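    def ParseRunKeys(self, responses):
        """Get filenames from the RunKeys and download the files.

        Each response carries a registry value string read from a Run key on
        the client. That string is resolved to candidate executable paths with
        the client's knowledge base (Windows environment variables), and every
        candidate is fetched through the MultiGetFile flow as a TSK pathspec.

        Args:
          responses: Iterable of responses whose ``registry_data.string`` holds
            the Run key value to resolve.
        """
        client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
        kb = artifact.GetArtifactKnowledgeBase(client)
        # The variable map depends only on the knowledge base, so build it once
        # instead of once per response.
        environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        filenames = []
        for response in responses:
            # Registry data comes straight from the client and is untrusted;
            # it is only ever used as input to path detection, never executed.
            runkey = response.registry_data.string
            path_guesses = path_detection_windows.DetectExecutablePaths(
                [runkey], environ_vars)

            if not path_guesses:
                self.Log("Couldn't guess path for %s", runkey)
                continue

            # Collect every guess: an ambiguous command line may resolve to
            # several locations and dropping one could lose the real binary.
            filenames.extend(
                rdf_paths.PathSpec(
                    path=path, pathtype=rdf_paths.PathSpec.PathType.TSK)
                for path in path_guesses)

        if filenames:
            self.CallFlow("MultiGetFile",
                          pathspecs=filenames,
                          next_state="Done")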
  def testKnowledgeBaseRootAttributesGetMappedCorrectly(self):
    """Root-level environ_* attributes map to lowercase Windows variable names.

    Also checks the two derived aliases present in the expected mapping:
    "programdata" mirrors allusersprofile and "programw6432" mirrors
    programfiles.
    """
    root_attrs = {
        "environ_path": "the_path",
        "environ_temp": "the_temp",
        "environ_systemroot": "the_systemroot",
        "environ_windir": "the_windir",
        "environ_programfiles": "the_programfiles",
        "environ_programfilesx86": "the_programfilesx86",
        "environ_systemdrive": "the_systemdrive",
        "environ_allusersprofile": "the_allusersprofile",
        "environ_allusersappdata": "the_allusersappdata",
    }
    kb = rdf_client.KnowledgeBase(**root_attrs)

    expected = {
        "allusersappdata": "the_allusersappdata",
        "allusersprofile": "the_allusersprofile",
        "path": "the_path",
        "programdata": "the_allusersprofile",
        "programfiles": "the_programfiles",
        "programfiles(x86)": "the_programfilesx86",
        "programw6432": "the_programfiles",
        "systemdrive": "the_systemdrive",
        "systemroot": "the_systemroot",
        "temp": "the_temp",
        "windir": "the_windir",
    }

    actual = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    self.assertEqual(actual, expected)
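  def _GetFilePaths(self, path, pathtype, kb):
    """Guess windows filenames from a commandline string.

    Args:
      path: Command-line string to resolve into executable paths.
      pathtype: PathSpec.PathType stamped on every returned pathspec.
      kb: KnowledgeBase used to expand Windows environment variables.

    Returns:
      A list of rdf_paths.PathSpec objects, one per guessed executable path,
      or an empty list when nothing could be guessed.
    """
    environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
    path_guesses = path_detection_windows.DetectExecutablePaths(
        [path], environ_vars)

    if not path_guesses:
      # TODO(user): yield a ParserAnomaly object
      return []

    # Distinct loop name so the guesses are not confused with the `path`
    # argument they were derived from.
    return [rdf_paths.PathSpec(path=guess, pathtype=pathtype)
            for guess in path_guesses]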
    def testKnowlegeBaseUsersAttributesExpandIntoLists(self):
        """Per-user attributes are gathered into one list per variable name.

        Two users are added to the knowledge base; each of their appdata,
        localappdata, userdomain and userprofile values must appear, in user
        order, under the corresponding lowercase key of the mapping.
        """
        kb = rdf_client.KnowledgeBase()
        for suffix in ("1", "2"):
            kb.users.append(
                rdf_client.User(appdata="the_appdata_%s" % suffix,
                                localappdata="the_localappdata_%s" % suffix,
                                userdomain="the_userdomain_%s" % suffix,
                                userprofile="the_userprofile_%s" % suffix))

        mapping = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)

        expected = {
            "appdata": ["the_appdata_1", "the_appdata_2"],
            "localappdata": ["the_localappdata_1", "the_localappdata_2"],
            "userdomain": ["the_userdomain_1", "the_userdomain_2"],
            "userprofile": ["the_userprofile_1", "the_userprofile_2"],
        }
        self.assertEqual(mapping, expected)