def GetFiles(self, source, path_type, max_size):
"""Get a set of files."""
new_path_list = []
for path in source.attributes["paths"]:
# Interpolate any attributes from the knowledgebase.
new_path_list.extend(
artifact_utils.InterpolateKbAttributes(
path,
self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors))
action = file_finder.FileFinderAction(
action_type=file_finder.FileFinderAction.Action.DOWNLOAD,
download=file_finder.FileFinderDownloadActionOptions(
max_size=max_size))
self.CallFlow("FileFinder",
paths=new_path_list,
pathtype=path_type,
action=action,
file_size=max_size,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessFileFinderResults")
def GetRegistryValue(self, source):
"""Retrieve directly specified registry values, returning Stat objects."""
new_paths = set()
has_glob = False
for kvdict in source.attributes["key_value_pairs"]:
if "*" in kvdict["key"] or paths.GROUPING_PATTERN.search(
kvdict["key"]):
has_glob = True
if kvdict["value"]:
# This currently only supports key value pairs specified using forward
# slash.
path = "\\".join((kvdict["key"], kvdict["value"]))
else:
# If value is not set, we want to get the default value. In
# GRR this is done by specifying the key only, so this is what
# we do here.
path = kvdict["key"]
expanded_paths = artifact_utils.InterpolateKbAttributes(
path,
self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors)
new_paths.update(expanded_paths)
if has_glob:
self.CallFlow(filesystem.Glob.__name__,
paths=new_paths,
pathtype=paths.PathSpec.PathType.REGISTRY,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
else:
# We call statfile directly for keys that don't include globs because it
# is faster and some artifacts rely on getting an IOError to trigger
# fallback processing.
for new_path in new_paths:
pathspec = paths.PathSpec(
path=new_path, pathtype=paths.PathSpec.PathType.REGISTRY)
# TODO(hanuszczak): Support for old clients ends on 2021-01-01.
# This conditional should be removed after that date.
if self.client_version >= 3221:
stub = server_stubs.GetFileStat
request = rdf_client.GetFileStatRequest(pathspec=pathspec)
else:
stub = server_stubs.StatFile
request = rdf_client.ListDirRequest(pathspec=pathspec)
self.CallClient(stub,
request,
request_data={
"artifact_name":
self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollectedRegistryStatEntry")
def _InterpolatePaths(self, globs):
client = aff4.FACTORY.Open(self.client_id, token=self.token)
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
for glob in globs:
param_path = glob.SerializeToString()
for path in artifact_utils.InterpolateKbAttributes(param_path, kb):
yield path
def _GetSingleExpansion(self, value):
results = list(artifact_utils.InterpolateKbAttributes(
value, self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors))
if len(results) > 1:
raise ValueError("Interpolation generated multiple results, use a"
" list for multi-value expansions. %s yielded: %s" %
(value, results))
return results[0]
def Interpolate(self, client=None):
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
patterns = artifact_utils.InterpolateKbAttributes(self._value, kb)
for pattern in patterns:
# Normalize the component path (this allows us to resolve ../
# sequences).
pattern = utils.NormalizePath(pattern.replace("\\", "/"))
for pattern in self.InterpolateGrouping(pattern):
yield pattern
def testInterpolation(self):
"""Check we can interpolate values from the knowledge base."""
kb = rdf_client.KnowledgeBase()
# No users yet, this should raise
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes(
"test%%users.username%%test", kb))
# Now we have two users
kb.users.Append(rdf_client.KnowledgeBaseUser(username="******", uid=1))
kb.users.Append(rdf_client.KnowledgeBaseUser(username="******", uid=2))
kb.Set("environ_allusersprofile", "c:\\programdata")
paths = artifact_utils.InterpolateKbAttributes(
"test%%users.username%%test", kb)
paths = list(paths)
self.assertEqual(len(paths), 2)
self.assertItemsEqual(paths, ["testjoetest", "testjimtest"])
paths = artifact_utils.InterpolateKbAttributes(
"%%environ_allusersprofile%%\\a", kb)
self.assertEqual(list(paths), ["c:\\programdata\\a"])
# Check a bad attribute raises
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("%%nonexistent%%\\a", kb))
# Empty values should also raise
kb.Set("environ_allusersprofile", "")
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes(
"%%environ_allusersprofile%%\\a", kb))
# No users have temp defined, so this should raise
self.assertRaises(
artifact_utils.KnowledgeBaseInterpolationError, list,
artifact_utils.InterpolateKbAttributes("%%users.temp%%\\a", kb))
