def grr_ls_impl(path: Optional[Text] = None,
cached: bool = False,
path_type: Text = OS) -> pd.DataFrame:
"""Lists files in the specified directory or the current directory.
Args:
path: Directory path to ls.
cached: If true, use cached filesystem instead of making call to a client.
path_type: Path type to use (one of os, tsk, registry).
Returns:
A sequence of stat entries.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path) if path else _state.cur_dir
filesystem = _get_filesystem(path_type)
if cached:
return convert.from_sequence(filesystem.cached.ls(path))
return convert.from_sequence(filesystem.ls(path))
def grr_grep_impl(pattern: Text,
path: Text,
fixed_strings: bool = False,
path_type: Text = OS,
hex_string: bool = False) -> pd.DataFrame:
"""Greps for a given content of a specified file.
Args:
pattern: Pattern to search for.
path: File path to grep.
fixed_strings: If true, interpret pattern as a fixed string (literal).
path_type: Path type to use (one of os, tsk, registry).
hex_string: If true, interpret pattern as a hex-encoded byte string.
Returns:
A list of buffer references to the matched content.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
if hex_string:
byte_pattern = binascii.unhexlify(pattern)
else:
byte_pattern = pattern.encode('utf-8')
path = _build_absolute_path(path)
filesystem = _get_filesystem(path_type)
if fixed_strings:
return convert.from_sequence(filesystem.fgrep(path, byte_pattern))
return convert.from_sequence(filesystem.grep(path, byte_pattern))
def grr_fgrep_impl(literal, path, path_type=OS, hex_string=False):
"""Greps for a given literal content of a specified file.
Is the same as running: %grr_grep -F
Args:
literal: Literal to search for.
path: File path to grep.
path_type: Path type to use (one of os, tsk, registry).
hex_string: If true, interpret pattern as a hex-encoded byte string.
Returns:
A list of buffer references to the matched content.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
if hex_string:
byte_literal = binascii.unhexlify(literal)
else:
byte_literal = literal.encode('utf-8')
path = _build_absolute_path(path)
filesystem = _get_filesystem(path_type)
return convert.from_sequence(filesystem.fgrep(path, byte_literal))
def grr_ls_impl(path=None, cached=False):
"""Lists files in the specified directory or the current directory.
Args:
path: Directory path to ls.
cached: If true, use cached filesystem instead of making call to a client.
Returns:
A sequence of stat entries.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path) if path else _state.cur_dir
if cached:
return convert.from_sequence(_state.client.cached.ls(path))
return convert.from_sequence(_state.client.ls(path))
def grr_ps_impl() -> pd.DataFrame:
"""Lists processes of the selected client.
Returns:
Sequence of processes.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
return convert.from_sequence(_state.client.ps())
def grr_grep_impl(pattern, path, fixed_strings=False):
"""Greps for a given content of a specified file.
Args:
pattern: Pattern to search for.
path: File path to grep.
fixed_strings: If true, interpret pattern as a fixed string (literal).
Returns:
A list of buffer references to the matched content.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path)
if fixed_strings:
return convert.from_sequence(_state.client.fgrep(path, pattern))
return convert.from_sequence(_state.client.grep(path, pattern))
def grr_collect_impl(artifact: Text) -> pd.DataFrame:
"""Collects specified artifact.
Args:
artifact: A name of the artifact to collect.
Returns:
A list of results that artifact collection yielded.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
return convert.from_sequence(_state.client.collect(artifact))
def grr_list_artifacts_impl() -> pd.DataFrame:
"""Lists all registered GRR artifacts.
Returns:
A list of artifact descriptors.
"""
df = convert.from_sequence(grr_colab.list_artifacts())
priority_columns = [
'artifact.name',
'artifact.doc',
'artifact.supported_os',
'artifact.labels',
]
df = convert.reindex_dataframe(df, priority_columns=priority_columns)
return df
def grr_yara_impl(signature, pids=None, regex=None):
"""Scans processes using provided YARA rule.
Args:
signature: YARA rule to run.
pids: List of pids of processes to scan.
regex: A regex to match against the process name.
Returns:
A sequence of YARA matches.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
return convert.from_sequence(_state.client.yara(signature, pids, regex))
def grr_stat_impl(path):
"""Stats the file specified.
Accepts glob expressions as a file path.
Args:
path: File path to stat.
Returns:
A sequence of stat entries.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path)
return convert.from_sequence(_state.client.glob(path))
def grr_search_clients_impl(
ip: Optional[Text] = None,
mac: Optional[Text] = None,
host: Optional[Text] = None,
user: Optional[Text] = None,
version: Optional[Text] = None,
labels: Optional[List[Text]] = None) -> pd.DataFrame:
"""Searches for clients with specified keywords.
Args:
ip: IP address.
mac: MAC address.
host: Hostname.
user: Username.
version: Client version.
labels: List of client labels.
Returns:
List of clients.
"""
clients = grr_colab.Client.search(ip=ip,
mac=mac,
host=host,
user=user,
version=version,
labels=labels)
clients_data = [_._client.data for _ in clients] # pylint: disable=protected-access
df = convert.from_sequence(clients_data)
_add_last_seen_column(df)
_add_online_status_columns(df)
priority_columns = [
'online.pretty', 'online', 'client_id', 'last_seen_ago',
'last_seen_at.pretty', 'knowledge_base.fqdn', 'os_info.version'
]
df = convert.reindex_dataframe(df, priority_columns=priority_columns)
if 'last_seen_at' in df.columns:
return df.sort_values(by='last_seen_at',
ascending=False).reset_index(drop=True)
return df
def grr_fgrep_impl(literal, path):
"""Greps for a given literal content of a specified file.
Is the same as running: %grr_grep -F
Args:
literal: Literal to search for.
path: File path to grep.
Returns:
A list of buffer references to the matched content.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path)
return convert.from_sequence(_state.client.fgrep(path, literal))
def grr_ifconfig_impl() -> pd.DataFrame:
"""Lists network interfaces of the selected client.
Returns:
Sequence of interfaces.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
df = convert.from_sequence(_state.client.ifaces)
if 'addresses' in df.columns:
for i in range(len(df['addresses'])):
if isinstance(df['addresses'][i], pd.DataFrame):
df['addresses'][i] = _add_pretty_ipaddress_column(
df['addresses'][i], 'packed_bytes')
df = _add_pretty_mac_column(df, 'mac_address')
return df
def grr_stat_impl(path: Text, path_type: Text = OS) -> pd.DataFrame:
"""Stats the file specified.
Accepts glob expressions as a file path.
Args:
path: File path to stat.
path_type: Path type to use (one of os, tsk, registry).
Returns:
A sequence of stat entries.
Raises:
NoClientSelectedError: Client is not selected to perform this operation.
"""
if _state.client is None:
raise NoClientSelectedError()
path = _build_absolute_path(path)
filesystem = _get_filesystem(path_type)
return convert.from_sequence(filesystem.glob(path))
