def testGrepLength(self):
data = "X" * 100 + "HIT"
MockVFSHandlerFind.filesystem[self.filename] = data
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), 1)
self.assertEqual(result[0].offset, 100)
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
request.length = 100
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), 0)
def ContentsLiteralMatchCondition(self, response, condition_options,
condition_index):
"""Applies literal match condition to responses."""
if not (self.args.process_non_regular_files or
stat.S_ISREG(response.stat_entry.st_mode)):
return
options = condition_options.contents_literal_match
grep_spec = rdf_client.GrepSpec(
target=response.stat_entry.pathspec,
literal=options.literal,
mode=options.mode,
start_offset=options.start_offset,
length=options.length,
bytes_before=options.bytes_before,
bytes_after=options.bytes_after,
xor_in_key=options.xor_in_key,
xor_out_key=options.xor_out_key)
self.CallClient(
server_stubs.Grep,
request=grep_spec,
next_state="ProcessGrep",
request_data=dict(
original_result=response, condition_index=condition_index + 1))
def testGrepOffset(self):
data = "X" * 10 + "HIT" + "X" * 100
MockVFSHandlerFind.filesystem[self.filename] = data
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
result = self.RunAction("Grep", request)
self.assertEqual(len(result), 1)
self.assertEqual(result[0].offset, 10)
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 5
result = self.RunAction("Grep", request)
self.assertEqual(len(result), 1)
# This should still report 10.
self.assertEqual(result[0].offset, 10)
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 11
result = self.RunAction("Grep", request)
self.assertEqual(len(result), 0)
def Grep(self, responses):
"""Run Grep on memory device pathspec."""
if not responses.success:
raise flow.FlowError("Error while loading memory driver: %s" %
responses.status.error_message)
memory_information = responses.First()
# Coerce the BareGrepSpec into a GrepSpec explicitly.
grep_request = rdf_client.GrepSpec(target=memory_information.device,
**self.args.grep.AsDict())
# For literal matches we xor the search term. This stops us matching the GRR
# client itself.
if self.args.grep.literal:
grep_request.literal = utils.Xor(
utils.SmartStr(self.args.grep.literal), self.XOR_IN_KEY)
self.CallClient("Grep", request=grep_request, next_state="Done")
def testGrepRegex(self):
# Use the real file system.
vfs.VFSInit().Run()
request = rdf_client.GrepSpec(
regex="1[0]",
xor_out_key=self.XOR_OUT_KEY,
start_offset=0,
target=rdf_paths.PathSpec(path=os.path.join(
self.base_path, "numbers.txt"),
pathtype=rdf_paths.PathSpec.PathType.OS))
result = self.RunAction(searching.Grep, request)
hits = [x.offset for x in result]
self.assertEqual(hits, [
18, 288, 292, 296, 300, 304, 308, 312, 316, 320, 324, 329, 729,
1129, 1529, 1929, 2329, 2729, 3129, 3529, 3888
])
for x in result:
self.assertTrue("10" in utils.Xor(x.data, self.XOR_OUT_KEY))
def testGrep(self):
# Use the real file system.
vfs.VFSInit().Run()
request = rdf_client.GrepSpec(literal=utils.Xor("10", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = os.path.join(self.base_path, "numbers.txt")
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
result = self.RunAction("Grep", request)
hits = [x.offset for x in result]
self.assertEqual(hits, [
18, 288, 292, 296, 300, 304, 308, 312, 316, 320, 324, 329, 729,
1129, 1529, 1929, 2329, 2729, 3129, 3529, 3888
])
for x in result:
self.assertTrue("10" in utils.Xor(x.data, self.XOR_OUT_KEY))
self.assertEqual(request.target.path, x.pathspec.path)
def Grep(self, responses):
if responses.success:
