def testMemoryImageLiteralMatchConditionWithSendToSocketAction(self):
literal_condition = memory.MemoryCollectorCondition(
condition_type=memory.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=file_finder.FileFinderContentsLiteralMatchCondition(
mode=file_finder.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
literal="session opened for user dearjohn"))
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_urn, encrypted, decrypted = self.RunWithSendToSocket(
dump_option, conditions=[literal_condition])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
self.assertEqual(len(output), 1)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(
output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump)
def testMemoryImageLiteralMatchConditionWithDownloadAction(self):
literal_condition = memory.MemoryCollectorCondition(
condition_type=memory.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=file_finder.FileFinderContentsLiteralMatchCondition(
mode=
file_finder.FileFinderContentsLiteralMatchCondition.Mode.ALL_HITS,
bytes_before=10,
bytes_after=10,
literal="session opened for user dearjohn"))
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option, conditions=[literal_condition])
# Check that matches are in the collection
output = aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# First item of the collection is the BufferReference, second is the
# path of the downloaded
self.assertEqual(len(output), 2)
self.assertEqual(output[0].offset, 350)
self.assertEqual(output[0].length, 52)
self.assertEqual(output[0].data, "session): session opened for user "
"dearjohn by (uid=0")
self.assertTrue(isinstance(output[1], rdf_client.StatEntry))
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("temp").Add(flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file, token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
def testMemoryImageLocalCopyNoSpace(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
gzip=False, destdir="/opt/tmp/testing"))
self.assertRaises(RuntimeError, self.RunWithDownload, dump_option)
def testDoesNothingWhenConditionDoesNotMatch(self):
literal_condition = memory.MemoryCollectorCondition(
condition_type=memory.MemoryCollectorCondition.Type.LITERAL_MATCH,
literal_match=file_finder.FileFinderContentsLiteralMatchCondition(
mode=file_finder.FileFinderContentsLiteralMatchCondition.Mode.
ALL_HITS,
bytes_before=10,
bytes_after=10,
literal="session opened for user foobar"))
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
gzip=False))
flow_obj = self.RunWithDownload(dump_option,
conditions=[literal_condition])
# Check that there are no matches
with self.assertRaises(aff4.InstantiationError):
aff4.FACTORY.Open(self.client_id.Add(self.output_path),
aff4_type="RDFValueCollection",
token=self.token)
# Assert nothing got downloaded
self.assertTrue("dest_path" not in flow_obj.state)
self.assertTrue("downloaded_file" not in flow_obj.state)
def testLinuxChecksDiskSpace(self):
client = aff4.FACTORY.Create(self.client_id,
"VFSGRRClient",
token=self.token)
client.Set(client.Schema.SYSTEM("Linux"))
client.Set(client.Schema.MEMORY_SIZE(64 * 1024 * 1024 * 1024))
client.Close()
class LinuxClientMock(action_mocks.ActionMock):
"""A mock which returns low disk space."""
def CheckFreeGRRTempSpace(self, _):
"""Mock out the driver loading code to pass the memory image."""
path = tempfiles.GetDefaultGRRTempDirectory()
reply = rdf_client.DiskUsage(path=path,
total=10 * 1024 * 1024 * 1024,
used=5 * 1024 * 1024 * 1024,
free=5 * 1024 * 1024 * 1024)
return [reply]
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
check_disk_free_space=True))
self.client_mock = LinuxClientMock()
e = self.assertRaises(RuntimeError)
with e:
self.RunWithDownload(dump_option)
self.assertIn("Free space may be too low", str(e.exception))
def testMemoryImageWithoutLocalCopyDownload(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type="WITHOUT_LOCAL_COPY")
flow_obj = self.RunWithDownload(dump_option)
self.assertEqual(flow_obj.state.memory_src_path.path, self.memory_file)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file, token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
def testMemoryImageWithoutLocalCopySendToSocket(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type="WITHOUT_LOCAL_COPY")
(flow_urn, encrypted, decrypted) = self.RunWithSendToSocket(dump_option)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump)
def testMemoryImageLocalCopyDownloadWithOffsetAndLength(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
offset=10, length=42, gzip=False))
flow_obj = self.RunWithDownload(dump_option)
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("temp").Add(flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file, token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump[10:52])
def testMemoryImageLocalCopySendToSocketWithOffsetAndLength(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
offset=10, length=42, gzip=False))
flow_urn, encrypted, decrypted = self.RunWithSendToSocket(dump_option)
flow_obj = aff4.FACTORY.Open(flow_urn, token=self.token)
# There was a local file, so dest_path should not be empty
self.assertTrue(flow_obj.state.memory_src_path is not None)
# Data should be encrypted, so they're not equal
self.assertNotEqual(encrypted, self.memory_dump)
# Decrypted data should be equal to the memory dump
self.assertEqual(decrypted, self.memory_dump[10:52])
def testMemoryImageLocalCopyDownload(self):
dump_option = memory.MemoryCollectorDumpOption(
option_type=memory.MemoryCollectorDumpOption.Option.
WITH_LOCAL_COPY,
with_local_copy=memory.MemoryCollectorWithLocalCopyDumpOption(
gzip=False, check_disk_free_space=False))
flow_obj = self.RunWithDownload(dump_option)
self.assertTrue(flow_obj.state.memory_src_path is not None)
self.assertEqual(
flow_obj.state.downloaded_file,
self.client_id.Add("fs/os").Add(
flow_obj.state.memory_src_path.path))
fd = aff4.FACTORY.Open(flow_obj.state.downloaded_file,
token=self.token)
self.assertEqual(fd.Read(1024 * 1024), self.memory_dump)
