Example #1
0
    def testRekallModules(self):
        """Tests the end to end Rekall memory analysis."""
        request = rdf_rekall_types.RekallRequest()
        request.plugins = [
            # Only use these methods for listing processes.
            rdf_rekall_types.PluginRequest(
                plugin="pslist",
                args=dict(method=["PsActiveProcessHead", "CSRSS"])),
            rdf_rekall_types.PluginRequest(plugin="modules")
        ]
        session_id = self.LaunchRekallPlugin(request)

        # Get the result collection.
        fd = flow.GRRFlow.ResultCollectionForFID(session_id)

        # Ensure that the client_id is set on each message. This helps us demux
        # messages from different clients, when analyzing the collection from a
        # hunt.
        json_blobs = []
        for x in fd:
            self.assertEqual(x.client_urn, self.client_id)
            json_blobs.append(x.json_messages)

        json_blobs = "".join(json_blobs)

        for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
            self.assertTrue(knownresult in json_blobs)
Example #2
0
    def setUp(self):
        super(TestRekallViewer, self).setUp()

        self.UninstallACLChecks()

        request = rdf_rekall_types.RekallRequest()
        request.plugins = [
            # Only use these methods for listing processes.
            rdf_rekall_types.PluginRequest(
                plugin="pslist",
                args=dict(method=["PsActiveProcessHead", "CSRSS"])),
            rdf_rekall_types.PluginRequest(plugin="modules")
        ]

        self.LaunchRekallPlugin(request)
Example #3
0
    def Start(self):
        self.state.Register("memory_information", None)
        self.state.Register(
            "destdir",
            self.args.action.download.dump_option.with_local_copy.destdir)

        # If it is a Linux client, use Rekall instead to grab memory.
        # Unlike AnalyzeClientMemory, we skip manually checking for kcore's
        # existence since Rekall does it for us and runs additionally checks (like
        # the actual usability of kcore).
        client = aff4.FACTORY.Open(self.client_id, token=self.token)
        system = client.Get(client.Schema.SYSTEM)
        if system == "Linux":
            if (self.args.action.action_type !=
                    MemoryCollectorAction.Action.DOWNLOAD):
                raise ValueError("Linux only supports downloading memory.")
            plugin = rekall_types.PluginRequest(plugin="ewfacquire")
            request = rekall_types.RekallRequest(plugins=[plugin])
            self.CallFlow(
                "AnalyzeClientMemory",
                request=request,
                max_file_size_download=self.action_options.max_file_size,
                next_state="CheckAnalyzeClientMemory")
        else:
            self.CallFlow("LoadMemoryDriver",
                          driver_installer=self.args.driver_installer,
                          next_state="StoreMemoryInformation")
Example #4
0
    def setUpRequest(self):
        self.binaryname = "svchost.exe"

        self.args["request"].plugins = [
            rdf_rekall_types.PluginRequest(plugin="dlllist",
                                           args=dict(
                                               proc_regex=self.binaryname,
                                               method="PsActiveProcessHead"))
        ]
Example #5
0
    def RunRekallPlugin(self):
        plugin = rekall_types.PluginRequest(plugin="aff4acquire")
        plugin.args["destination"] = "GRR"
        request = rekall_types.RekallRequest(plugins=[plugin])

        # Note that this will actually also retrieve the memory image.
        self.CallFlow(AnalyzeClientMemory.__name__,
                      request=request,
                      max_file_size_download=self.args.max_file_size,
                      next_state="CheckAnalyzeClientMemory")
Example #6
0
    def DisabledTestAllPlugins(self):
        """Tests that we can run a wide variety of plugins.

    Some of those plugins are very expensive to run so this test is disabled by
    default.
    """

        plugins = [
            "atoms", "atomscan", "build_index", "callbacks", "cc",
            "cert_vad_scan", "certscan", "cmdscan", "consoles",
            "convert_profile", "desktops", "devicetree", "dis", "dlldump",
            "dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2",
            "dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks",
            "fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids",
            "grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy",
            "imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr",
            "l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump",
            "memmap", "messagehooks", "moddump", "modscan", "modules",
            "mutantscan", "netscan", "netstat", "notebook", "null",
            "object_tree", "object_types", "p", "parse_pdb", "pas2vas",
            "pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools",
            "printkey", "procdump", "procinfo", "pslist", "psscan", "pstree",
            "psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal",
            "sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan",
            "threads", "timers", "tokens", "unloaded_modules", "userassist",
            "userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree",
            "vadwalk", "version_modules", "version_scan", "vmscan", "vtop",
            "windows_stations"
        ]

        output_urn = self.client_id.Add("analysis/memory")
        failed_plugins = []

        for plugin in plugins:
            logging.info("Running plugin: %s", plugin)
            try:
                aff4.FACTORY.Delete(output_urn, token=self.token)

                request = rdf_rekall_types.RekallRequest()
                request.plugins = [
                    rdf_rekall_types.PluginRequest(plugin=plugin)
                ]

                self.LaunchRekallPlugin(request)

