Re: IR and Forensic Scripting in LEO


Terry Brown

Nov 9, 2012, 1:47:14 PM
to leo-e...@googlegroups.com
On Thu, 8 Nov 2012 13:57:53 -0800 (PST)
ErikTheRed <srda...@gmail.com> wrote:

> I would like to know how to invoke a shell, pass
> it commands, and render the standard output back into Leo as a subnode. Merging
> the two functions below for example to run pslist and then populate a
> subnode with the results. Ultimately I want to run additional scripts
> and/or CLI utilities that parse logs and or memory dump files using CLI
> tools such as grep and awk and sed, etc. while capturing the results.
> Another goal would be to invoke other python scripts, for example the
> Pyed Piper "http://code.google.com/p/pyp/" to munge over logs using just
> python.

It seems like you'll want to run some regular python code in Leo to
invoke external programs, using python's subprocess.Popen or the pyp
thing you mention.

But you might also get some use out of the leoscreen plugin, if you're
in a Unix environment. If you have a shell running in the `screen`
shell switcher the leoscreen plugin lets you send text from Leo for
execution and pull results back in to Leo for archiving etc.

I use it all the time, with CLI-driven systems like SQL, R, and for
system setup, bash.

Cheers -Terry
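
An added example of the subprocess route Terry mentions (my code, not part of Leo, leoscreen or pyp). It runs a pipeline such as `grep | sort` without `shell=True`, wiring `subprocess.Popen` objects together so nothing in the command is interpreted by a shell, and builds a node body with a small provenance header (command, time, exit codes, SHA-256 of the output) for archiving. It assumes Python 3, `grep` and `sort` on PATH, and, for the Leo-side helper only, the `c` and `p` objects a Leo script gets plus the position API `insertAsLastChild()`, `.h`, `.b` and `c.redraw()`. The `lsof` lines are constructed sample data, not real output.

```python
"""Run a CLI pipeline from Leo, no shell involved, and capture it into a node."""
import hashlib
import subprocess
import tempfile
import time


def run_pipeline(stages, input_text=None, timeout=60):
    """stages: list of argv lists, e.g. [["grep", "-i", "crypto"], ["sort"]].

    Each argv goes straight to exec, so metacharacters in a search term
    cannot become shell commands.  Returns the exit code of every stage,
    the stdout of the last stage and the combined stderr of all stages.
    """
    # Feed input from a real (unlinked) file, not a PIPE, so a large
    # input can never deadlock against an unread downstream pipe.
    stdin0 = None
    if input_text is not None:
        stdin0 = tempfile.TemporaryFile(mode="w+")
        stdin0.write(input_text)
        stdin0.flush()
        stdin0.seek(0)
    # Same idea for stderr: every stage appends to one temp file.
    err_file = tempfile.TemporaryFile(mode="w+")

    procs = []
    for argv in stages:
        proc = subprocess.Popen(
            argv,
            stdin=procs[-1].stdout if procs else stdin0,
            stdout=subprocess.PIPE,
            stderr=err_file,
            text=True,
        )
        if procs:
            # Drop our copy of the upstream read end so the upstream
            # process sees EPIPE if this stage exits early.
            procs[-1].stdout.close()
        procs.append(proc)
    if stdin0 is not None:
        stdin0.close()

    try:
        out, _ = procs[-1].communicate(timeout=timeout)
        for proc in procs[:-1]:
            proc.wait(timeout=timeout)
    except subprocess.TimeoutExpired:
        for proc in procs:
            proc.kill()
        raise
    err_file.seek(0)
    stderr = err_file.read()
    err_file.close()
    return {
        "returncodes": [proc.returncode for proc in procs],
        "stdout": out,
        "stderr": stderr,
    }


def output_digest(text):
    """SHA-256 of captured output, so an archived note can be re-checked."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def format_result(stages, result):
    """Body text for the Leo node: provenance header, then the output."""
    cmdline = " | ".join(" ".join(argv) for argv in stages)
    header = [
        "command: " + cmdline,
        "when:    " + time.strftime("%Y-%m-%dT%H:%M:%S%z"),
        "exit:    " + " ".join(str(rc) for rc in result["returncodes"]),
        "sha256:  " + output_digest(result["stdout"]),
    ]
    body = "\n".join(header) + "\n\n" + result["stdout"]
    if result["stderr"]:
        body += "\n--- stderr ---\n" + result["stderr"]
    return body


def capture_to_subnode(c, p, stages, input_text=None, headline=None):
    """Inside Leo (c and p predefined): run the pipeline and archive the
    result as the last child of p.  Assumes Leo's position API."""
    result = run_pipeline(stages, input_text)
    child = p.insertAsLastChild()
    child.h = headline or " | ".join(" ".join(argv) for argv in stages)
    child.b = format_result(stages, result)
    c.redraw()
    return child


# Constructed sample, not real lsof output.
SAMPLE_LSOF = (
    "COMMAND  PID USER  FD TYPE DEVICE NAME\n"
    "sshd     812 root mem REG    8,1   /usr/lib/x86_64-linux-gnu/libcrypto.so.1.1\n"
    "cron     901 root mem REG    8,1   /lib/x86_64-linux-gnu/libc.so.6\n"
    "python  1404 erik mem REG    8,1   /usr/lib/python3/dist-packages/Crypto/Cipher/_AES.so\n"
)

if __name__ == "__main__":
    stages = [["grep", "-i", "crypto"], ["sort"]]
    print(format_result(stages, run_pipeline(stages, SAMPLE_LSOF)))
```

Outside Leo the block runs the sample pipeline and prints the node body; inside Leo, `capture_to_subnode(c, p, [["lsof"], ["grep", "-i", "crypto"]])` in a script node does the same against the live system and parks the result under the current node. Because `grep` exits 1 when nothing matches, the `exit:` line in the header is worth reading before trusting an empty body.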

ErikTheRed

Nov 9, 2012, 3:04:40 PM
to leo-e...@googlegroups.com
Sounds exactly like what I need to master. I have found this reference example out there, but is there a simpler implementation guide and/or example?

http://opensourcejavaphp.net/python/Leo/leo/plugins/leoscreen.py.html, which seems to document leoscreen

Terry Brown

Nov 9, 2012, 3:22:32 PM
to leo-e...@googlegroups.com
On Fri, 9 Nov 2012 12:04:40 -0800 (PST)
ErikTheRed <srda...@gmail.com> wrote:

> Sounds exactly like what I need to master. I have found this reference example
> out there, but is there a simpler implementation guide and/or example?

If you haven't used screen before I'd play with that a bit first just
to get the idea of what it does.

In Leo, once you've enabled the leoscreen plugin you can view its docs
from the Plugins menu. To be honest, although I wrote it I only use a
couple of the features, primarily

leoscreen-run-text
    Send the text selected in Leo's body text to the shell app. Selects the next line for your convenience.
leoscreen-run-all-text
    Send all the text in Leo's body text to the shell app. Selects the next node for your convenience.
leoscreen-run-all-here
    Like leoscreen-run-all-text without the inconvenient selection of the next node.
leoscreen-get-line
    Insert a line of the last result from the shell into Leo's body text at the current insert point. Lines are pulled one at a time starting from the end of the output. Can be used repeatedly to get the output you want into Leo.

I just bind those commands to keys.

Cheers -Terry

Edward K. Ream

Nov 13, 2012, 6:47:35 AM
to leo-e...@googlegroups.com
On Fri, Nov 9, 2012 at 12:47 PM, Terry Brown <terry_...@yahoo.com> wrote:

> But you might also get some use out of the leoscreen plugin, if you're
> in a Unix environment.

It doesn't work on Windows? Why not?

When I fire it up, I get this:

Traceback (most recent call last):
  File "c:\leo.repo\trunk\leo\core\leoPlugins.py", line 337, in callTagHandler
    result = handler(tag,keywords)
  File "c:\leo.repo\trunk\leo\plugins\leoscreen.py", line 176, in onCreate
    leoscreen_Controller(c)
  File "c:\leo.repo\trunk\leo\plugins\leoscreen.py", line 214, in __init__
    self._get_output() # prime output diffing system
  File "c:\leo.repo\trunk\leo\plugins\leoscreen.py", line 284, in _get_output
    self.screen_cmd(['hardcopy -h "%s"'%self.tmpfile])
  File "c:\leo.repo\trunk\leo\plugins\leoscreen.py", line 242, in screen_cmd
    stderr=subprocess.PIPE) # screen's behavior
  File "c:\python26\lib\subprocess.py", line 621, in __init__
    errread, errwrite)
  File "c:\python26\lib\subprocess.py", line 830, in _execute_child
    startupinfo)
WindowsError: [Error 2] The system cannot find the file specified

Also, I get this warning when showing the docstring:

<string>:114: (WARNING/2) Literal block ends without a blank line;
unexpected unindent.

Edward

Terry Brown

Nov 13, 2012, 1:06:45 PM
to leo-e...@googlegroups.com
On Tue, 13 Nov 2012 05:47:35 -0600
"Edward K. Ream" <edre...@gmail.com> wrote:

> > But you might also get some use out of the leoscreen plugin, if you're
> > in a Unix environment.
>
> It doesn't work on Windows? Why not?

Because it relies on screen: http://www.gnu.org/software/screen/
So maybe it would work in Cygwin on Windows, but I guess that is a Unix
environment.

Cheers -Terry

ErikTheRed

Nov 14, 2012, 9:14:23 AM
to leo-e...@googlegroups.com
This seems just like the function that I am looking for. Awesome! I am, however, having either an issue or I don't understand something about its implementation.

I can successfully pass a command from the body of a Leo node that I have created, e.g. lsof | grep -i crypto, and it passes it to the active instance of screen.
It doesn't seem to execute, however. I can see it at the command line in my instance of screen awaiting a carriage return.

If I manually execute a carriage return, however, I am able to return its results back into Leo using leoscreen-get-line, get-all, get-note or show-note.

It seems like it should execute the command being passed? Please advise.

ErikTheRed

Nov 14, 2012, 9:22:23 AM
to leo-e...@googlegroups.com
Perhaps I am not using the correct version. I noticed that I do not have the plugin options for

leoscreen-run-all-text or leoscreen-run-all-here

Terry Brown

Nov 14, 2012, 1:46:54 PM
to leo-e...@googlegroups.com
On Wed, 14 Nov 2012 06:14:23 -0800 (PST)
ErikTheRed <srda...@gmail.com> wrote:

> I can successfully pass a command from the body of a Leo node that I have
> created, e.g. lsof | grep -i crypto, and it passes it to the active
> instance of screen.
> It doesn't seem to execute, however. I can see it at the command
> line in my instance of screen awaiting a carriage return.

The selected text in the Leo body needs to include a newline. The
leoscreen-run-text command includes a newline when it selects the next
line of text. If there's no trailing newline at the end of your text,
you'll have to hit return in the shell window; usually there is at
least one trailing newline.

The commands you mention that you're missing shouldn't matter:
the ...-here command was only added a few days ago, the other is older.
You can get bleeding-edge Leo at http://www.greygreen.org/leo/

Cheers -Terry