def GetFiles(self, source, path_type, max_size):
"""Get a set of files."""
new_path_list = []
for path in source.attributes["paths"]:
# Interpolate any attributes from the knowledgebase.
new_path_list.extend(
artifact_utils.InterpolateKbAttributes(
path,
self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors))
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=file_finder.FileFinderDownloadActionOptions(
max_size=max_size))
self.CallFlow("FileFinder",
paths=new_path_list,
pathtype=path_type,
action=action,
file_size=max_size,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessFileFinderResults")
class TestFileFinderOSLinuxProc(transfer.TestGetFileOSLinux):
"""Download a /proc/sys entry with FileFinder."""
platforms = ["Linux"]
flow = "FileFinder"
test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
client_min_version = 3007
sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {
"paths": ["/proc/sys/net/ipv4/ip_forward"],
"conditions": filecondition,
"action": action
}
def CheckFile(self, fd):
data = fd.Read(10)
# Some value was read from the sysctl.
self.assertTrue(data)
class TestFileFinderOSDarwin(base.VFSPathContentIsMachO):
platforms = ["Darwin"]
flow = "FileFinder"
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["/bin/ps"], "action": action}
test_output_path = "/fs/os/bin/ps"
class TestFileFinderTSKWindows(TestFileFinderOSWindows):
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"
args = {"paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
"action": action,
"pathtype": "TSK"}
class TestFileFinderTSKWindows(base.VFSPathContentIsPE):
"""Download notepad with TSK on windows."""
platforms = ["Windows"]
flow = "FileFinder"
test_output_path = "/fs/tsk/.*/Windows/System32/notepad.exe"
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
"action": action,
"pathtype": "TSK"}
class TestFileFinderOSLinux(base.VFSPathContentIsELF):
"""Download a file with FileFinder."""
platforms = ["Linux"]
flow = "FileFinder"
test_output_path = "/fs/os/bin/ps"
sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["/bin/ps"],
"conditions": filecondition,
"action": action}
class TestFileFinderOSLinuxProc(base.VFSPathContentExists):
"""Download a /proc/sys entry with FileFinder."""
platforms = ["Linux"]
flow = "FileFinder"
test_output_path = "/fs/os/proc/sys/net/ipv4/ip_forward"
client_min_version = 3007
sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["/proc/sys/net/ipv4/ip_forward"],
"conditions": filecondition,
"action": action}
class TestFileFinderOSWindows(transfer.TestGetFileOSWindows):
"""Download a file with FileFinder.
Exercise globbing, interpolation and filtering.
"""
flow = "FileFinder"
test_output_path = "/fs/os/.*/Windows/System32/notepad.exe"
sizecondition = file_finder.FileFinderSizeCondition(max_file_size=1000000)
filecondition = file_finder.FileFinderCondition(
condition_type=file_finder.FileFinderCondition.Type.SIZE,
size=sizecondition)
download = file_finder.FileFinderDownloadActionOptions()
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=download)
args = {"paths": ["%%environ_systemroot%%\\System32\\notepad.*"],
"conditions": filecondition,
"action": action}
