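def ParseRunKeys(self, responses):
  """Guess executable paths from RunKey values and fetch those files.

  Each response carries one registry value string (a Run key command
  line such as ``"%AppData%/foo.exe" -s``). The string is expanded with
  the client's Windows environment-variable map and run through
  ``path_detection_windows.DetectExecutablePaths`` to obtain zero or more
  candidate file paths. All candidates are fetched with a single
  ``MultiGetFile`` sub-flow whose pathtype comes from the
  ``Server.raw_filesystem_access_pathtype`` config key; ``Done`` is the
  next state.

  Args:
    responses: Iterable of registry responses; each must expose
      ``registry_data.string``.

  Security note: registry values originate on the client and are
  attacker-controlled on a compromised host. Only the path guesses
  produced by ``DetectExecutablePaths`` are turned into PathSpecs, and
  the raw value is only ever passed to ``self.Log`` as a lazy ``%s``
  argument, never used as a format string.
  """
  client = data_store.REL_DB.ReadClientSnapshot(self.client_id)
  kb = client.knowledge_base
  # The environment map and pathtype depend only on the knowledge base /
  # server config, not on the individual response, so build them once
  # instead of once per registry value.
  environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
  pathtype = config.CONFIG["Server.raw_filesystem_access_pathtype"]

  filenames = []
  for response in responses:
    runkey = response.registry_data.string
    path_guesses = path_detection_windows.DetectExecutablePaths(
        [runkey], environ_vars)
    if not path_guesses:
      # runkey is untrusted client data: keep it as a lazy log argument.
      self.Log("Couldn't guess path for %s", runkey)
    filenames.extend(
        rdf_paths.PathSpec(path=path, pathtype=pathtype)
        for path in path_guesses)

  if filenames:
    self.CallFlow(
        transfer.MultiGetFile.__name__,
        pathspecs=filenames,
        next_state=compatibility.GetName(self.Done))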
def testReplacesEnvironmentVariablesWithMultipleMappings(self):
  """Test it replaces environment variables with multiple mappings.

  When one variable maps to several directories (here two user profiles
  for %AppData%), every mapping must yield its own candidate path, for
  both the bare and the single-quoted form of the command line.
  """
  # TODO: These literals use "\\" escapes rather than raw strings because
  # Python 2 raw unicode literals still treat "\u" as an escape sequence
  # instead of two characters. Python 3 fixes this, so once Python 2
  # support is dropped the literals can be rewritten as raw strings.
  app_data_dirs = [
      "C:\\Users\\foo\\Application Data",
      "C:\\Users\\bar\\Application Data",
  ]
  mapping = {"appdata": app_data_dirs}
  expected = {
      "C:\\Users\\foo\\Application Data\\Realtek\\Audio\\blah.exe",
      "C:\\Users\\bar\\Application Data\\Realtek\\Audio\\blah.exe",
  }
  command_lines = [
      r"%AppData%\Realtek\Audio\blah.exe -s",
      r"'%AppData%\Realtek\Audio\blah.exe' -s",
  ]
  for command_line in command_lines:
    detected = windows.DetectExecutablePaths([command_line], mapping)
    # Order of the guesses is not part of the contract; compare as sets.
    self.assertEqual(set(detected), expected)
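def ParseRunKeys(self, responses):
  """Guess executable paths from RunKey values and fetch those files.

  Each response carries one registry value string (a Run key command
  line). The string is expanded with the client's Windows
  environment-variable map, taken from the AFF4 client's knowledge base,
  and run through ``path_detection_windows.DetectExecutablePaths`` to
  obtain zero or more candidate file paths. All candidates are fetched
  with a single ``MultiGetFile`` sub-flow using the TSK pathtype (raw
  disk access rather than the OS file API); ``Done`` is the next state.

  Args:
    responses: Iterable of registry responses; each must expose
      ``registry_data.string``.

  Security note: registry values originate on the client and are
  attacker-controlled on a compromised host. Only the path guesses
  produced by ``DetectExecutablePaths`` are turned into PathSpecs, and
  the raw value is only ever passed to ``self.Log`` as a lazy ``%s``
  argument, never used as a format string.
  """
  client = aff4.FACTORY.Open(self.client_id, mode="r", token=self.token)
  kb = artifact.GetArtifactKnowledgeBase(client)
  # The environment map depends only on the knowledge base, not on the
  # individual response, so build it once instead of once per value.
  environ_vars = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
  pathtype = rdf_paths.PathSpec.PathType.TSK

  filenames = []
  for response in responses:
    runkey = response.registry_data.string
    path_guesses = path_detection_windows.DetectExecutablePaths(
        [runkey], environ_vars)
    if not path_guesses:
      # runkey is untrusted client data: keep it as a lazy log argument.
      self.Log("Couldn't guess path for %s", runkey)
    filenames.extend(
        rdf_paths.PathSpec(path=path, pathtype=pathtype)
        for path in path_guesses)

  if filenames:
    self.CallFlow(
        transfer.MultiGetFile.__name__,
        pathspecs=filenames,
        next_state="Done")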
def testExtractsPathsFromNonRunDllStrings(self):
  """Test it extracts paths from non-rundll strings.

  Each case is a Run-key-style command line whose first token is the
  executable. Trailing arguments ("-s", "/quiet /blah") must be dropped
  and surrounding single quotes stripped, leaving exactly one path.
  """
  cases = [
      (r"C:\Program Files\Realtek\Audio\blah.exe -s",
       r"C:\Program Files\Realtek\Audio\blah.exe"),
      (r"'C:\Program Files\Realtek\Audio\blah.exe' -s",
       r"C:\Program Files\Realtek\Audio\blah.exe"),
      (r"C:\Program Files\NVIDIA Corporation\nwiz.exe /quiet /blah",
       r"C:\Program Files\NVIDIA Corporation\nwiz.exe"),
  ]
  for command_line, expected_path in cases:
    detected = list(windows.DetectExecutablePaths([command_line]))
    self.assertEqual(detected, [expected_path])
def testReplacesEnvironmentVariable(self):
  """Test it replaces environment variables.

  A single-valued mapping for %ProgramFiles% must be substituted into the
  command line (bare or single-quoted) before the executable path is
  extracted, so exactly one expanded path is returned.
  """
  mapping = {"programfiles": r"C:\Program Files"}
  expected_path = r"C:\Program Files\Realtek\Audio\blah.exe"
  command_lines = [
      r"%ProgramFiles%\Realtek\Audio\blah.exe -s",
      r"'%ProgramFiles%\Realtek\Audio\blah.exe' -s",
  ]
  for command_line in command_lines:
    detected = list(windows.DetectExecutablePaths([command_line], mapping))
    self.assertEqual(detected, [expected_path])
def testExctactsPathsFromRunDllStrings(self):
  """Test it extracts paths from rundll strings.

  For ``rundll32.exe <lib>,<entry>`` command lines the detector is
  expected to return both the library path (with the ``,entry`` suffix
  and any quotes removed) and the bare ``rundll32.exe`` token itself.

  NOTE: the method name keeps its historical spelling ("Exctacts") so
  existing test IDs remain stable.
  """
  cases = [
      (r"rundll32.exe C:\Windows\system32\advpack.dll,DelNodeRunDLL32",
       r"C:\Windows\system32\advpack.dll"),
      (r"rundll32.exe 'C:\Program Files\Realtek\Audio\blah.exe',blah",
       r"C:\Program Files\Realtek\Audio\blah.exe"),
      (r"'rundll32.exe' 'C:\Program Files\Realtek\Audio\blah.exe',blah",
       r"C:\Program Files\Realtek\Audio\blah.exe"),
  ]
  for command_line, library_path in cases:
    detected = set(windows.DetectExecutablePaths([command_line]))
    # Order is not part of the contract; compare as sets.
    self.assertEqual(detected, {library_path, "rundll32.exe"})
def _GetFilePaths(self, path, pathtype, kb):
  """Guess Windows file paths from a command-line string.

  Args:
    path: Raw command-line string (e.g. a Run key value) to analyze. On a
      compromised host this is attacker-controlled data; only the guesses
      produced by ``DetectExecutablePaths`` are returned, never the raw
      string itself.
    pathtype: PathSpec pathtype applied to every returned spec.
    kb: Client knowledge base used to build the environment-variable
      expansion map.

  Returns:
    A list of ``rdf_paths.PathSpec``, one per candidate path found by
    ``path_detection_windows.DetectExecutablePaths``; empty when nothing
    could be guessed.
  """
  env_map = artifact_utils.GetWindowsEnvironmentVariablesMap(kb)
  guesses = path_detection_windows.DetectExecutablePaths([path], env_map)
  if not guesses:
    # TODO(user): yield a ParserAnomaly object instead of silently
    # returning nothing.
    return []
  specs = []
  for guess in guesses:
    specs.append(rdf_paths.PathSpec(path=guess, pathtype=pathtype))
  return specs
def testReplacesEnvironmentVariablesWithMultipleMappings(self):
  """Test it replaces environment variables with multiple mappings.

  When one variable maps to several directories (here two user profiles
  for %AppData%), every mapping must yield its own candidate path, for
  both the bare and the single-quoted form of the command line.
  """
  app_data_dirs = [
      r"C:\Users\foo\Application Data",
      r"C:\Users\bar\Application Data",
  ]
  mapping = {"appdata": app_data_dirs}
  expected = {
      r"C:\Users\foo\Application Data\Realtek\Audio\blah.exe",
      r"C:\Users\bar\Application Data\Realtek\Audio\blah.exe",
  }
  command_lines = [
      r"%AppData%\Realtek\Audio\blah.exe -s",
      r"'%AppData%\Realtek\Audio\blah.exe' -s",
  ]
  for command_line in command_lines:
    detected = windows.DetectExecutablePaths([command_line], mapping)
    # Order of the guesses is not part of the contract; compare as sets.
    self.assertEqual(set(detected), expected)