Adds ELF parsing (#1576)

google · Dec 6, 2024 · cedf5c6 · cedf5c6
1 parent 2ae3c93
commit cedf5c6
Show file tree

Hide file tree

Showing 8 changed files with 514 additions and 0 deletions.
diff --git a/test_data/elf-3.tgz b/test_data/elf-3.tgz
diff --git a/turbinia/config/turbinia_config_tmpl.py b/turbinia/config/turbinia_config_tmpl.py
@@ -184,6 +184,11 @@
     'programs': ['de.py'],
     'docker_image': None,
     'timeout': 1200
+}, {
+    'job': 'ElfAnalysisJob',
+    'programs': ['grep'],
+    'docker_image': None,
+    'timeout': 3600
 }, {
     'job': 'FileArtifactExtractionJob',
     'programs': ['image_export'],

diff --git a/turbinia/evidence.py b/turbinia/evidence.py
@@ -1201,6 +1201,11 @@ class BinaryExtraction(CompressedDirectory):
   pass
 
 
+class ElfExtraction(CompressedDirectory):
+  """ELF details extracted from evidence."""
+  pass
+
+
 class MachoExtraction(CompressedDirectory):
   """Mach-O details extracted from evidence."""
   pass

diff --git a/turbinia/jobs/__init__.py b/turbinia/jobs/__init__.py
@@ -19,6 +19,7 @@
 from turbinia.jobs import containerd
 from turbinia.jobs import dfdewey
 from turbinia.jobs import docker
+from turbinia.jobs import elf
 from turbinia.jobs import file_system_timeline
 from turbinia.jobs import finalize_request
 from turbinia.jobs import fsstat

diff --git a/turbinia/jobs/elf.py b/turbinia/jobs/elf.py
@@ -0,0 +1,31 @@
+"""Job to execute elf analysis task."""
+
+from turbinia.evidence import ElfExtraction
+from turbinia.evidence import Directory
+from turbinia.evidence import RawDisk
+from turbinia.evidence import ReportText
+from turbinia.jobs import interface
+from turbinia.jobs import manager
+from turbinia.workers.analysis import elf
+
+
+class ElfAnalysisJob(interface.TurbiniaJob):
+  """ELF analysis job."""
+
+  evidence_input = [ElfExtraction]
+  evidence_output = [ReportText]
+
+  NAME = 'ElfAnalysisJob'
+
+  def create_tasks(self, evidence):
+    """Create task.
+    Args:
+      evidence: List of evidence objects to process
+    Returns:
+        A list of tasks to schedule.
+    """
+    tasks = [elf.ElfAnalysisTask() for _ in evidence]
+    return tasks
+
+
+manager.JobsManager.RegisterJob(ElfAnalysisJob)
diff --git a/turbinia/task_utils.py b/turbinia/task_utils.py
@@ -43,6 +43,7 @@ class TaskLoader():
       'ChromeCredsAnalysisTask',
       'DfdeweyTask',
       'DockerContainersEnumerationTask',
+      'ElfAnalysisTask',
       'FileArtifactExtractionTask',
       'FileSystemTimelineTask',
       'FinalizeRequestTask',
@@ -103,6 +104,7 @@ def get_task(self, task_name):
     # Late imports to minimize what loads all Tasks
     from turbinia.workers.abort import AbortTask
     from turbinia.workers.analysis.chromecreds import ChromeCredsAnalysisTask
+    from turbinia.workers.analysis.elf import ElfAnalysisTask
     from turbinia.workers.analysis.jenkins import JenkinsAnalysisTask
     from turbinia.workers.analysis.jupyter import JupyterAnalysisTask
     from turbinia.workers.analysis.linux_acct import LinuxAccountAnalysisTask