def Run(self, args): if args.yara_signature or not args.signature_shard.payload: raise ValueError( "A Yara signature shard is required, and not the full signature.") if args.num_signature_shards == 1: # Skip saving to disk if there is just one shard. yara_signature = args.signature_shard.payload.decode("utf-8") else: yara_signature = self._SaveSignatureShard(args) if yara_signature is None: # We haven't received the whole signature yet. return scan_request = args.Copy() scan_request.yara_signature = yara_signature scan_response = rdf_memory.YaraProcessScanResponse() processes = ProcessIterator(scan_request.pids, scan_request.process_regex, scan_request.ignore_grr_process, scan_response.errors) for process in processes: self.Progress() num_results = ( len(scan_response.errors) + len(scan_response.matches) + len(scan_response.misses)) if num_results >= self._RESULTS_PER_RESPONSE: self.SendReply(scan_response) scan_response = rdf_memory.YaraProcessScanResponse() self._ScanProcess(process, scan_request, scan_response) self.SendReply(scan_response)
def Run(self, args): result = rdf_memory.YaraProcessScanResponse() for p in ProcessIterator(args.pids, args.process_regex, args.ignore_grr_process, result.errors): self.Progress() n_results = len(result.errors) + len(result.matches) + len( result.misses) if n_results >= self._RESULTS_PER_RESPONSE: self.SendReply(result) result = rdf_memory.YaraProcessScanResponse() rdf_process = rdf_client.Process.FromPsutilProcess(p) start_time = time.time() try: matches = self._ScanProcess(p, args) scan_time = time.time() - start_time scan_time_us = int(scan_time * 1e6) except yara.TimeoutError: result.errors.Append( rdf_memory.ProcessMemoryError( process=rdf_process, error="Scanning timed out (%s seconds)." % (time.time() - start_time))) continue except Exception as e: # pylint: disable=broad-except result.errors.Append( rdf_memory.ProcessMemoryError(process=rdf_process, error=str(e))) continue if matches: result.matches.Append( rdf_memory.YaraProcessScanMatch(process=rdf_process, match=matches, scan_time_us=scan_time_us)) else: result.misses.Append( rdf_memory.YaraProcessScanMiss(process=rdf_process, scan_time_us=scan_time_us)) self.SendReply(result)
def Run(self, args): if args.yara_signature or not args.signature_shard.payload: raise ValueError( "A Yara signature shard is required, and not the full signature.") if args.num_signature_shards == 1: # Skip saving to disk if there is just one shard. yara_signature = args.signature_shard.payload.decode("utf-8") else: yara_signature = self._SaveSignatureShard(args) if yara_signature is None: # We haven't received the whole signature yet. return scan_request = args.Copy() scan_request.yara_signature = yara_signature scan_response = rdf_memory.YaraProcessScanResponse() processes = list( ProcessIterator(scan_request.pids, scan_request.process_regex, scan_request.cmdline_regex, scan_request.ignore_grr_process, scan_response.errors)) if config.CONFIG["Client.use_memory_sandboxing"]: self._yara_wrapper: YaraWrapper = UnprivilegedYaraWrapper( str(scan_request.yara_signature), processes) else: self._yara_wrapper: YaraWrapper = DirectYaraWrapper( str(scan_request.yara_signature)) with self._yara_wrapper: for process in processes: self.Progress() num_results = ( len(scan_response.errors) + len(scan_response.matches) + len(scan_response.misses)) if num_results >= self._RESULTS_PER_RESPONSE: self.SendReply(scan_response) scan_response = rdf_memory.YaraProcessScanResponse() self._ScanProcess(process, scan_request, scan_response) self.SendReply(scan_response)
def testDoesNotFailForYaraProcessScanResponse(self): yara_dump = rdf_memory.YaraProcessScanResponse() message = rdf_flows.GrrMessage(source=self.client_id, payload=yara_dump) self._ProcessValuesWithPlugin([message]) self.plugin.OutputMemoryDump.assert_not_called()