def testLiteralMatchConditionWithDifferentActions(self): expected_files = ["auth.log"] non_expected_files = ["dpkg.log", "dpkg_false.log"] match = rdf_file_finder.FileFinderContentsLiteralMatchCondition( mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode. ALL_HITS, bytes_before=10, bytes_after=10, literal="session opened for user dearjohn") literal_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=match) for action in self.CONDITION_TESTS_ACTIONS: results = self.RunFlowAndCheckResults( action=action, conditions=[literal_condition], expected_files=expected_files, non_expected_files=non_expected_files) # Check that the results' matches fields are correctly filled. self.assertEqual(len(results), 1) self.assertEqual(len(results[0].matches), 1) self.assertEqual(results[0].matches[0].offset, 350) self.assertEqual( results[0].matches[0].data, "session): session opened for user dearjohn by (uid=0")
def testFindsKeyWithLiteralAndModificationTimeConditions(self): modification_time = rdf_file_finder.FileFinderModificationTimeCondition( min_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch( 1247546054 - 1), max_last_modified_time=rdfvalue.RDFDatetime.FromSecondsSinceEpoch( 1247546054 + 1)) vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition( bytes_before=10, bytes_after=10, literal="Windows Sidebar\\Sidebar.exe") client_id = self.SetupClient(0) session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. MODIFICATION_TIME, modification_time=modification_time), registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_LITERAL_MATCH, value_literal_match=vlm) ]) results = self.GetResults(session_id) self.assertEqual(len(results), 1) # We expect Sidebar and MctAdmin keys here (see # test_data/client_fixture.py). self.assertEqual( results[0].stat_entry.AFF4Path(client_id), "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/" "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar")
def testLiteralMatchConditionWithHexEncodedValue(self): match = rdf_file_finder.FileFinderContentsLiteralMatchCondition( mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode. FIRST_HIT, bytes_before=10, bytes_after=10, literal=b"\x4D\x5A\x90") literal_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=match) paths = [ os.path.join(os.path.dirname(self.fixture_path), "win_hello.exe") ] results = self.RunFlow(paths=paths, conditions=[literal_condition]) # Check that the results' matches fields are correctly filled. Expecting a # match from win_hello.exe self.assertLen(results, 1) self.assertLen(results[0].matches, 1) self.assertEqual(results[0].matches[0].offset, 0) self.assertEqual(results[0].matches[0].data, b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff")
def testFindsKeyIfItMatchesLiteralMatchCondition(self): vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition( bytes_before=10, bytes_after=10, literal="Windows Sidebar\\Sidebar.exe") client_id = self.SetupClient(0) session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_LITERAL_MATCH, value_literal_match=vlm) ]) results = self.GetResults(session_id) self.assertEqual(len(results), 1) self.assertEqual(len(results[0].matches), 1) self.assertEqual(results[0].matches[0].offset, 15) self.assertEqual(results[0].matches[0].data, "ramFiles%\\Windows Sidebar\\Sidebar.exe /autoRun") self.assertEqual( results[0].stat_entry.AFF4Path(client_id), "aff4:/C.1000000000000000/registry/HKEY_USERS/S-1-5-20/" "Software/Microsoft/Windows/CurrentVersion/Run/Sidebar") self.assertEqual( results[0].stat_entry.pathspec.path, "/HKEY_USERS/S-1-5-20/Software/Microsoft/Windows/" "CurrentVersion/Run/Sidebar") self.assertEqual(results[0].stat_entry.pathspec.pathtype, rdf_paths.PathSpec.PathType.REGISTRY)
def testLiteralMatchConditionWithHexEncodedValue(self): match = rdf_file_finder.FileFinderContentsLiteralMatchCondition( mode=rdf_file_finder.FileFinderContentsLiteralMatchCondition.Mode. FIRST_HIT, bytes_before=10, bytes_after=10, literal="\x4D\x5A\x90") literal_condition = rdf_file_finder.FileFinderCondition( condition_type=rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH, contents_literal_match=match) paths = [os.path.join(os.path.dirname(self.fixture_path), "hello.exe")] session_id = flow_test_lib.TestFlowHelper( file_finder.FileFinder.__name__, self.client_mock, client_id=self.client_id, paths=paths, pathtype=rdf_paths.PathSpec.PathType.OS, conditions=[literal_condition], token=self.token) # Check that the results' matches fields are correctly filled. Expecting a # match from hello.exe fd = flow.GRRFlow.ResultCollectionForFID(session_id) self.assertEqual(len(fd[0].matches), 1) self.assertEqual(fd[0].matches[0].offset, 0) self.assertEqual(fd[0].matches[0].data, "MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff")
def testFindsNothingIfNothingMatchesLiteralMatchCondition(self): vlm = rdf_file_finder.FileFinderContentsLiteralMatchCondition( bytes_before=10, bytes_after=10, literal="CanNotFindMe") client_id = self.SetupClient(0) session_id = self.RunFlow(client_id, [self.runkey], [ registry.RegistryFinderCondition( condition_type=registry.RegistryFinderCondition.Type. VALUE_LITERAL_MATCH, value_literal_match=vlm) ]) self.AssertNoResults(session_id)
