def Collect(self, artifact_obj):
"""Collect the raw data from the client for this artifact."""
artifact_name = artifact_obj.name
test_conditions = list(artifact_obj.conditions)
# Turn supported_os into a condition.
if artifact_obj.supported_os:
filt = " OR ".join("os == '%s'" % o
for o in artifact_obj.supported_os)
test_conditions.append(filt)
# Check each of the conditions match our target.
for condition in test_conditions:
if not artifact_lib.CheckCondition(condition,
self.state.knowledge_base):
logging.debug("Artifact %s condition %s failed on %s",
artifact_name, condition, self.client_id)
self.state.artifacts_skipped_due_to_condition.append(
(artifact_name, condition))
return
# Call the collector defined action for each collector.
for collector in artifact_obj.collectors:
# Check conditions on the collector.
collector_conditions_met = True
if collector.conditions:
for condition in collector.conditions:
if not artifact_lib.CheckCondition(
condition, self.state.knowledge_base):
collector_conditions_met = False
if collector_conditions_met:
action_name = collector.action
self.current_artifact_name = artifact_name
if action_name == "Bootstrap":
# Can't do anything with a bootstrap action.
pass
elif action_name == "RunCommand":
self.RunCommand(collector)
elif action_name == "GetFile":
self.GetFiles(collector, self.state.path_type)
elif action_name == "GetFiles":
self.GetFiles(collector, self.state.path_type)
elif action_name == "Grep":
self.Grep(collector, self.state.path_type)
elif action_name == "ListFiles":
self.Glob(collector, self.state.path_type)
elif action_name == "GetRegistryKeys":
self.Glob(collector, rdfvalue.PathSpec.PathType.REGISTRY)
elif action_name == "GetRegistryValue":
self.GetRegistryValue(collector)
elif action_name == "GetRegistryValues":
self.GetRegistryValue(collector)
elif action_name == "WMIQuery":
self.WMIQuery(collector)
elif action_name == "VolatilityPlugin":
self.VolatilityPlugin(collector)
elif action_name == "CollectArtifacts":
self.CollectArtifacts(collector)
elif action_name == "CollectArtifactFiles":
self.CollectArtifactFiles(collector)
elif action_name == "RunGrrClientAction":
self.RunGrrClientAction(collector)
else:
raise RuntimeError("Invalid action %s in %s" %
(action_name, artifact_name))
else:
logging.debug(
"Artifact %s no collectors run due to all collectors "
"having failing conditons on %s", artifact_name,
self.client_id)
def Collect(self, artifact_obj):
"""Collect the raw data from the client for this artifact."""
artifact_name = artifact_obj.name
test_conditions = list(artifact_obj.conditions)
self.ConvertSupportedOSToConditions(artifact_obj, test_conditions)
# Check each of the conditions match our target.
for condition in test_conditions:
if not artifact_lib.CheckCondition(condition,
self.state.knowledge_base):
logging.debug("Artifact %s condition %s failed on %s",
artifact_name, condition, self.client_id)
self.state.artifacts_skipped_due_to_condition.append(
(artifact_name, condition))
return
# Call the source defined action for each source.
for source in artifact_obj.sources:
# Check conditions on the source.
source_conditions_met = True
self.ConvertSupportedOSToConditions(source, source.conditions)
if source.conditions:
for condition in source.conditions:
if not artifact_lib.CheckCondition(
condition, self.state.knowledge_base):
source_conditions_met = False
if source_conditions_met:
type_name = source.type
self.current_artifact_name = artifact_name
if type_name == artifact_lib.ArtifactSource.SourceType.COMMAND:
self.RunCommand(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.FILE:
self.GetFiles(source, self.state.path_type,
self.args.max_file_size)
elif type_name == artifact_lib.ArtifactSource.SourceType.GREP:
self.Grep(source, self.state.path_type)
elif type_name == artifact_lib.ArtifactSource.SourceType.LIST_FILES:
self.Glob(source, self.state.path_type)
elif type_name == artifact_lib.ArtifactSource.SourceType.PATH:
# GRR currently ignores PATH types, they are currently only useful
# to plaso during bootstrapping when the registry is unavailable.
pass
elif type_name == artifact_lib.ArtifactSource.SourceType.REGISTRY_KEY:
self.GetRegistryKey(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.REGISTRY_VALUE:
self.GetRegistryValue(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.WMI:
self.WMIQuery(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.REKALL_PLUGIN:
self.RekallPlugin(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.ARTIFACT:
self.CollectArtifacts(source)
elif type_name == artifact_lib.ArtifactSource.SourceType.ARTIFACT_FILES:
self.CollectArtifactFiles(source)
elif (type_name == artifact_lib.ArtifactSource.SourceType.
GRR_CLIENT_ACTION):
self.RunGrrClientAction(source)
else:
raise RuntimeError("Invalid type %s in %s" %
(type_name, artifact_name))
else:
logging.debug(
"Artifact %s no sources run due to all sources "
"having failing conditions on %s", artifact_name,
self.client_id)
def Collect(self, artifact_obj):
"""Collect the raw data from the client for this artifact."""
artifact_name = artifact_obj.name
test_conditions = list(artifact_obj.conditions)
self.ConvertSupportedOSToConditions(artifact_obj, test_conditions)
# Check each of the conditions match our target.
for condition in test_conditions:
if not artifact_lib.CheckCondition(condition, self.state.knowledge_base):
logging.debug("Artifact %s condition %s failed on %s",
artifact_name, condition, self.client_id)
self.state.artifacts_skipped_due_to_condition.append(
(artifact_name, condition))
return
# Call the collector defined action for each collector.
for collector in artifact_obj.collectors:
# Check conditions on the collector.
collector_conditions_met = True
self.ConvertSupportedOSToConditions(collector, collector.conditions)
if collector.conditions:
for condition in collector.conditions:
if not artifact_lib.CheckCondition(condition,
self.state.knowledge_base):
collector_conditions_met = False
if collector_conditions_met:
type_name = collector.collector_type
self.current_artifact_name = artifact_name
if type_name == rdfvalue.Collector.CollectorType.COMMAND:
self.RunCommand(collector)
elif type_name == rdfvalue.Collector.CollectorType.FILE:
self.GetFiles(collector, self.state.path_type,
self.args.max_file_size)
elif type_name == rdfvalue.Collector.CollectorType.GREP:
self.Grep(collector, self.state.path_type)
elif type_name == rdfvalue.Collector.CollectorType.LIST_FILES:
self.Glob(collector, self.state.path_type)
elif type_name == rdfvalue.Collector.CollectorType.REGISTRY_KEY:
self.Glob(collector, rdfvalue.PathSpec.PathType.REGISTRY)
elif type_name == rdfvalue.Collector.CollectorType.REGISTRY_VALUE:
self.GetRegistryValue(collector)
elif type_name == rdfvalue.Collector.CollectorType.WMI:
self.WMIQuery(collector)
elif type_name == rdfvalue.Collector.CollectorType.REKALL_PLUGIN:
self.RekallPlugin(collector)
elif type_name == rdfvalue.Collector.CollectorType.ARTIFACT:
self.CollectArtifacts(collector)
elif type_name == rdfvalue.Collector.CollectorType.ARTIFACT_FILES:
self.CollectArtifactFiles(collector)
elif type_name == rdfvalue.Collector.CollectorType.GRR_CLIENT_ACTION:
self.RunGrrClientAction(collector)
else:
raise RuntimeError("Invalid type %s in %s" % (type_name,
artifact_name))
else:
logging.debug("Artifact %s no collectors run due to all collectors "
"having failing conditons on %s", artifact_name,
self.client_id)