                # Get the result collection - it should be a RekallResponseCollection.
                fd = aff4.FACTORY.Open(output_urn, token=self.token)
                # Try to render the result.
                fd.RenderAsText()
            except Exception:  # pylint: disable=broad-except
                failed_plugins.append(plugin)
                logging.error("Plugin %s failed.", plugin)
        if failed_plugins:
            self.fail("Some plugins failed: %s" % failed_plugins)
Example #7
0
    def setUpRequest(self):
        # This is a signature for the tcpip.sys driver on Windows 7. If you are
        # running a different version, a hit is not guaranteed.
        sig_path = os.path.join(config_lib.CONFIG["Test.end_to_end_data_dir"],
                                "tcpip.sig")

        signature = open(sig_path, "rb").read().strip()
        args = {"scan_kernel": True, "signature": [signature]}
        self.args["request"].plugins = [
            rdf_rekall_types.PluginRequest(plugin="sigscan", args=args)
        ]
Example #8
0
    def testFileOutput(self):
        """Tests that a file can be written by a plugin and retrieved."""
        request = rdf_rekall_types.RekallRequest()
        request.plugins = [
            # Run procdump to create one file.
            rdf_rekall_types.PluginRequest(plugin="procdump",
                                           args=dict(pids=[2860]))
        ]

        with test_lib.Instrument(transfer.MultiGetFile,
                                 "StoreStat") as storestat_instrument:
            self.LaunchRekallPlugin(request)
            # Expect one file to be downloaded.
            self.assertEqual(storestat_instrument.call_count, 1)
Example #9
0
  def RekallPlugin(self, source):
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin=source.attributes["plugin"],
            args=source.attributes.get("args", {}))]

    self.CallFlow(
        "AnalyzeClientMemory", request=request,
        request_data={"artifact_name": self.current_artifact_name,
                      "rekall_plugin": source.attributes["plugin"],
                      "source": source.ToPrimitiveDict()},
        next_state="ProcessCollected"
    )
Example #10
0
  def testParameters(self):
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="pslist",
            args=dict(pids=[4, 2860], method="PsActiveProcessHead")),
    ]

    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)

    json_blobs = [x.json_messages for x in fd]
    json_blobs = "".join(json_blobs)

    for knownresult in ["System", "DumpIt.exe"]:
      self.assertTrue(knownresult in json_blobs)
Example #11
0
  def testDLLList(self):
    """Tests that we can run a simple DLLList Action."""
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="dlllist",
            args=dict(proc_regex="dumpit", method="PsActiveProcessHead")),
    ]

    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)

    json_blobs = [x.json_messages for x in fd]
    json_blobs = "".join(json_blobs)

    for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]:
      self.assertTrue(knownresult in json_blobs)
Example #12
0
    def testParameters(self):
        request = rdf_rekall_types.RekallRequest()
        request.plugins = [
            # Only use these methods for listing processes.
            rdf_rekall_types.PluginRequest(plugin="pslist",
                                           args=dict(
                                               pid=[4, 2860],
                                               method="PsActiveProcessHead")),
        ]

        self.LaunchRekallPlugin(request)

        # Get the result collection - it should be a RekallResponseCollection.
        fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
                               token=self.token)

        json_blobs = [x.json_messages for x in fd]
        json_blobs = "".join(json_blobs)

        for knownresult in ["System", "DumpIt.exe"]:
            self.assertTrue(knownresult in json_blobs)
Example #13
0
    def testDLLList(self):
        """Tests that we can run a simple DLLList Action."""
        request = rdf_rekall_types.RekallRequest()
        request.plugins = [
            # Only use these methods for listing processes.
            rdf_rekall_types.PluginRequest(plugin="dlllist",
                                           args=dict(
                                               proc_regex="dumpit",
                                               method="PsActiveProcessHead")),
        ]

        self.LaunchRekallPlugin(request)

        # Get the result collection - it should be a RekallResponseCollection.
        fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
                               token=self.token)

        json_blobs = [x.json_messages for x in fd]
        json_blobs = "".join(json_blobs)

        for knownresult in [
                "DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"
        ]:
            self.assertTrue(knownresult in json_blobs)
Example #14
0
 def setUpRequest(self):
   self.args["request"].plugins = [
       rdf_rekall_types.PluginRequest(plugin="pslist")
   ]
Example #15
0
 def setUpRequest(self):
   self.args["request"].plugins = [
       rdf_rekall_types.PluginRequest(plugin="pslist",
                                      args=dict(abcdefg=12345))]
Example #16
0
 def setUpRequest(self):
   self.args["request"].plugins = [
       rdf_rekall_types.PluginRequest(plugin="pslist")]
   self.args["request"].session["logging_level"] = "DEBUG"