def testCopyHuntHandlesLiteralExpressionCorrectly(self): """Literals are raw bytes. Testing that raw bytes are processed right.""" literal_match = rdf_file_finder.FileFinderContentsLiteralMatchCondition( literal=b"foo\x0d\xc8bar") self.StartHunt( description="model hunt", flow_runner_args=rdf_flow_runner.FlowRunnerArgs( flow_name=file_finder.FileFinder.__name__), flow_args=rdf_file_finder.FileFinderArgs( conditions=[ rdf_file_finder.FileFinderCondition( condition_type="CONTENTS_LITERAL_MATCH", contents_literal_match=literal_match) ], paths=["/tmp/evil.txt"]), token=self.token) self.Open("/#main=ManageHunts") self.Click("css=tr:contains('model hunt')") self.Click("css=button[name=CopyHunt]:not([disabled])") # Wait until dialog appears. self.WaitUntil(self.IsTextPresent, "What to run?") # Check that non-default values of sample hunt are prefilled. self.WaitUntilEqual( "foo\\x0d\\xc8bar", self.GetValue, "css=grr-new-hunt-wizard-form " "label:contains('Literal') ~ * input:text") # Click on "Next" button self.Click("css=grr-new-hunt-wizard-form button.Next") self.WaitUntil(self.IsElementPresent, "css=grr-wizard-form:contains('Hunt parameters')") # Click on "Next" button. self.Click("css=grr-new-hunt-wizard-form button.Next") self.WaitUntil(self.IsTextPresent, "How to process results") # Click on "Next" button self.Click("css=grr-new-hunt-wizard-form button.Next") self.WaitUntil(self.IsTextPresent, "Where to run?") # Click on "Next" button self.Click("css=grr-new-hunt-wizard-form button.Next") self.WaitUntil(self.IsTextPresent, "Review") # Check that the arguments summary is present. self.WaitUntil(self.IsTextPresent, file_finder.FileFinder.__name__) self.WaitUntil(self.IsTextPresent, "foo\\x0d\\xc8bar") # Click on "Run" button self.Click("css=grr-new-hunt-wizard-form button.Next") self.WaitUntil(self.IsTextPresent, "Created Hunt") # Close the window and check that the hunt was created. self.Click("css=button.Next") if data_store.RelationalDBReadEnabled(): hunts_list = sorted( data_store.REL_DB.ReadHuntObjects(offset=0, count=10), key=lambda x: x.create_time) self.assertLen(hunts_list, 2) last_hunt = hunts_list[-1] # Check that the hunt was created with a correct literal value. self.assertEqual(last_hunt.args.standard.flow_name, file_finder.FileFinder.__name__) self.assertEqual( last_hunt.args.standard.flow_args.conditions[0].contents_literal_match .literal, b"foo\x0d\xc8bar") else: hunts_root = aff4.FACTORY.Open("aff4:/hunts", token=self.token) hunts_list = sorted(list(hunts_root.ListChildren()), key=lambda x: x.age) self.assertLen(hunts_list, 2) last_hunt = aff4.FACTORY.Open(hunts_list[-1], token=self.token) # Check that the hunt was created with a correct literal value. self.assertEqual(last_hunt.args.flow_runner_args.flow_name, file_finder.FileFinder.__name__) self.assertEqual( last_hunt.args.flow_args.conditions[0].contents_literal_match.literal, b"foo\x0d\xc8bar")
def testPassesAllConditionsToClientFileFinderWhenAllConditionsSpecified( self): modification_time = rdf_file_finder.FileFinderModificationTimeCondition( min_last_modified_time=rdfvalue.RDFDatetime.Now(), ) access_time = rdf_file_finder.FileFinderAccessTimeCondition( min_last_access_time=rdfvalue.RDFDatetime.Now(), ) inode_change_time = rdf_file_finder.FileFinderInodeChangeTimeCondition( min_last_inode_change_time=rdfvalue.RDFDatetime.Now(), ) size = rdf_file_finder.FileFinderSizeCondition(min_file_size=42, ) ext_flags = rdf_file_finder.FileFinderExtFlagsCondition( linux_bits_set=42, ) contents_regex_match = ( rdf_file_finder.FileFinderContentsRegexMatchCondition( regex=b"foo", )) contents_literal_match = ( rdf_file_finder.FileFinderContentsLiteralMatchCondition( literal=b"bar", )) flow_id = flow_test_lib.StartFlow( file.CollectMultipleFiles, client_id=self.client_id, path_expressions=["/some/path"], modification_time=modification_time, access_time=access_time, inode_change_time=inode_change_time, size=size, ext_flags=ext_flags, contents_regex_match=contents_regex_match, contents_literal_match=contents_literal_match, ) children = data_store.REL_DB.ReadChildFlowObjects( self.client_id, flow_id) self.assertLen(children, 1) child = children[0] self.assertEqual(child.flow_class_name, file_finder.ClientFileFinder.__name__) # We expect 7 condition-attributes to be converted # to 7 FileFinderConditions. self.assertLen(child.args.conditions, 7) def _GetCondition(condition_type): for c in child.args.conditions: if c.condition_type == condition_type: return c.UnionCast() raise RuntimeError( f"Condition of type {condition_type} not found.") self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.MODIFICATION_TIME), modification_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.ACCESS_TIME), access_time) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.INODE_CHANGE_TIME), inode_change_time) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.SIZE), size) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type.EXT_FLAGS), ext_flags) self.assertEqual( _GetCondition( rdf_file_finder.FileFinderCondition.Type.CONTENTS_REGEX_MATCH), contents_regex_match) self.assertEqual( _GetCondition(rdf_file_finder.FileFinderCondition.Type. CONTENTS_LITERAL_MATCH), contents_literal_match)