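    def ParseRunKeys(self, responses):
        """Resolve RunKey registry values to executable paths and fetch them.

        Each response carries a registry value string (``registry_data.string``)
        from a Run/RunOnce key.  That string is a raw command line, so it is
        expanded against the client's knowledge-base environment map and handed
        to the Windows path detector, which may yield zero or several candidate
        paths.  Every candidate is turned into a TSK PathSpec and all of them
        are fetched in one MultiGetFile child flow.

        Args:
          responses: iterable of registry responses; only
            ``registry_data.string`` is read from each.

        Side effects:
          Opens the client AFF4 object read-only, logs one message per value
          whose path could not be guessed, and calls MultiGetFile (next state
          ``Done``) when at least one path was resolved.  Nothing is returned.
        """
        client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
        kb = artifact.GetArtifactKnowledgeBase(client)
        # The environment map depends only on the knowledge base, not on the
        # individual response, so build it once instead of once per RunKey.
        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        filenames = []
        for response in responses:
            runkey = response.registry_data.string

            # NOTE(review): on a compromised host this registry value is
            # attacker-controlled.  It is only used as input to the path
            # guesser and then as a PathSpec for a file fetch, never executed,
            # so a hostile value should at worst trigger a spurious download
            # -- confirm DetectExecutablePaths does not widen that.
            path_guesses = path_detection_windows.DetectExecutablePaths(
                [runkey], environ_vars)

            if not path_guesses:
                self.Log("Couldn't guess path for %s", runkey)
                continue

            filenames.extend(
                rdf_paths.PathSpec(
                    path=path, pathtype=rdf_paths.PathSpec.PathType.TSK)
                for path in path_guesses)

        if filenames:
            self.CallFlow(transfer.MultiGetFile.__name__,
                          pathspecs=filenames,
                          next_state="Done")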
    def testKnowledgeBaseRootAttributesGetMappedCorrectly(self):
        """Root-level ``environ_*`` fields map to lowercase variable names.

        Besides the one-to-one mappings, the derived aliases are checked:
        ``programdata`` mirrors ``allusersprofile`` and ``programw6432``
        mirrors ``programfiles``.
        """
        root_fields = {
            "environ_path": "the_path",
            "environ_temp": "the_temp",
            "environ_systemroot": "the_systemroot",
            "environ_windir": "the_windir",
            "environ_programfiles": "the_programfiles",
            "environ_programfilesx86": "the_programfilesx86",
            "environ_systemdrive": "the_systemdrive",
            "environ_allusersprofile": "the_allusersprofile",
            "environ_allusersappdata": "the_allusersappdata",
        }
        kb = rdf_client.KnowledgeBase(**root_fields)

        expected = {
            "allusersappdata": "the_allusersappdata",
            "allusersprofile": "the_allusersprofile",
            "path": "the_path",
            # Derived aliases, not separate knowledge-base fields.
            "programdata": "the_allusersprofile",
            "programfiles": "the_programfiles",
            "programfiles(x86)": "the_programfilesx86",
            "programw6432": "the_programfiles",
            "systemdrive": "the_systemdrive",
            "systemroot": "the_systemroot",
            "temp": "the_temp",
            "windir": "the_windir",
        }

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
        self.assertEqual(mapping, expected)
  def _GetFilePaths(self, path, pathtype, kb):
    """Turn a Windows command-line string into candidate file PathSpecs.

    Args:
      path: the raw command line to resolve; it may contain environment
        variables, quoting and trailing arguments.
      pathtype: the PathSpec.PathType stamped on every returned PathSpec.
      kb: client KnowledgeBase used to build the environment-variable map.

    Returns:
      A list of rdf_paths.PathSpec, one per guessed executable path, or an
      empty list when nothing plausible could be extracted.
    """
    env_map = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    candidates = path_detection_windows.DetectExecutablePaths([path], env_map)

    if candidates:
      return [
          rdf_paths.PathSpec(path=candidate, pathtype=pathtype)
          for candidate in candidates
      ]

    # TODO(user): yield a ParserAnomaly object
    return []
    def testKnowlegeBaseUsersAttributesExpandIntoLists(self):
        """Per-user fields are collected into lists, one entry per user.

        Two users with distinct values are appended; each of appdata,
        localappdata, userdomain and userprofile must then map to a list
        holding both users' values in insertion order.
        """
        per_user_fields = ("appdata", "localappdata", "userdomain",
                           "userprofile")

        kb = rdf_client.KnowledgeBase()
        for index in (1, 2):
            user_values = {
                field: "the_%s_%d" % (field, index) for field in per_user_fields
            }
            kb.users.append(rdf_client.User(**user_values))

        expected = {
            field: ["the_%s_1" % field, "the_%s_2" % field]
            for field in per_user_fields
        }

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
        self.assertEqual(mapping, expected)