def testWMIArtifact(self, registry): """Test collecting a WMI artifact.""" registry.AddFileSource(self.test_artifacts_file) artifact = registry.GetArtifact("WMIActiveScriptEventConsumer") ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0]) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[ext_art], knowledge_base=None, ignore_interpolation_errors=True, apply_parsers=False) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] self.assertIsInstance(result, rdf_artifact.ClientArtifactCollectorResult) coll = artifact_collector.ArtifactCollector() coll.knowledge_base = None coll.ignore_interpolation_errors = True expected = rdf_client_action.WMIRequest( query="SELECT * FROM ActiveScriptEventConsumer", base_object="winmgmts:\\root\\subscription") for action, request in coll._ProcessWmiSource(ext_src): self.assertEqual(request, expected) self.assertEqual(action, self.windows.WmiQueryFromClient) self.windows.WmiQueryFromClient.assert_called_with(request)
def testMultipleArtifacts(self, registry): """Test collecting multiple artifacts.""" client_test_lib.Command("/usr/bin/dpkg", args=["--list"], system="Linux") registry.AddFileSource(self.test_artifacts_file) artifact = registry.GetArtifact("TestCmdArtifact") ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0]) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) request.artifacts.append(ext_art) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifacts = list(result.collected_artifacts) self.assertEqual(len(collected_artifacts), 2) self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact") self.assertEqual(collected_artifacts[1].name, "TestCmdArtifact") execute_response_1 = collected_artifacts[0].action_results[0].value execute_response_2 = collected_artifacts[1].action_results[0].value self.assertGreater(execute_response_1.time_used, 0) self.assertGreater(execute_response_2.time_used, 0)
def testFilterRequestedArtifactResults(self, registry): """Test that only artifacts requested by the user are sent to the server.""" client_test_lib.Command("/usr/bin/dpkg", args=["--list"], system="Linux") registry.AddFileSource(self.test_artifacts_file) artifact = registry.GetArtifact("TestCmdArtifact") ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0]) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src], requested_by_user=False) request.artifacts.append(ext_art) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifacts = list(result.collected_artifacts) self.assertEqual(len(collected_artifacts), 1) self.assertEqual(collected_artifacts[0].name, "TestCmdArtifact") execute_response = collected_artifacts[0].action_results[0].value self.assertGreater(execute_response.time_used, 0)
def InitializeRequest(self, initial_knowledge_base=None, provides=None): """Prepare ClientArtifactCollectorArgs.""" expanded_source = rdf_artifact.ExpandedSource() expanded_artifact = rdf_artifact.ExpandedArtifact( name="EmptyArtifact", sources=[expanded_source], provides=provides) return rdf_artifact.ClientArtifactCollectorArgs( artifacts=[expanded_artifact], knowledge_base=initial_knowledge_base)
def testRegistryValueArtifact(self): """Test the basic Registry Value collection.""" with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.REGISTRY, vfs_test_lib.FakeRegistryVFSHandler): with vfs_test_lib.VFSOverrider(rdf_paths.PathSpec.PathType.OS, vfs_test_lib.FakeFullVFSHandler): source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.REGISTRY_VALUE, attributes={ "key_value_pairs": [{ "key": (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet" r"\Control\Session Manager"), "value": "BootExecute" }] }) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="FakeRegistryValue", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[ext_art], apply_parsers=False) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = list(result.collected_artifacts)[0] file_stat = list(collected_artifact.action_results)[0].value self.assertTrue(isinstance(file_stat, rdf_client_fs.StatEntry)) urn = file_stat.pathspec.AFF4Path(self.SetupClient(0)) self.assertTrue(str(urn).endswith("BootExecute"))
def testGRRClientActionEnumerateUsers(self): """Test the GRR Client Action EnumerateUsers.""" def MockedOpen(requested_path, mode="rb"): try: fixture_path = os.path.join(self.base_path, "VFSFixture", requested_path.lstrip("/")) return __builtin__.open.old_target(fixture_path, mode) except IOError: return __builtin__.open.old_target(requested_path, mode) source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="TestClientActionArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) source.attributes["client_action"] = "EnumerateUsers" with utils.MultiStubber((__builtin__, "open", MockedOpen), (glob, "glob", lambda x: ["/var/log/wtmp"])): result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = result.collected_artifacts[0] self.assertEqual(len(collected_artifact.action_results), 4) for action_result in collected_artifact.action_results: value = action_result.value self.assertIsInstance(value, rdf_client.User) if value.username not in ["user1", "user2", "user3", "utuser"]: self.fail("Unexpected user found: %s" % result.username)
def GetRequest(self, source, artifact_name): expanded_source = rdf_artifact.ExpandedSource(base_source=source) expanded_artifact = rdf_artifact.ExpandedArtifact( name=artifact_name, sources=[expanded_source]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[expanded_artifact], apply_parsers=False) return request
def testCmdArtifactAction(self): """Test the actual client action with parsers.""" client_test_lib.Command("/bin/echo", args=["1"]) source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.COMMAND, attributes={ "cmd": "/bin/echo", "args": ["1"] }) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact(name="TestEchoCmdArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[ext_art], knowledge_base=None, ignore_interpolation_errors=True, apply_parsers=True) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] self.assertIsInstance(result, rdf_artifact.ClientArtifactCollectorResult) self.assertTrue(len(result.collected_artifacts), 1) res = result.collected_artifacts[0].action_results[0].value self.assertIsInstance(res, rdf_client.SoftwarePackage) self.assertEqual(res.description, "1\n")
