def testWhenFetchingFiltersOutProcessesWithoutExeAndConnectionState(self):
client_id = self.SetupClient(0)
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["test_img.dd"],
ctime=long(1333718907.167083 * 1e6))
p2 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = action_mocks.ListProcessesMock([p1, p2])
session_id = flow_test_lib.TestFlowHelper(
flow_processes.ListProcesses.__name__,
client_mock,
fetch_binaries=True,
client_id=client_id,
connection_states=["LISTEN"],
token=self.token)
# No output matched.
processes = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(processes), 0)
def Start(cls, args):
for proc in psutil.process_iter():
try:
connections = proc.connections()
except (psutil.NoSuchProcess, psutil.AccessDenied):
continue
for conn in connections:
if args.listening_only and conn.status != "LISTEN":
continue
res = rdf_client.NetworkConnection()
res.pid = proc.pid
res.process_name = proc.name()
res.family = conn.family
res.type = conn.type
try:
if conn.status:
res.state = conn.status
except ValueError:
logging.warn("Encountered unknown connection status (%s).",
conn.status)
res.local_address.ip, res.local_address.port = conn.laddr
if conn.raddr:
res.remote_address.ip, res.remote_address.port = conn.raddr
yield res
def AddListener(self, ip, port, family="INET", sock_type="SOCK_STREAM"):
"""Create a network connection."""
conn = rdf_client.NetworkConnection()
conn.state = "LISTEN"
conn.family = family
conn.type = sock_type
conn.local_address = rdf_client.NetworkEndpoint(ip=ip, port=port)
return conn
def ListNetworkConnections(self, _):
"""Returns fake connections."""
conn1 = rdf_client.NetworkConnection(
state=rdf_client.NetworkConnection.State.CLOSED,
type=rdf_client.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client.NetworkEndpoint(ip="0.0.0.0", port=22),
remote_address=rdf_client.NetworkEndpoint(ip="0.0.0.0", port=0),
pid=2136,
ctime=0)
conn2 = rdf_client.NetworkConnection(
state=rdf_client.NetworkConnection.State.LISTEN,
type=rdf_client.NetworkConnection.Type.SOCK_STREAM,
local_address=rdf_client.NetworkEndpoint(ip="192.168.1.1",
port=31337),
remote_address=rdf_client.NetworkEndpoint(ip="1.2.3.4", port=6667),
pid=1,
ctime=0)
return [conn1, conn2]
def testProcessListingFilterConnectionState(self):
client_id = self.SetupClient(0)
p1 = rdf_client.Process(pid=2,
ppid=1,
cmdline=["cmd.exe"],
exe="c:\\windows\\cmd.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="CLOSED"))
p2 = rdf_client.Process(pid=3,
ppid=1,
cmdline=["cmd2.exe"],
exe="c:\\windows\\cmd2.exe",
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="LISTEN"))
p3 = rdf_client.Process(pid=4,
ppid=1,
cmdline=["missing_exe.exe"],
ctime=long(1333718907.167083 * 1e6),
connections=rdf_client.NetworkConnection(
family="INET", state="ESTABLISHED"))
client_mock = action_mocks.ListProcessesMock([p1, p2, p3])
flow_urn = flow.GRRFlow.StartFlow(
client_id=client_id,
flow_name=flow_processes.ListProcesses.__name__,
connection_states=["ESTABLISHED", "LISTEN"],
token=self.token)
session_id = flow_test_lib.TestFlowHelper(flow_urn,
client_mock,
client_id=client_id,
token=self.token)
processes = flow.GRRFlow.ResultCollectionForFID(session_id)
self.assertEqual(len(processes), 2)
states = set()
for process in processes:
states.add(str(process.connections[0].state))
self.assertItemsEqual(states, ["ESTABLISHED", "LISTEN"])
def Start(self):
self.SendReply(rdf_client.NetworkConnection(pid=42))