def GetKnowledgeBase(rdf_client_obj, allow_uninitialized=False): """Returns a knowledgebase from an rdf client object.""" if not allow_uninitialized: if rdf_client_obj is None: raise artifact_utils.KnowledgeBaseUninitializedError( "No client snapshot given.") if rdf_client_obj.knowledge_base is None: raise artifact_utils.KnowledgeBaseUninitializedError( "KnowledgeBase empty for %s." % rdf_client_obj.client_id) kb = rdf_client_obj.knowledge_base if not kb.os: raise artifact_utils.KnowledgeBaseAttributesMissingError( "KnowledgeBase missing OS for %s. Knowledgebase content: %s" % (rdf_client_obj.client_id, kb)) if rdf_client_obj is None or rdf_client_obj.knowledge_base is None: return rdf_client.KnowledgeBase() version = rdf_client_obj.os_version.split(".") kb = rdf_client_obj.knowledge_base try: kb.os_major_version = int(version[0]) if len(version) > 1: kb.os_minor_version = int(version[1]) except ValueError: pass return kb
def GetArtifactKnowledgeBase(client_obj, allow_uninitialized=False): """This generates an artifact knowledge base from a GRR client. Args: client_obj: A GRRClient object which is opened for reading. allow_uninitialized: If True we accept an uninitialized knowledge_base. Returns: A KnowledgeBase semantic value. Raises: ArtifactProcessingError: If called when the knowledge base has not been initialized. KnowledgeBaseUninitializedError: If we failed to initialize the knowledge base. This is needed so that the artifact library has a standardized interface to the data that is actually stored in the GRRClient object in the GRR datastore. We expect that the client KNOWLEDGE_BASE is already filled out through the, KnowledgeBaseInitialization flow, but attempt to make some intelligent guesses if things failed. """ client_schema = client_obj.Schema kb = client_obj.Get(client_schema.KNOWLEDGE_BASE) if not allow_uninitialized: if not kb: raise artifact_utils.KnowledgeBaseUninitializedError( "KnowledgeBase empty for %s." % client_obj.urn) if not kb.os: raise artifact_utils.KnowledgeBaseAttributesMissingError( "KnowledgeBase missing OS for %s. Knowledgebase content: %s" % (client_obj.urn, kb)) if not kb: kb = client_schema.KNOWLEDGE_BASE() SetCoreGRRKnowledgeBaseValues(kb, client_obj) if kb.os == "Windows": # Add fallback values. if not kb.environ_allusersappdata and kb.environ_allusersprofile: # Guess if we don't have it already. if kb.os_major_version >= 6: kb.environ_allusersappdata = u"c:\\programdata" kb.environ_allusersprofile = u"c:\\programdata" else: kb.environ_allusersappdata = ( u"c:\\documents and settings\\All Users\\" "Application Data") kb.environ_allusersprofile = u"c:\\documents and settings\\All Users" return kb
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") # TODO(hanuszczak): Flow arguments also appear to have some knowledgebase. # Do we use it in any way? if not self.state.knowledge_base: self.state.knowledge_base = _ReadClientKnowledgeBase( self.client_id, allow_uninitialized=True) request = GetArtifactCollectorArgs(self.args, self.state.knowledge_base) self.CollectArtifacts(request)
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") if not self.state.knowledge_base: with aff4.FACTORY.Open(self.client_id, token=self.token) as client: # If we are processing the knowledge base, it still won't exist yet. self.state.knowledge_base = artifact.GetArtifactKnowledgeBase( client, allow_uninitialized=True) request = GetArtifactCollectorArgs( self.state.knowledge_base, self.args.artifact_list, self.args.apply_parsers, self.args.ignore_interpolation_errors, self.args.use_tsk, self.args.max_file_size) self.CollectArtifacts(request)
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") if not self.state.knowledge_base: self.state.knowledge_base = _ReadClientKnowledgeBase( self.client_id, allow_uninitialized=True) for artifact_name in self.args.artifact_list: artifact_obj = self._GetArtifactFromName(artifact_name) # Ensure artifact has been written sanely. Note that this could be # removed if it turns out to be expensive. Artifact tests should catch # these. artifact_registry.Validate(artifact_obj) self.Collect(artifact_obj)
def StartCollection(self, responses): """Start collecting.""" if not responses.success: raise artifact_utils.KnowledgeBaseUninitializedError( "Attempt to initialize Knowledge Base failed.") if not self.state.knowledge_base: self.client = aff4.FACTORY.Open(self.client_id, token=self.token) # If we are processing the knowledge base, it still won't exist yet. self.state.knowledge_base = artifact.GetArtifactKnowledgeBase( self.client, allow_uninitialized=True) for artifact_name in self.args.artifact_list: artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name) # Ensure artifact has been written sanely. Note that this could be # removed if it turns out to be expensive. Artifact tests should catch # these. artifact_registry.Validate(artifact_obj) self.Collect(artifact_obj)