def testMultipleClientsWithIdenticalPathsYieldDifferentPMIs(self): client1 = self.SetupClient(1) client2 = self.SetupClient(2) yara_dump1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]) ]) yara_dump2 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]) ]) stat_entry1 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE)) stat_entry2 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE)) m0 = rdf_flows.GrrMessage(source=client1, payload=yara_dump1) m1 = rdf_flows.GrrMessage(source=client2, payload=yara_dump2) m2 = rdf_flows.GrrMessage(source=client1, payload=stat_entry1) m3 = rdf_flows.GrrMessage(source=client2, payload=stat_entry2) self._ProcessValuesWithPlugin([m0, m1, m2, m3]) self.assertEqual(self.plugin.OutputMemoryDump.call_count, 2) self.plugin.OutputMemoryDump.assert_any_call( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]), client1) self.plugin.OutputMemoryDump.assert_any_call( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]), client2)
def testLegacyDataMigration(self): res = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="C:\\Foo\\Bar\\%s_%d_%x_%x.tmp" % ("my_proc", 123, 111, 222), pathtype="TMPFILE"), rdf_paths.PathSpec(path="/foo/bar/%s_%d_%x_%x.tmp" % ("my_proc", 123, 456, 789), pathtype="TMPFILE") ]) ]) memory._MigrateLegacyDumpFilesToMemoryAreas(res) self.assertEqual( res, rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(memory_regions=[ rdf_memory.ProcessMemoryRegion( start=111, size=111, file=rdf_paths.PathSpec( path="/C:/Foo/Bar/%s_%d_%x_%x.tmp" % ("my_proc", 123, 111, 222), pathtype="TMPFILE")), rdf_memory.ProcessMemoryRegion( start=456, size=333, file=rdf_paths.PathSpec( path="/foo/bar/%s_%d_%x_%x.tmp" % ("my_proc", 123, 456, 789), pathtype="TMPFILE")) ]) ]))
def testPathSpecCasingIsCorrected(self): flow = memory.DumpProcessMemory(rdf_flow_objects.Flow()) flow.SendReply = mock.Mock(spec=flow.SendReply) request = rdf_flow_objects.FlowRequest( request_data={ "YaraProcessDumpResponse": rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(memory_regions=[ rdf_memory.ProcessMemoryRegion( start=1, size=1, file=rdf_paths.PathSpec.Temp( path="/C:/grr/x_1_0_1.tmp")), rdf_memory.ProcessMemoryRegion( start=1, size=1, file=rdf_paths.PathSpec.Temp( path="/C:/GRR/x_1_1_2.tmp")) ]) ]) }) pathspecs = [ rdf_paths.PathSpec.Temp(path="/C:/Grr/x_1_0_1.tmp"), rdf_paths.PathSpec.Temp(path="/C:/Grr/x_1_1_2.tmp") ] responses = flow_responses.Responses.FromResponses( request, [ rdf_flow_objects.FlowResponse(payload=rdf_client_fs.StatEntry( pathspec=pathspec)) for pathspec in pathspecs ]) flow.ProcessMemoryRegions(responses) flow.SendReply.assert_any_call( rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(memory_regions=[ rdf_memory.ProcessMemoryRegion( start=1, size=1, file=rdf_paths.PathSpec.Temp( path="/C:/Grr/x_1_0_1.tmp")), rdf_memory.ProcessMemoryRegion( start=1, size=1, file=rdf_paths.PathSpec.Temp( path="/C:/Grr/x_1_1_2.tmp")) ]) ]))
def Run(self, args): if args.prioritize_offsets and len(args.pids) != 1: raise ValueError( "Supplied prioritize_offsets {} for PIDs {} in YaraProcessDump. " "Required exactly one PID.".format(args.prioritize_offsets, args.pids)) result = rdf_memory.YaraProcessDumpResponse() for p in ProcessIterator(args.pids, args.process_regex, None, args.ignore_grr_process, result.errors): self.Progress() start = rdfvalue.RDFDatetime.Now() try: response = self.DumpProcess(p, args) now = rdfvalue.RDFDatetime.Now() response.dump_time_us = (now - start).ToInt( rdfvalue.MICROSECONDS) result.dumped_processes.Append(response) if response.error: # Limit exceeded, we bail out early. break except Exception as e: # pylint: disable=broad-except result.errors.Append( rdf_memory.ProcessMemoryError( process=rdf_client.Process.FromPsutilProcess(p), error=str(e))) continue self.SendReply(result)
def Run(self, args): result = rdf_memory.YaraProcessDumpResponse() self.bytes_written = 0 for p in ProcessIterator(args.pids, args.process_regex, args.ignore_grr_process, result.errors): self.Progress() start_time = time.time() try: response = self.DumpProcess(p, args) response.dump_time_us = int((time.time() - start_time) * 1e6) result.dumped_processes.Append(response) if response.error: # Limit exceeded, we bail out early. break except Exception as e: # pylint: disable=broad-except result.errors.Append( rdf_memory.ProcessMemoryError( process=rdf_client.Process.FromPsutilProcess(p), error=str(e))) continue self.SendReply(result)
