = "ScanMemory"
test_output_path = "analysis/grep/testing"
args = {
"also_download":
False,
"grep":
rdf_client.BareGrepSpec(literal="grr",
length=4 * 1024 * 1024 * 1024,
mode=rdf_client.GrepSpec.Mode.FIRST_HIT,
bytes_before=10,
bytes_after=10),
"output":
test_output_path
}
def CheckFlow(self):
collection = aff4.FACTORY.Open(self.client_id.Add(
self.test_output_path),
token=self.token)
self.assertIsInstance(collection, aff4.RDFValueCollection)
self.assertEqual(len(list(collection)), 1)
reference = collection[0]
self.assertEqual(reference.length, 23)
self.assertEqual(reference.data[10:10 + 3], "grr")
class TestSearchFilesGrep(base.AutomatedTest):
"""Test SearchFileContent with grep."""
platforms = ["Linux"]
flow = "SearchFileContent"
args = {"paths": ["/bin/ls*"],
"grep": rdf_client.BareGrepSpec(literal="ELF"),
"also_download": True}
def CheckFlow(self):
results = self.CheckCollectionNotEmptyWithRetry(
self.session_id.Add(flow_runner.RESULTS_SUFFIX), self.token)
for result in results:
self.assertTrue("ELF" in result.data)
self.assertTrue("ls" in result.pathspec.path)
class TestSearchFilesGrep(base.AutomatedTest):
"""Test SearchFileContent with grep."""
platforms = ["Linux"]
flow = "SearchFileContent"
test_output_path = "analysis/SearchFilesGrep/testing"
args = {"output": test_output_path,
"paths": ["/bin/ls*"],
"grep": rdf_client.BareGrepSpec(literal="ELF"),
"also_download": True}
def CheckFlow(self):
results = aff4.FACTORY.Open(self.client_id.Add(self.test_output_path),
token=self.token)
self.assertGreater(len(results), 1)
for result in results:
self.assertTrue("ELF" in result.data)
self.assertTrue("ls" in result.pathspec.path)
def testNormalGrep(self):
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="hello")
for s in flow_test_lib.TestFlowHelper(
grep.SearchFileContent.__name__,
self.client_mock,
client_id=self.client_id,
paths=["/proc/10/cmdline"],
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token,
grep=grepspec):
session_id = s
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(fd), 1)
self.assertEqual(fd[0].offset, 3)
self.assertEqual(fd[0], "ls\x00hello world\'\x00-l")
self.assertEqual(fd[0].length, 18)
def testScanMemory(self):
# Use a file in place of a memory image for simplicity
image_path = os.path.join(self.base_path, "numbers.txt")
self.CreateClient()
self.CreateSignedDriver()
class ClientMock(action_mocks.MemoryClientMock):
"""A mock which returns the image as the driver path."""
def GetMemoryInformation(self, _):
"""Mock out the driver loading code to pass the memory image."""
reply = rdf_rekall_types.MemoryInformation(
device=rdf_paths.PathSpec(
path=image_path,
pathtype=rdf_paths.PathSpec.PathType.OS))
reply.runs.Append(offset=0, length=1000000000)
return [reply]
args = dict(grep=rdf_client.BareGrepSpec(
literal="88",
mode="ALL_HITS",
),
output="analysis/grep/testing")
# Run the flow.
for _ in test_lib.TestFlowHelper("ScanMemory",
ClientMock("Grep"),
client_id=self.client_id,
token=self.token,
**args):
pass
fd = aff4.FACTORY.Open(rdfvalue.RDFURN(
self.client_id).Add("/analysis/grep/testing"),
token=self.token)
self.assertEqual(len(fd), 20)
self.assertEqual(fd[0].offset, 252)
self.assertEqual(fd[0].data, "\n85\n86\n87\n88\n89\n90\n91\n")
def testNormalGrep(self):
grepspec = rdf_client.BareGrepSpec(
mode=rdf_client.GrepSpec.Mode.FIRST_HIT, literal="hello")
for s in test_lib.TestFlowHelper(
"SearchFileContent",
self.client_mock,
client_id=self.client_id,
paths=["/proc/10/cmdline"],
pathtype=rdf_paths.PathSpec.PathType.OS,
token=self.token,
grep=grepspec):
session_id = s
# Check the output file is created
fd = aff4.FACTORY.Open(
session_id.Add(flow_runner.RESULTS_SUFFIX), token=self.token)
self.assertEqual(len(fd), 1)
self.assertEqual(fd[0].offset, 3)
self.assertEqual(fd[0], "ls\x00hello world\'\x00-l")
self.assertEqual(fd[0].length, 18)
