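def ParseRunKeys(self, responses):
    """Get filenames from the RunKeys and download the files.

    Every response carries a Run key value (a command line string) in
    ``response.registry_data.string``. Executable paths are guessed from that
    string, with Windows environment variables expanded from the client's
    knowledge base, and each guess is turned into a TSK pathspec. All
    collected pathspecs are then fetched with one ``MultiGetFile`` sub-flow
    whose next state is ``Done``.

    Args:
      responses: Registry value responses for the Run keys.
    """
    client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
    kb = artifact.GetArtifactKnowledgeBase(client)
    # The environment map depends only on the knowledge base, so build it
    # once instead of once per response.
    environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

    filenames = []
    for response in responses:
        runkey = response.registry_data.string
        path_guesses = path_detection_windows.DetectExecutablePaths(
            [runkey], environ_vars)
        if not path_guesses:
            # Logged rather than raised: an unparseable value must not stop
            # collection of the remaining Run keys.
            self.Log("Couldn't guess path for %s", runkey)
        for path in path_guesses:
            filenames.append(
                rdf_paths.PathSpec(
                    path=path, pathtype=rdf_paths.PathSpec.PathType.TSK))

    # Only start the download flow when at least one path was guessed.
    if filenames:
        self.CallFlow("MultiGetFile", pathspecs=filenames, next_state="Done")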
def testExtractsPathsFromNonRunDllStrings(self):
    """Test it extracts paths from non-rundll strings.

    Each case pairs a command line (bare, quoted, or with trailing switches)
    with the single executable path expected to be detected from it.
    """
    cases = (
        (r"C:\Program Files\Realtek\Audio\blah.exe -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"'C:\Program Files\Realtek\Audio\blah.exe' -s",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"C:\Program Files\NVIDIA Corporation\nwiz.exe /quiet /blah",
         r"C:\Program Files\NVIDIA Corporation\nwiz.exe"),
    )
    for command_line, expected_path in cases:
        detected = list(windows.DetectExecutablePaths([command_line]))
        self.assertEqual(detected, [expected_path])
def testReplacesEnvironmentVariable(self):
    """Test it replaces environment variables.

    The mapping key is lower-cased while the command line uses
    ``%ProgramFiles%``; both the bare and the quoted form must expand to the
    same path.
    """
    env_map = {"programfiles": r"C:\Program Files"}
    expected_path = r"C:\Program Files\Realtek\Audio\blah.exe"
    command_lines = (
        r"%ProgramFiles%\Realtek\Audio\blah.exe -s",
        r"'%ProgramFiles%\Realtek\Audio\blah.exe' -s",
    )
    for command_line in command_lines:
        detected = list(
            windows.DetectExecutablePaths([command_line], env_map))
        self.assertEqual(detected, [expected_path])
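def _GetFilePaths(self, path, pathtype, kb):
    """Guess windows filenames from a commandline string.

    Args:
      path: The command line string to extract executable paths from.
      pathtype: The ``PathSpec.PathType`` stamped on every returned pathspec.
      kb: The client knowledge base used to expand Windows environment
        variables found in the command line.

    Returns:
      A list of ``rdf_paths.PathSpec``, one per guessed path; an empty list
      when no path could be guessed.
    """
    environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    path_guesses = path_detection_windows.DetectExecutablePaths(
        [path], environ_vars)
    if not path_guesses:
        # TODO(user): yield a ParserAnomaly object
        return []
    # The comprehension variable is named `guess` so it does not shadow the
    # `path` parameter (list comprehensions leak their variable into the
    # enclosing scope on Python 2).
    return [rdf_paths.PathSpec(path=guess, pathtype=pathtype)
            for guess in path_guesses]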
def testExctactsPathsFromRunDllStrings(self):
    """Test it extracts paths from rundll strings.

    For a rundll32 command line both the host executable (``rundll32.exe``)
    and the module it loads are expected in the result; order is not
    significant, so sets are compared.
    """
    cases = (
        (r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32",
         r"C:\Windows\system32\advpack.dll"),
        (r"rundll32.exe 'C:\Program Files\Realtek\Audio\blah.exe',blah",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
        (r"'rundll32.exe' 'C:\Program Files\Realtek\Audio\blah.exe',blah",
         r"C:\Program Files\Realtek\Audio\blah.exe"),
    )
    for command_line, expected_module in cases:
        detected = set(windows.DetectExecutablePaths([command_line]))
        self.assertEqual(detected, {expected_module, "rundll32.exe"})
def testReplacesEnvironmentVariablesWithMultipleMappings(self):
    """Test it replaces environment variables with multiple mappings.

    When a variable maps to several values (one ``AppData`` per user), one
    candidate path per value is expected; order is not significant, so sets
    are compared.
    """
    env_map = {
        "appdata": [
            r"C:\Users\foo\Application Data",
            r"C:\Users\bar\Application Data",
        ],
    }
    expected_paths = {
        r"C:\Users\foo\Application Data\Realtek\Audio\blah.exe",
        r"C:\Users\bar\Application Data\Realtek\Audio\blah.exe",
    }
    command_lines = (
        r"%AppData%\Realtek\Audio\blah.exe -s",
        r"'%AppData%\Realtek\Audio\blah.exe' -s",
    )
    for command_line in command_lines:
        detected = set(
            windows.DetectExecutablePaths([command_line], env_map))
        self.assertEqual(detected, expected_paths)