# One user has users.temp defined, the others do not. This is common on
# windows where users have been created but have never logged in. We should
# get just one value back.
kb.users.Append(
rdf_client.KnowledgeBaseUser(
username="******",
uid=1,
temp="C:\\Users\\jason\\AppData\\Local\\Temp"))
paths = artifact_utils.InterpolateKbAttributes(r"%%users.temp%%\abcd",
kb)
self.assertItemsEqual(paths,
["C:\\Users\\jason\\AppData\\Local\\Temp\\abcd"])
def WMIQuery(self, source):
"""Run a Windows WMI Query."""
query = source.attributes["query"]
queries = artifact_utils.InterpolateKbAttributes(
query, self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors)
base_object = source.attributes.get("base_object")
for query in queries:
self.CallClient(
"WmiQuery", query=query, base_object=base_object,
request_data={"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()},
next_state="ProcessCollected"
)
def InterpolateList(self, input_list):
"""Interpolate all items from a given source array.
Args:
input_list: list of values to interpolate
Returns:
original list of values extended with strings interpolated
"""
new_args = []
for value in input_list:
if isinstance(value, basestring):
results = list(artifact_utils.InterpolateKbAttributes(
value, self.state.knowledge_base,
ignore_errors=self.args.ignore_interpolation_errors))
new_args.extend(results)
else:
new_args.extend(value)
return new_args
def GetRegistryValue(self, source):
"""Retrieve directly specified registry values, returning Stat objects."""
new_paths = set()
has_glob = False
for kvdict in source.attributes["key_value_pairs"]:
if "*" in kvdict["key"] or paths.GROUPING_PATTERN.search(
kvdict["key"]):
has_glob = True
# This currently only supports key value pairs specified using forward
# slash.
path = "\\".join((kvdict["key"], kvdict["value"]))
expanded_paths = artifact_utils.InterpolateKbAttributes(
path, self.state.knowledge_base)
new_paths.update(expanded_paths)
if has_glob:
self.CallFlow("Glob",
paths=new_paths,
pathtype=paths.PathSpec.PathType.REGISTRY,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
else:
# We call statfile directly for keys that don't include globs because it
# is faster and some artifacts rely on getting an IOError to trigger
# fallback processing.
for new_path in new_paths:
pathspec = paths.PathSpec(
path=new_path, pathtype=paths.PathSpec.PathType.REGISTRY)
self.CallClient("StatFile",
pathspec=pathspec,
request_data={
"artifact_name":
self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollectedRegistryStatEntry")
def GetRegistryValue(self, source):
"""Retrieve directly specified registry values, returning Stat objects."""
new_paths = set()
for kvdict in source.attributes["key_value_pairs"]:
# TODO(user): this needs to be improved to support globbing for both
# key and value, and possibly also support forward slash.
path = "\\".join((kvdict["key"], kvdict["value"]))
expanded_paths = artifact_utils.InterpolateKbAttributes(
path, self.state.knowledge_base)
new_paths.update(expanded_paths)
for new_path in new_paths:
pathspec = paths.PathSpec(
path=new_path, pathtype=paths.PathSpec.PathType.REGISTRY)
self.CallClient("StatFile",
pathspec=pathspec,
request_data={
"artifact_name": self.current_artifact_name,
"source": source.ToPrimitiveDict()
},
next_state="ProcessCollected")
def Interpolate(self, client=None):
try:
kb = client.Get(client.Schema.KNOWLEDGE_BASE)
if not kb:
raise artifact_utils.KnowledgeBaseInterpolationError(
"Client has no knowledge base")
patterns = artifact_utils.InterpolateKbAttributes(self._value, kb)
except artifact_utils.KnowledgeBaseInterpolationError:
# TODO(user): Deprecate InterpolateClientAttributes() support and
# make KnowledgeBase the default and only option as soon as we're
# confident that it's fully populated.
logging.debug(
"Can't interpolate glob %s with knowledge base attributes, "
"reverting to client attributes.", utils.SmartUnicode(self))
patterns = self.InterpolateClientAttributes(client=client)
for pattern in patterns:
# Normalize the component path (this allows us to resolve ../
# sequences).
pattern = utils.NormalizePath(pattern.replace("\\", "/"))
for pattern in self.InterpolateGrouping(pattern):
yield pattern