def testGRRClientActionOSXEnumerateRunningServices(self): """Test the GRR Client Action OSXEnumerateRunningServices.""" source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="TestClientActionArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) source.attributes["client_action"] = "OSXEnumerateRunningServices" with self.assertRaises(ValueError): self.RunAction(artifact_collector.ArtifactCollector, request)
def _ExpandArtifactFilesSource(self, source, requested): """Recursively expands an artifact files source.""" expanded_source = rdf_artifacts.ExpandedSource(base_source=source) sub_sources = [] artifact_list = [] if "artifact_list" in source.attributes: artifact_list = source.attributes["artifact_list"] for artifact_name in artifact_list: if artifact_name in self.processed_artifacts: continue artifact_obj = artifact_registry.REGISTRY.GetArtifact(artifact_name) for expanded_artifact in self.Expand(artifact_obj, requested): sub_sources.extend(expanded_artifact.sources) expanded_source.artifact_sources = sub_sources expanded_source.path_type = self._path_type return [expanded_source]
def testGRRClientActionGetHostname(self): """Test the GRR Client Action GetHostname.""" source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="TestClientActionArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) source.attributes["client_action"] = "GetHostname" result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = result.collected_artifacts[0] for action_result in collected_artifact.action_results: value = action_result.value self.assertTrue(value.string)
def testUnsupportedSourceType(self, registry): """Test that an unsupported source type raises an Error.""" registry.AddFileSource(self.test_artifacts_file) artifact = registry.GetArtifact("TestAggregationArtifact") ext_src = rdf_artifact.ExpandedSource(base_source=artifact.sources[0]) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[ext_art], knowledge_base=None, ignore_interpolation_errors=True, apply_parsers=False) # The type ARTIFACT_GROUP will raise an error because the group should have # been expanded on the server. with self.assertRaises(ValueError): self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListNetworkConnections(self): """Test the GRR Client Action ListNetworkConnections.""" source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="TestClientActionArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) source.attributes["client_action"] = "ListNetworkConnections" result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = result.collected_artifacts[0] for action_result in collected_artifact.action_results: value = action_result.value self.assertIsInstance(value, rdf_client_network.NetworkConnection)
def testTSKRaiseValueError(self, registry): """Test Raise Error if path type is not OS.""" registry.AddFileSource(self.test_artifacts_file) ext_src = rdf_artifact.ExpandedSource( path_type=rdf_paths.PathSpec.PathType.TSK) ext_art = rdf_artifact.ExpandedArtifact(name="TestArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) artifact = registry.GetArtifact("FakeFileArtifact") ext_src.base_source = artifact.sources[0] with self.assertRaises(ValueError): self.RunAction(artifact_collector.ArtifactCollector, request) artifact = registry.GetArtifact("BadPathspecArtifact") ext_src.base_source = artifact.sources[0] with self.assertRaises(ValueError): self.RunAction(artifact_collector.ArtifactCollector, request)
def testGRRClientActionListProcesses(self): """Test the GRR Client Action ListProcesses.""" def ProcessIter(): return iter([client_test_lib.MockWindowsProcess()]) source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.GRR_CLIENT_ACTION) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="TestClientActionArtifact", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) source.attributes["client_action"] = "ListProcesses" with utils.Stubber(psutil, "process_iter", ProcessIter): result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = result.collected_artifacts[0] value = collected_artifact.action_results[0].value self.assertIsInstance(value, rdf_client.Process) self.assertEqual(value.pid, 10)
def testCommandArtifact(self, registry): """Test the basic ExecuteCommand action.""" client_test_lib.Command("/usr/bin/dpkg", args=["--list"], system="Linux") registry.AddFileSource(self.test_artifacts_file) artifact = registry.GetArtifact("TestCmdArtifact") ext_src = rdf_artifact.ExpandedSource( base_source=list(artifact.sources)[0]) ext_art = rdf_artifact.ExpandedArtifact(name=artifact.name, sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs(artifacts=[ext_art], apply_parsers=False) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] collected_artifact = list(result.collected_artifacts)[0] execute_response = list(collected_artifact.action_results)[0].value self.assertEqual(collected_artifact.name, "TestCmdArtifact") self.assertTrue(execute_response.time_used > 0)
def testFakeFileArtifactActionProcessTogether(self): """Test collecting a file artifact and parsing the responses together.""" file_path = os.path.join(self.base_path, "numbers.txt") source = rdf_artifact.ArtifactSource( type=rdf_artifact.ArtifactSource.SourceType.FILE, attributes={"paths": [file_path]}) ext_src = rdf_artifact.ExpandedSource(base_source=source) ext_art = rdf_artifact.ExpandedArtifact( name="FakeFileArtifact2", sources=[ext_src]) request = rdf_artifact.ClientArtifactCollectorArgs( artifacts=[ext_art], knowledge_base=None, ignore_interpolation_errors=True, apply_parsers=True) result = self.RunAction(artifact_collector.ArtifactCollector, request)[0] self.assertEqual(len(result.collected_artifacts[0].action_results), 1) res = result.collected_artifacts[0].action_results[0].value self.assertIsInstance(res, rdf_protodict.AttributedDict) self.assertEqual(len(res.users), 1000) self.assertEqual(res.filename, file_path)
def _ExpandBasicSource(self, source): expanded_source = rdf_artifacts.ExpandedSource( base_source=source, path_type=self._path_type, max_bytesize=self._max_file_size) return [expanded_source]