def testRekallModules(self): """Tests the end to end Rekall memory analysis.""" request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest( plugin="pslist", args=dict(method=["PsActiveProcessHead", "CSRSS"])), rdf_rekall_types.PluginRequest(plugin="modules") ] session_id = self.LaunchRekallPlugin(request) # Get the result collection. fd = flow.GRRFlow.ResultCollectionForFID(session_id) # Ensure that the client_id is set on each message. This helps us demux # messages from different clients, when analyzing the collection from a # hunt. json_blobs = [] for x in fd: self.assertEqual(x.client_urn, self.client_id) json_blobs.append(x.json_messages) json_blobs = "".join(json_blobs) for knownresult in ["DumpIt.exe", "DumpIt.sys"]: self.assertTrue(knownresult in json_blobs)
def setUp(self): super(TestRekallViewer, self).setUp() self.UninstallACLChecks() request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest( plugin="pslist", args=dict(method=["PsActiveProcessHead", "CSRSS"])), rdf_rekall_types.PluginRequest(plugin="modules") ] self.LaunchRekallPlugin(request)
def Start(self): self.state.Register("memory_information", None) self.state.Register( "destdir", self.args.action.download.dump_option.with_local_copy.destdir) # If it is a Linux client, use Rekall instead to grab memory. # Unlike AnalyzeClientMemory, we skip manually checking for kcore's # existence since Rekall does it for us and runs additionally checks (like # the actual usability of kcore). client = aff4.FACTORY.Open(self.client_id, token=self.token) system = client.Get(client.Schema.SYSTEM) if system == "Linux": if (self.args.action.action_type != MemoryCollectorAction.Action.DOWNLOAD): raise ValueError("Linux only supports downloading memory.") plugin = rekall_types.PluginRequest(plugin="ewfacquire") request = rekall_types.RekallRequest(plugins=[plugin]) self.CallFlow( "AnalyzeClientMemory", request=request, max_file_size_download=self.action_options.max_file_size, next_state="CheckAnalyzeClientMemory") else: self.CallFlow("LoadMemoryDriver", driver_installer=self.args.driver_installer, next_state="StoreMemoryInformation")
def setUpRequest(self): self.binaryname = "svchost.exe" self.args["request"].plugins = [ rdf_rekall_types.PluginRequest(plugin="dlllist", args=dict( proc_regex=self.binaryname, method="PsActiveProcessHead")) ]
def RunRekallPlugin(self): plugin = rekall_types.PluginRequest(plugin="aff4acquire") plugin.args["destination"] = "GRR" request = rekall_types.RekallRequest(plugins=[plugin]) # Note that this will actually also retrieve the memory image. self.CallFlow(AnalyzeClientMemory.__name__, request=request, max_file_size_download=self.args.max_file_size, next_state="CheckAnalyzeClientMemory")
def DisabledTestAllPlugins(self): """Tests that we can run a wide variety of plugins. Some of those plugins are very expensive to run so this test is disabled by default. """ plugins = [ "atoms", "atomscan", "build_index", "callbacks", "cc", "cert_vad_scan", "certscan", "cmdscan", "consoles", "convert_profile", "desktops", "devicetree", "dis", "dlldump", "dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2", "dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks", "fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids", "grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy", "imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr", "l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump", "memmap", "messagehooks", "moddump", "modscan", "modules", "mutantscan", "netscan", "netstat", "notebook", "null", "object_tree", "object_types", "p", "parse_pdb", "pas2vas", "pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools", "printkey", "procdump", "procinfo", "pslist", "psscan", "pstree", "psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal", "sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan", "threads", "timers", "tokens", "unloaded_modules", "userassist", "userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree", "vadwalk", "version_modules", "version_scan", "vmscan", "vtop", "windows_stations" ] output_urn = self.client_id.Add("analysis/memory") failed_plugins = [] for plugin in plugins: logging.info("Running plugin: %s", plugin) try: aff4.FACTORY.Delete(output_urn, token=self.token) request = rdf_rekall_types.RekallRequest() request.plugins = [ rdf_rekall_types.PluginRequest(plugin=plugin) ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(output_urn, token=self.token) # Try to render the result. fd.RenderAsText() except Exception: # pylint: disable=broad-except failed_plugins.append(plugin) logging.error("Plugin %s failed.", plugin) if failed_plugins: self.fail("Some plugins failed: %s" % failed_plugins)
def setUpRequest(self): # This is a signature for the tcpip.sys driver on Windows 7. If you are # running a different version, a hit is not guaranteed. sig_path = os.path.join(config_lib.CONFIG["Test.end_to_end_data_dir"], "tcpip.sig") signature = open(sig_path, "rb").read().strip() args = {"scan_kernel": True, "signature": [signature]} self.args["request"].plugins = [ rdf_rekall_types.PluginRequest(plugin="sigscan", args=args) ]
def testFileOutput(self): """Tests that a file can be written by a plugin and retrieved.""" request = rdf_rekall_types.RekallRequest() request.plugins = [ # Run procdump to create one file. rdf_rekall_types.PluginRequest(plugin="procdump", args=dict(pids=[2860])) ] with test_lib.Instrument(transfer.MultiGetFile, "StoreStat") as storestat_instrument: self.LaunchRekallPlugin(request) # Expect one file to be downloaded. self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, source): request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest( plugin=source.attributes["plugin"], args=source.attributes.get("args", {}))] self.CallFlow( "AnalyzeClientMemory", request=request, request_data={"artifact_name": self.current_artifact_name, "rekall_plugin": source.attributes["plugin"], "source": source.ToPrimitiveDict()}, next_state="ProcessCollected" )
def testParameters(self): request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest( plugin="pslist", args=dict(pids=[4, 2860], method="PsActiveProcessHead")), ] session_id = self.LaunchRekallPlugin(request) # Get the result collection. fd = flow.GRRFlow.ResultCollectionForFID(session_id) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in ["System", "DumpIt.exe"]: self.assertTrue(knownresult in json_blobs)
def testDLLList(self): """Tests that we can run a simple DLLList Action.""" request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest( plugin="dlllist", args=dict(proc_regex="dumpit", method="PsActiveProcessHead")), ] session_id = self.LaunchRekallPlugin(request) # Get the result collection. fd = flow.GRRFlow.ResultCollectionForFID(session_id) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]: self.assertTrue(knownresult in json_blobs)
def testParameters(self): request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest(plugin="pslist", args=dict( pid=[4, 2860], method="PsActiveProcessHead")), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in ["System", "DumpIt.exe"]: self.assertTrue(knownresult in json_blobs)
def testDLLList(self): """Tests that we can run a simple DLLList Action.""" request = rdf_rekall_types.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdf_rekall_types.PluginRequest(plugin="dlllist", args=dict( proc_regex="dumpit", method="PsActiveProcessHead")), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in [ "DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll" ]: self.assertTrue(knownresult in json_blobs)
def setUpRequest(self): self.args["request"].plugins = [ rdf_rekall_types.PluginRequest(plugin="pslist") ]
def setUpRequest(self): self.args["request"].plugins = [ rdf_rekall_types.PluginRequest(plugin="pslist", args=dict(abcdefg=12345))]
def setUpRequest(self): self.args["request"].plugins = [ rdf_rekall_types.PluginRequest(plugin="pslist")] self.args["request"].session["logging_level"] = "DEBUG"