def __init__(self,
driver_path=None,
device=r"/dev/pmem",
unload=None,
load=None,
mode=None,
**kw):
super(Live, self).__init__(**kw)
# It is OK for non privileged sessions to use the default drivers.
if not self.session.privileged and driver_path:
raise plugin.PluginError(
"Installing arbitrary drivers is only available for "
"interactive or privileged sessions.")
self.driver_path = (driver_path
or resources.get_resource("MacPmem.kext.tgz"))
if self.driver_path is None:
raise IOError("Driver resource not found.")
self.device = device
self.unload = unload
self.load = load
# Did we load the driver? If so we need to clean up.
self.we_started_driver = False
def assert_baseline(self, name, data):
try:
baseline_data = self.encode_baseline(data)
with open(os.path.join(resources.get_resource(
name, package="rekall_agent",
prefix="test_data/baselines"))) as fd:
self.assertMultiLineEqual(self._normalize_json(fd.read()),
self._normalize_json(baseline_data))
except Exception:
print("Unable to verify baseline %s: \n%s" % (name, baseline_data))
raise
def setUp(self):
super(TestTSK, self).setUp()
# Add a fake mount point to the image.
mount_tree_hook = files.MountPointHook(session=self.session)
mount_tree = {}
mount_tree_hook._add_to_tree(
mount_tree, "/mnt/",
resources.get_resource("winexec_img.dd",
package="rekall_agent",
prefix="test_data"), "ext2")
self.session.SetParameter("mount_points", mount_tree)
def setUp(self):
super(TestTSK, self).setUp()
# Add a fake mount point to the image.
mount_tree_hook = files.MountPointHook(session=self.session)
mount_tree = {}
mount_tree_hook._add_to_tree(
mount_tree, "/mnt/",
resources.get_resource("winexec_img.dd",
package="rekall_agent",
prefix="test_data"),
"ext2")
self.session.SetParameter("mount_points", mount_tree)
def assert_baseline(self, name, data):
try:
baseline_data = self.encode_baseline(data)
with open(
os.path.join(
resources.get_resource(
name,
package="rekall_agent",
prefix="test_data/baselines"))) as fd:
self.assertMultiLineEqual(self._normalize_json(fd.read()),
self._normalize_json(baseline_data))
except Exception:
print "Unable to verify baseline %s: \n%s" % (name, baseline_data)
raise
def __init__(self, *args, **kw):
super(Live, self).__init__(*args, **kw)
# It is OK for non privileged sessions to use the default drivers.
if not self.session.privileged and self.plugin_args.driver:
raise plugin.PluginError(
"Installing arbitrary drivers is only available for "
"interactive or privileged sessions.")
self.driver_path = (self.plugin_args.driver_path
or resources.get_resource("MacPmem.kext.tgz"))
if self.driver_path is None:
raise IOError("Driver resource not found.")
# Did we load the driver? If so we need to clean up.
self.we_started_driver = False
def __init__(self, *args, **kw):
super(Live, self).__init__(*args, **kw)
# It is OK for non privileged sessions to use the default drivers.
if not self.session.privileged and self.plugin_args.driver:
raise plugin.PluginError(
"Installing arbitrary drivers is only available for "
"interactive or privileged sessions.")
self.driver_path = (self.plugin_args.driver_path or
resources.get_resource("MacPmem.kext.tgz"))
if self.driver_path is None:
raise IOError("Driver resource not found.")
# Did we load the driver? If so we need to clean up.
self.we_started_driver = False
def try_to_find_osquery(self):
extention = ""
if platform.system() == "Windows":
extention = ".exe"
try:
return resources.get_resource("osqueryi" + extention)
except IOError as e:
# Maybe it is installed on the system.
if platform.system() == "Windows":
result = r"c:\ProgramData\osquery\osqueryi.exe"
if os.access(result, os.R_OK):
return result
else:
# Try to find it somewhere on the system.
return spawn.find_executable("osqueryi")
raise e
def __init__(self, driver_path=None, device=r"/dev/pmem", unload=None,
load=None, mode=None, **kw):
super(Live, self).__init__(**kw)
# It is OK for non privileged sessions to use the default drivers.
if not self.session.privileged and driver_path:
raise plugin.PluginError(
"Installing arbitrary drivers is only available for "
"interactive or privileged sessions.")
self.driver_path = (driver_path or
resources.get_resource("MacPmem.kext.tgz"))
if self.driver_path is None:
raise IOError("Driver resource not found.")
self.device = device
self.unload = unload
self.load = load
# Did we load the driver? If so we need to clean up.
self.we_started_driver = False
"""This file defines some common messages in a central place.
