edit_file.md

TTPForge Actions: edit_file

The edit_file action is useful for automating malicious modifications to files (for example, adding yourself to /etc/sudoers or commenting out important logging code). edit_file can append, delete, or replace lines in the target file - check out the examples below to learn more.

Appending and Deleting Lines

This example shows how to use the append and delete functionality of the edit_file action:

TTPForge/example-ttps/actions/edit-file/append-delete.yaml

Lines 1 to 35 in 7634dc6

	---
	name: edit_file_append_delete
	description: |
	Learn how to append and delete lines
	with the edit_file action.
	args:
	- name: test_file_path
	type: path
	description: The path at which the temporary test file should be created
	default: /tmp/ttpforge_edit_file_append_delete
	steps:
	- name: create-tmp-file
	create_file: {{.Args.test_file_path}}
	contents: |
	this_will_be_deleted
	and also this_will_be_deleted
	this will survive
	// all of these
	// lines will be
	// deleted by a regexp
	and this will also survive
	overwrite: true
	- name: edit_test_file
	edit_file: {{.Args.test_file_path}}
	edits:
	- description: |
	Delete all occurrences of a string literal
	delete: this_will_be_deleted
	- description: You can also delete regular expressions matches
	delete: (?m://.*$)
	regexp: true
	- description: Append a line to the file
	append: this will be appended to the end of the file
	- name: display_result
	inline: cat {{.Args.test_file_path}}

You can experiment with the above TTP by installing the examples TTP repository (skip this if ttpforge list repos shows that the examples repo is already installed):

ttpforge install repo https://github.com/facebookincubator/TTPForge --name examples

and then running the below command:

ttpforge run examples//actions/edit-file/append-delete.yaml

Replacing Lines

You can also use edit_file to replace lines in a file and optionally use powerful regular expressions to perform complex transformations. The next example shows this functionality in action:

TTPForge/example-ttps/actions/edit-file/replace.yaml

Lines 1 to 47 in 7634dc6

	---
	name: edit_file_replace
	description: |
	This TTP shows you how to use the edit_file action type
	to modify files and replace string literals
	or regexp matches with new strings
	args:
	- name: test_file_path
	type: path
	description: The path at which the temporary test file should be created
	default: /tmp/ttpforge_edit_file_replace
	steps:
	- name: create-tmp-file
	create_file: {{.Args.test_file_path}}
	contents: |
	this_will_be_replaced
	and another this_will_be_replaced
	multi-line strings can
	also be replaced
	you can comment out entire sections using capture groups
	entire_function_call(
	'this function call will be commented out'
	);
	overwrite: true
	- name: edit_test_file
	edit_file: {{.Args.test_file_path}}
	edits:
	- description: |
	Replace all occurrences of a string literal
	with another string literal.
	old: this_will_be_replaced
	new: single_line_literal_replacement
	- description: Same as above, but with multiple lines.
	old: |
	multi-line strings can
	also be replaced
	new: |
	isn't that
	cool
	- description: |
	You can do fancy edits with regular expressions,
	like commenting out entire function calls in code.
	old: (?P<fn_call>(?ms:^entire_function_call\(.*?\);$))
	new: "/*${fn_call}*/"
	regexp: true
	- name: display_result
	inline: cat {{.Args.test_file_path}}

Try out the above TTP by running this command:

ttpforge run examples//actions/edit-file/replace.yaml

Fields

You can specify the following YAML fields for the edit_file action:

• edit_file: (type: string) the path to the file you want to edit (must exist).
• backup_file: (type: string) the backup path to which the original file should be copied.
• edits: (type: list) a list of edits to make. Each entry can contain the following fields:
  • delete: (type: string) string/pattern to delete - pair with regexp: true to treat as a Golang regular expression and delete all matches thereof.
  • append: (type string) line(s) to append to the end of the file.
  • old: (type: string) string/pattern to replace - pair with regexp: true to treat as a Golang regular expression and replace all matches thereof. Must always be paired with new:
  • new: (type: string) string with which to replace the string/pattern specified by old: - must always be paired with old:
• cleanup: you can set this to default in order to automatically restore the original file once the TTP completes. Note: this only works when backup_file is set. You can also define a custom cleanup action.

Notes

• edit_file will read the entire file into memory, perform all specified edits, and then write out the results. Be careful when using it against very large files.
• edit_file does not support editing binary files.
• The edits list is looped through from top to bottom and all edits are applied sequentially to the copy of the file contents residing in memory. This means, for example, that if you append and then later delete that same line, the resulting final file won't contain that line.