 def setUp(self):
   """Create one test client and sign the bundled Rekall component.

   Runs before every test in the suite: the base fixture is set up, a
   single client is created and its id stored on ``self.client_id``,
   and the Rekall component binary under ``self.base_path`` is signed
   with this test's token.
   """
   super(RekallTestSuite, self).setUp()
   clients = self.SetupClients(1)
   self.client_id = clients[0]
   component_path = os.path.join(
       self.base_path,
       "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
   maintenance_utils.SignComponent(component_path, token=self.token)
    def testRekallVadArtifact(self):
        """Check we can run Rekall based artifacts.

        Signs the bundled Rekall component, gives the test client a Windows
        knowledge base, then collects the FullVADBinaryList artifact against
        a canned Rekall result and checks the paths that come back.
        """
        component_path = os.path.join(
            self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
        maintenance_utils.SignComponent(component_path, token=self.token)

        # Populate the client with the OS and system drive the artifact
        # is collected against.
        with aff4.FACTORY.Open(self.client_id, mode="rw",
                               token=self.token) as client:
            knowledge_base = client.Schema.KNOWLEDGE_BASE(
                os="Windows", environ_systemdrive=r"c:")
            client.Set(knowledge_base)

        self.CreateSignedDriver()
        rekall_mock = RekallMock(self.client_id, "rekall_vad_result.dat.gz")
        results = self.RunCollectorAndGetCollection(["FullVADBinaryList"],
                                                    rekall_mock)

        self.assertEqual(len(results), 1705)
        self.assertEqual(results[0].path, u"c:\\Windows\\System32\\ntdll.dll")
        # Every entry is an OS path whose (lower-cased) extension is one of
        # the binary types the VAD listing is expected to report.
        allowed_extensions = ["exe", "dll", "pyd", "drv", "mui", "cpl"]
        for entry in results:
            self.assertEqual(entry.pathtype, "OS")
            extension = entry.path.lower().rsplit(".", 1)[-1]
            self.assertIn(extension, allowed_extensions)
    def testRekallPsListArtifact(self):
        """Check we can run Rekall based artifacts.

        Signs the bundled Rekall component, then collects the RekallPsList
        artifact against a canned pslist result and checks that the expected
        process entries are reported.
        """
        component_path = os.path.join(
            self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
        maintenance_utils.SignComponent(component_path, token=self.token)

        self.CreateSignedDriver()
        rekall_mock = RekallMock(self.client_id, "rekall_pslist_result.dat.gz")
        results = self.RunCollectorAndGetCollection(["RekallPsList"],
                                                    rekall_mock)

        self.assertEqual(len(results), 35)
        # The first entry of the canned result is the System process (pid 4).
        first = results[0]
        self.assertEqual(first.exe, "System")
        self.assertEqual(first.pid, 4)
        process_names = [process.exe for process in results]
        self.assertIn("DumpIt.exe", process_names)
    def setUp(self):
        """Sign the bundled Rekall component and reset the Rekall registries.

        The signed component is kept on ``self.component`` for the tests,
        and the Rekall class registries are emptied so the component can be
        imported again without duplicate-definition errors.
        """
        super(TestComponents, self).setUp()
        component_path = os.path.join(
            self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
        self.component = maintenance_utils.SignComponent(
            component_path, token=self.token)

        # Importing the component brings in these objects again. Their code is
        # already loaded, so Rekall would complain about duplicate definitions;
        # clearing the registries first sidesteps that.
        #
        # The freshly installed component is expected to re-register its own
        # handlers for these objects, which is how the tests verify that the
        # component was installed properly.
        registries = (
            grr_rekall.GRRObjectRenderer,
            grr_rekall.RekallCachingIOManager,
            grr_rekall.GrrRekallSession,
            grr_rekall.GRRRekallRenderer,
        )
        for registry in registries:
            registry.classes.clear()
        # Now upload to the destination.
        maintenance_utils.UploadSignedConfigBlob(content,
                                                 aff4_path=dest_path,
                                                 client_context=context,
                                                 token=token)

        print "Uploaded to %s" % dest_path

    elif flags.FLAGS.subparser_name == "sign_component":
        maintenance_utils.SignComponentContent(flags.FLAGS.component_filename,
                                               flags.FLAGS.output_filename)

    elif flags.FLAGS.subparser_name == "upload_component":
        maintenance_utils.SignComponent(
            flags.FLAGS.component_filename,
            overwrite=flags.FLAGS.overwrite_component,
            token=token)

    elif flags.FLAGS.subparser_name == "upload_components":
        maintenance_utils.SignAllComponents(
            overwrite=flags.FLAGS.overwrite_component, token=token)

    elif flags.FLAGS.subparser_name == "list_components":
        maintenance_utils.ListComponents(token=token)

    elif flags.FLAGS.subparser_name == "set_var":
        config = config_lib.CONFIG
        print "Setting %s to %s" % (flags.FLAGS.var, flags.FLAGS.val)
        if flags.FLAGS.val.startswith("["):  # Allow setting of basic lists.
            flags.FLAGS.val = flags.FLAGS.val[1:-1].split(",")
        config.Set(flags.FLAGS.var, flags.FLAGS.val)
 def setUp(self):
     """Sign the bundled Rekall component before each memory test.

     The component binary under ``self.base_path`` is signed with this
     test's token after the base fixture has been set up.
     """
     super(MemoryTest, self).setUp()
     component_path = os.path.join(
         self.base_path,
         "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
     maintenance_utils.SignComponent(component_path, token=self.token)