def testOutputPluginPersistsStateCorrectly(self): yara_dump_0 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE) ]) ]) yara_dump_1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE), ]) ]) stat_entry_00 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE)) stat_entry_01 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)) stat_entry_10 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="foobar_456_f0_fa.tmp", pathtype=TMPFILE)) self._ProcessValuesWithPlugin( [rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_0)]) self.plugin = None self._ProcessValuesWithPlugin( [rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_1)]) self.plugin = None self._ProcessValuesWithPlugin( [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_00)]) self.plugin = None self._ProcessValuesWithPlugin( [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_01)]) self.plugin.OutputMemoryDump.assert_called_once_with( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE) ]), self.client_id) self.plugin = None self._ProcessValuesWithPlugin( [rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_10)]) self.plugin.OutputMemoryDump.assert_called_once_with( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE), ]), self.client_id)
def testProcessesMultipleYaraProcessDumpResponsesCorrectly(self): yara_dump_0 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE) ]) ]) yara_dump_1 = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE), ]) ]) stat_entry_00 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE)) stat_entry_01 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_fa_104.tmp", pathtype=TMPFILE)) stat_entry_10 = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="foobar_456_f0_fa.tmp", pathtype=TMPFILE)) m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_0) m1 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump_1) m2 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_00) m3 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_01) m4 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry_10) self._ProcessValuesWithPlugin([m0, m1, m2, m3, m4]) self.assertEqual(self.plugin.OutputMemoryDump.call_count, 2) self.plugin.OutputMemoryDump.assert_any_call( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), rdf_paths.PathSpec(path="my_proc_123_fa_104.tmp", pathtype=TMPFILE) ]), self.client_id) self.plugin.OutputMemoryDump.assert_any_call( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="foobar_456_f0_fa.tmp", pathtype=TMPFILE), ]), self.client_id)
def testCallsOutputMemoryDumpWithSingleBlob(self): yara_dump = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]) ]) stat_entry = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE)) m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump) m1 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry) self._ProcessValuesWithPlugin([m0, m1]) self.plugin.OutputMemoryDump.assert_called_once_with( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec(path="my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]), self.client_id)
def testIsResilientToTemporaryPathSpecRegression(self): yara_dump = rdf_memory.YaraProcessDumpResponse(dumped_processes=[ rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec( path="C:\\Foo\\my_proc_123_f0_fa.tmp", pathtype=TMPFILE), ]) ]) stat_entry = rdf_client_fs.StatEntry( pathspec=rdf_paths.PathSpec( path="/C:/Foo/my_proc_123_f0_fa.tmp", pathtype=TMPFILE, path_options=rdf_paths.PathSpec.Options.CASE_LITERAL)) m0 = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump) m1 = rdf_flows.GrrMessage(source=self.client_id, payload=stat_entry) self._ProcessValuesWithPlugin([m0, m1]) self.plugin.OutputMemoryDump.assert_called_once_with( rdf_memory.YaraProcessDumpInformation(dump_files=[ rdf_paths.PathSpec( path="/C:/Foo/my_proc_123_f0_fa.tmp", pathtype=TMPFILE, path_options=rdf_paths.PathSpec.Options.CASE_LITERAL), ]), self.client_id)
def testDoesNotFailForEmptyProcessDump(self): yara_dump = rdf_memory.YaraProcessDumpResponse() message = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump) self._ProcessValuesWithPlugin([message]) self.plugin.OutputMemoryDump.assert_not_called()