Many of these have been directly converted from GRR.
"""
import platform
import socket
import yaml
from wheel import pep425tags
from rekall import resources
from rekall_agent import serializer
# Get field definitions from messages.yaml.
path = resources.get_resource("messages.yaml",
"rekall-agent",
prefix="messages")
DEFINITIONS = yaml.safe_load(open(path, "rb").read())
class Uname(serializer.SerializedObject):
"""Stores information about the system."""
schema = DEFINITIONS["Uname"]
@classmethod
def from_current_system(cls, session=None):
"""Gets a Uname object populated from the current system"""
uname = platform.uname()
fqdn = socket.getfqdn()
system = uname[0]
def load_driver(self):
"""Load the driver if possible."""
# Check the driver is somewhere accessible.
if self.plugin_args.driver is None:
# Valid values
# http://superuser.com/questions/305901/possible-values-of-processor-architecture
machine = platform.machine()
if machine == "AMD64":
driver = "winpmem_x64.sys"
elif machine == "x86":
driver = "winpmem_x86.sys"
else:
raise plugin.PluginError("Unsupported architecture")
self.plugin_args.driver = resources.get_resource("WinPmem/%s" %
driver)
# Try the local directory
if self.plugin_args.driver is None:
self.plugin_args.driver = os.path.join(os.getcwd(), "WinPmem",
driver)
self.session.logging.debug("Loading driver from %s",
self.plugin_args.driver)
if not os.access(self.plugin_args.driver, os.R_OK):
raise plugin.PluginError("Driver file %s is not accessible." %
self.plugin_args.driver)
self.hScm = win32service.OpenSCManager(
None, None, win32service.SC_MANAGER_CREATE_SERVICE)
# First uninstall the driver
self.remove_service(also_close_as=False)
try:
self.hSvc = win32service.CreateService(
self.hScm, self.plugin_args.service_name,
self.plugin_args.service_name, win32service.SERVICE_ALL_ACCESS,
win32service.SERVICE_KERNEL_DRIVER,
win32service.SERVICE_DEMAND_START,
win32service.SERVICE_ERROR_IGNORE, self.plugin_args.driver,
None, 0, None, None, None)
self.session.logging.debug("Created service %s",
self.plugin_args.service_name)
# Remember to cleanup afterwards.
self.we_started_service = True
except win32service.error as e:
# Service is already there, try to open it instead.
self.hSvc = win32service.OpenService(
self.hScm, self.plugin_args.service_name,
win32service.SERVICE_ALL_ACCESS)
# Make sure the service is stopped.
try:
win32service.ControlService(self.hSvc,
win32service.SERVICE_CONTROL_STOP)
except win32service.error:
pass
try:
win32service.StartService(self.hSvc, [])
except win32service.error, e:
self.session.logging.debug("%s: will try to continue", e)
import os
import StringIO
from flask import Flask
from flask import helpers
from manuskript import plugins as manuskript_plugins
from werkzeug import serving
from rekall import resources
# If the binary is frozen it has an empty __file__ path, then use the main
# executable path instead.
STATIC_PATH = resources.get_resource("static",
package="rekall-gui",
prefix="manuskript")
DEFAULT_PLUGINS = [
manuskript_plugins.PlainText, manuskript_plugins.Markdown,
manuskript_plugins.PythonCall
]
class WebconsoleWSGIServer(serving.BaseWSGIServer):
"""Custom WSGI server that supports post-activate hook."""
def __init__(self, host, port, app, post_activate_callback=None):
self.post_activate_callback = post_activate_callback
super(WebconsoleWSGIServer, self).__init__(host, port, app)
def server_activate(self):
def load_driver(self):
"""Load the driver if possible."""
