def testMemoryImageLiteralMatchFilterWithSendToSocketAction(self):
literal_filter = rdfvalue.MemoryScannerFilter(
filter_type=rdfvalue.MemoryScannerFilter.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchFilter(
mode=rdfvalue.FileFinderContentsLiteralMatchFilter.Mode.
ALL_HITS,
literal="session opened for user dearjohn"))
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryScannerWithLocalCopyDumpOption(
gzip=False))
flow_urn, encrypted, decrypted = self.RunWithSendToSocket(
dump_option, filters=[literal_filter])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(
output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump)
def testMemoryImageWithoutLocalCopySendToSocket(self):
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITHOUT_LOCAL_COPY)
(flow_urn, encrypted,
decrypted) = self.RunWithSendToSocket(dump_option)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump)
def testMemoryImageWithoutLocalCopyDownload(self):
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITHOUT_LOCAL_COPY)
flow_obj = self.RunWithDownload(dump_option)
self.assertEqual(flow_obj.state.memory_src_path.path, self.memory_file)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(
flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file,
token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
def testMemoryImageLocalCopySendToSocketWithOffsetAndLength(self):
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryScannerWithLocalCopyDumpOption(
offset=10, length=42, gzip=False))
flow_urn, encrypted, decrypted = self.RunWithSendToSocket(dump_option)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump[10:52])
def testMemoryImageLocalCopyDownload(self):
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryScannerWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option)
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(
flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file,
token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
def testDoesNothingWhenFilterDoesNotMatch(self):
literal_filter = rdfvalue.MemoryScannerFilter(
filter_type=rdfvalue.MemoryScannerFilter.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchFilter(
mode=rdfvalue.FileFinderContentsLiteralMatchFilter.Mode.
ALL_HITS,
literal="session opened for user foobar"))
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryScannerWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option, filters=[literal_filter])
# Check that there are no matches
with self.assertRaises(aff4.InstantiationError):
aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# Assert nothing got downloaded
self.assertTrue("dest_path" not in flow_obj.state)
self.assertTrue("downloaded_file" not in flow_obj.state)
def testMemoryImageLiteralMatchFilterWithDownloadAction(self):
literal_filter = rdfvalue.MemoryScannerFilter(
filter_type=rdfvalue.MemoryScannerFilter.Type.LITERAL_MATCH,
literal_match=rdfvalue.FileFinderContentsLiteralMatchFilter(
mode=rdfvalue.FileFinderContentsLiteralMatchFilter.Mode.
ALL_HITS,
literal="session opened for user dearjohn"))
dump_option = rdfvalue.MemoryScannerDumpOption(
option_type=rdfvalue.MemoryScannerDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=rdfvalue.MemoryScannerWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option, filters=[literal_filter])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# First item of the collection is the BufferReference, second is the
# path of the downloaded
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(
output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(
flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file,
token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