# Grep not specified - just list all hits.
if not self.args.grep:
msgs = [rdf_client.BufferReference(pathspec=r.pathspec)
for r in responses]
self.CallStateInline(messages=msgs, next_state="WriteHits")
else:
# Grep specification given, ask the client to grep the files.
for response in responses:
# Only fetch regular files here.
if not stat.S_ISDIR(response.st_mode):
# Cast the BareGrepSpec to a GrepSpec type.
request = rdf_client.GrepSpec(target=response.pathspec,
**self.args.grep.AsDict())
self.CallClient("Grep",
request=request,
next_state="WriteHits",
request_data=dict(pathspec=response.pathspec))
def testHitLimit(self):
limit = searching.Grep.HIT_LIMIT
hit = "x" * 10 + "HIT" + "x" * 10
data = hit * (limit + 100)
MockVFSHandlerFind.filesystem[self.filename] = data
request = rdf_client.GrepSpec(literal=utils.Xor(
"HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
request.bytes_before = 10
request.bytes_after = 10
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), limit + 1)
error = "maximum number of hits"
self.assertTrue(error in utils.Xor(result[-1].data, self.XOR_OUT_KEY))
def ContentsRegexMatchCondition(self, response, condition_options,
condition_index):
"""Applies contents regex condition to responses."""
if not (self.args.no_file_type_check
or stat.S_ISREG(response.stat_entry.st_mode)):
return
options = condition_options.contents_regex_match
grep_spec = rdf_client.GrepSpec(target=response.stat_entry.pathspec,
regex=options.regex,
mode=options.mode,
start_offset=options.start_offset,
length=options.length,
bytes_before=options.bytes_before,
bytes_after=options.bytes_after)
self.CallClient("Grep",
request=grep_spec,
next_state="ProcessGrep",
request_data=dict(original_result=response,
condition_index=condition_index + 1))
def testBufferBoundaries(self):
for offset in xrange(-20, 20):
data = "X" * (1000 + offset) + "HIT" + "X" * 100
MockVFSHandlerFind.filesystem[self.filename] = data
request = rdf_client.GrepSpec(
literal=utils.Xor("HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), 1)
self.assertEqual(result[0].offset, 1000 + offset)
expected = "X" * 10 + "HIT" + "X" * 10
self.assertEqual(result[0].length, len(expected))
self.assertEqual(utils.Xor(result[0].data, self.XOR_OUT_KEY), expected)
def testGrepEverywhere(self):
for offset in xrange(500):
data = "X" * offset + "HIT" + "X" * (500 - offset)
MockVFSHandlerFind.filesystem[self.filename] = data
request = rdf_client.GrepSpec(
literal=utils.Xor("HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
request.bytes_before = 10
request.bytes_after = 10
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), 1)
self.assertEqual(result[0].offset, offset)
expected = data[max(0, offset - 10):offset + 3 + 10]
self.assertEqual(result[0].length, len(expected))
self.assertEqual(utils.Xor(result[0].data, self.XOR_OUT_KEY), expected)
def testSnippetSize(self):
data = "X" * 100 + "HIT" + "X" * 100
MockVFSHandlerFind.filesystem[self.filename] = data
for before in [50, 10, 1, 0]:
for after in [50, 10, 1, 0]:
request = rdf_client.GrepSpec(
literal=utils.Xor("HIT", self.XOR_IN_KEY),
xor_in_key=self.XOR_IN_KEY,
xor_out_key=self.XOR_OUT_KEY)
request.target.path = self.filename
request.target.pathtype = rdf_paths.PathSpec.PathType.OS
request.start_offset = 0
request.bytes_before = before
request.bytes_after = after
result = self.RunAction(searching.Grep, request)
self.assertEqual(len(result), 1)
self.assertEqual(result[0].offset, 100)
expected = "X" * before + "HIT" + "X" * after
self.assertEqual(result[0].length, len(expected))
self.assertEqual(utils.Xor(result[0].data, self.XOR_OUT_KEY), expected)