# Check the driver is somewhere accessible.
if self.driver is None:
# Valid values
# http://superuser.com/questions/305901/possible-values-of-processor-architecture
machine = platform.machine()
if machine == "AMD64":
driver = "winpmem_x64.sys"
elif machine == "x86":
driver = "winpmem_x86.sys"
else:
raise plugin.PluginError("Unsupported architecture")
self.driver = resources.get_resource("WinPmem/%s" % driver)
# Try the local directory
if self.driver is None:
self.driver = os.path.join(os.getcwd(), "WinPmem", driver)
self.session.logging.debug("Loading driver from %s", self.driver)
if not os.access(self.driver, os.R_OK):
raise plugin.PluginError(
"Driver file %s is not accessible." % self.driver)
self.hScm = win32service.OpenSCManager(
None, None, win32service.SC_MANAGER_CREATE_SERVICE)
# First uninstall the driver
self.remove_service(also_close_as=False)
try:
self.hSvc = win32service.CreateService(
self.hScm, self.name, self.name,
win32service.SERVICE_ALL_ACCESS,
win32service.SERVICE_KERNEL_DRIVER,
win32service.SERVICE_DEMAND_START,
win32service.SERVICE_ERROR_IGNORE,
self.driver,
None, 0, None, None, None)
self.session.logging.debug("Created service %s", self.name)
# Remember to cleanup afterwards.
self.we_started_service = True
except win32service.error as e:
# Service is already there, try to open it instead.
self.hSvc = win32service.OpenService(
self.hScm, self.name,
win32service.SERVICE_ALL_ACCESS)
# Make sure the service is stopped.
try:
win32service.ControlService(
self.hSvc, win32service.SERVICE_CONTROL_STOP)
except win32service.error:
pass
try:
win32service.StartService(self.hSvc, [])
except win32service.error, e:
self.session.logging.debug("%s: will try to continue", e)
import StringIO
import time
from rekall import resources
from rekall import testlib
from rekall_agent.config import server
from rekall_agent.locations import cloud
SERVICE_ACCOUNT_JSON = open(
resources.get_resource("service_account.json",
package="rekall-agent",
prefix="test_data")).read()
class TestGCS(testlib.RekallBaseUnitTestCase):
"""Test the GCS based Location objects."""
def setUp(self):
self.session = self.MakeUserSession()
# Create a new agent state.
self.config = server.ServerConfiguration(session=self.session)
# The base of the agent state is a GCS bucket.
self.config.client_config.base_location = (
cloud.GCSLocation.from_keywords(session=self.session,
bucket="rekall-temp"))
self.config.service_account = cloud.ServiceAccount.from_json(
SERVICE_ACCOUNT_JSON, session=self.session)
# Store the configuration in the session.
from rekall.ui import renderer
from rekall.plugins.renderers import data_export
from rekall_gui.plugins.webconsole import runplugin
from flask import Blueprint
from gevent import pywsgi
from geventwebsocket.handler import WebSocketHandler
from manuskript import plugins as manuskript_plugins
from manuskript import plugin as manuskript_plugin
from manuskript import server as manuskript_server
STATIC_PATH = resources.get_resource("static",
package="rekall-gui",
prefix="rekall_gui/plugins/webconsole")
class RekallWebConsole(manuskript_plugin.Plugin):
ANGULAR_MODULE = "rekall.webconsole"
JS_FILES = [
"rekall-webconsole/webconsole.js",
]
class WebConsoleDocument(io_manager.DirectoryIOManager):
"""A stable, version control friendly Document manager.
import os
import StringIO
from flask import Flask
from flask import helpers
from manuskript import plugins as manuskript_plugins
from werkzeug import serving
from rekall import resources
# If the binary is frozen it has an empty __file__ path, then use the main
# executable path instead.
STATIC_PATH = resources.get_resource(
"static", package="rekall-gui", prefix="manuskript")
DEFAULT_PLUGINS = [manuskript_plugins.PlainText,
manuskript_plugins.Markdown,
manuskript_plugins.PythonCall]
class WebconsoleWSGIServer(serving.BaseWSGIServer):
"""Custom WSGI server that supports post-activate hook."""
def __init__(self, host, port, app, post_activate_callback=None):
self.post_activate_callback = post_activate_callback
super(WebconsoleWSGIServer, self).__init__(host, port, app)
def server_activate(self):
super(WebconsoleWSGIServer, self).server_activate()
