def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 's': # New Session (Table)
self.current_table_name = line['data']['name'][1]
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {item['cname']: item['name'] if 'name' in item else item['cname'] for item in line['data']}
elif line['type'] == 'r': # Row
# Standard processing on the rekall row data
row = RekallAdapter.process_row(line['data'], self.column_map)
# Process _EPROCESS entries
if '_EPROCESS' in row:
eprocess_info = self.parse_eprocess(row)
row.update(eprocess_info)
del row['_EPROCESS']
# Add the row to our current table
self.output['tables'][self.current_table_name].append(row)
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 's': # New Session (Table)
self.current_table_name = line['data']['name'][1]
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {item['cname']: item['name'] if 'name' in item else item['cname'] for item in line['data']}
elif line['type'] == 'r': # Row
# Add the row to our current table
row = RekallAdapter.process_row(line['data'], self.column_map)
self.output['tables'][self.current_table_name].append(row)
else:
print 'Note: Ignoring rekall message of type %s: %s' % (line['type'], line['data'])
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
# Create a temporary directory and run this plugin from there
with self.goto_temp_directory():
# Run the procdump plugin
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {item['cname']: item['name'] if 'name' in item else item['cname'] for item in line['data']}
elif line['type'] == 'r': # Row
# Add the row to our current table
row = RekallAdapter.process_row(line['data'], self.column_map)
self.output['tables'][self.current_table_name].append(row)
# Scrape any extracted files
print 'mem_procdump: Scraping dumped files...'
for output_file in glob.glob('*'):
# Store the output into workbench, put md5s in the 'dumped_files' field
output_name = os.path.basename(output_file)
output_name = output_name.replace('executable.', '')
with open(output_file, 'rb') as dumped_file:
raw_bytes = dumped_file.read()
md5 = self.c.store_sample(raw_bytes, output_name, 'exe')
# Remove some columns from meta data
meta = self.c.work_request('meta', md5)['meta']
del meta['customer']
del meta['encoding']
del meta['import_time']
del meta['mime_type']
self.output['tables'][self.current_table_name].append(meta)
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 's': # New Session (Table)
self.current_table_name = line['data']['name'][1]
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {
item['cname']:
item['name'] if 'name' in item else item['cname']
for item in line['data']
}
elif line['type'] == 'r': # Row
# Add the row to our current table
row = RekallAdapter.process_row(line['data'], self.column_map)
self.output['tables'][self.current_table_name].append(row)
else:
print 'Note: Ignoring rekall message of type %s: %s' % (
line['type'], line['data'])
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
# Create a temporary directory and run this plugin from there
with self.goto_temp_directory():
# Run the procdump plugin
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {
item['cname']:
item['name'] if 'name' in item else item['cname']
for item in line['data']
}
elif line['type'] == 'r': # Row
# Add the row to our current table
row = RekallAdapter.process_row(line['data'],
self.column_map)
self.output['tables'][self.current_table_name].append(row)
# Scrape any extracted files
print 'mem_procdump: Scraping dumped files...'
for output_file in glob.glob('*'):
# Store the output into workbench, put md5s in the 'dumped_files' field
output_name = os.path.basename(output_file)
output_name = output_name.replace('executable.', '')
with open(output_file, 'rb') as dumped_file:
raw_bytes = dumped_file.read()
md5 = self.c.store_sample(raw_bytes, output_name, 'exe')
# Remove some columns from meta data
meta = self.c.work_request('meta', md5)['meta']
del meta['customer']
del meta['encoding']
del meta['import_time']
del meta['mime_type']
self.output['tables'][self.current_table_name].append(meta)
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 's': # New Session (Table)
if line['data']['name']:
self.current_table_name = str(line['data']['name'][1].v())
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {
item['cname']:
item['name'] if 'name' in item else item['cname']
for item in line['data']
}
elif line['type'] == 'r': # Row
# Add the row to our current table
row = RekallAdapter.process_row(line['data'], self.column_map)
self.output['tables'][self.current_table_name].append(row)
# Process Base entries
if 'Base' in row:
base_info = self.parse_base(row)
row.update(base_info)
else:
print 'Got unknown line %s: %s' % (line['type'], line['data'])
# All done
return self.output
def execute(self, input_data):
''' Execute method '''
# Spin up the rekall adapter
adapter = RekallAdapter()
adapter.set_plugin_name(self.plugin_name)
rekall_output = adapter.execute(input_data)
# Process the output data
for line in rekall_output:
if line['type'] == 'm': # Meta
self.output['meta'] = line['data']
elif line['type'] == 's': # New Session (Table)
self.current_table_name = line['data']['name'][1]
elif line['type'] == 't': # New Table Headers (column names)
self.column_map = {
item['cname']:
item['name'] if 'name' in item else item['cname']
for item in line['data']
}
elif line['type'] == 'r': # Row
# Standard processing on the rekall row data
row = RekallAdapter.process_row(line['data'], self.column_map)
# Process _EPROCESS entries
if '_EPROCESS' in row:
eprocess_info = self.parse_eprocess(row)
row.update(eprocess_info)
del row['_EPROCESS']
# Add the row to our current table
self.output['tables'][self.current_table_name].append(row)
# All done
return self.output
