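def testRekallModules(self):
    """Tests the end to end Rekall memory analysis.

    Runs the ``pslist`` and ``modules`` plugins through LaunchRekallPlugin,
    then checks that every result message carries this test's client id and
    that the concatenated JSON output mentions both the DumpIt executable
    and its driver.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="pslist",
            args=dict(method=["PsActiveProcessHead", "CSRSS"])),
        rdf_rekall_types.PluginRequest(plugin="modules"),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)

    # Ensure that the client_id is set on each message. This helps us demux
    # messages from different clients, when analyzing the collection from a
    # hunt.
    json_blobs = []
    for message in fd:
        self.assertEqual(message.client_urn, self.client_id)
        json_blobs.append(message.json_messages)
    combined = "".join(json_blobs)

    # assertIn reports the missing value and the haystack on failure, which
    # assertTrue(x in y) does not.
    for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
        self.assertIn(knownresult, combined)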
def RunRekallPlugin(self):
    """Kick off the memory acquisition flow.

    Builds a RekallRequest holding a single ``aff4acquire`` plugin whose
    destination is "GRR" and hands it to AnalyzeClientMemory; the flow
    resumes in CheckAnalyzeClientMemory. max_file_size_download is taken
    from self.args.max_file_size (presumably the cap on how much of the
    image is transferred back — confirm against AnalyzeClientMemory).
    """
    acquire = rdf_rekall_types.PluginRequest(plugin="aff4acquire")
    acquire.args["destination"] = "GRR"

    # Note that this will actually also retrieve the memory image.
    self.CallFlow(
        AnalyzeClientMemory.__name__,
        request=rdf_rekall_types.RekallRequest(plugins=[acquire]),
        max_file_size_download=self.args.max_file_size,
        next_state="CheckAnalyzeClientMemory")
def testFileOutput(self):
    """Tests that a file can be written by a plugin and retrieved.

    Runs ``procdump`` for a single pid while StoreStat on
    transfer.MultiGetFileMixin is instrumented, and expects exactly one
    call, i.e. one dumped file fetched from the client.
    """
    # Run procdump to create one file.
    procdump = rdf_rekall_types.PluginRequest(
        plugin="procdump", args=dict(pids=[2860]))
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [procdump]

    with test_lib.Instrument(transfer.MultiGetFileMixin,
                             "StoreStat") as storestat_instrument:
        self.LaunchRekallPlugin(request)
        # Expect one file to be downloaded.
        self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, source):
    """Dispatch the Rekall plugin described by an artifact source.

    The plugin name and its arguments are read straight from
    ``source.attributes`` ("plugin" is required, "args" defaults to an empty
    dict) and forwarded to AnalyzeClientMemory as-is; nothing in this
    method validates them, so any checking presumably happens where the
    artifact is loaded or on the client — confirm before relying on it.
    Results come back to ProcessCollected with the artifact name, the plugin
    name and the primitive form of the source attached as request_data.
    """
    plugin_name = source.attributes["plugin"]
    plugin_args = source.attributes.get("args", {})

    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        rdf_rekall_types.PluginRequest(plugin=plugin_name, args=plugin_args),
    ]

    self.CallFlow(
        memory.AnalyzeClientMemory.__name__,
        request=request,
        request_data={
            "artifact_name": self.current_artifact_name,
            "rekall_plugin": plugin_name,
            "source": source.ToPrimitiveDict(),
        },
        next_state="ProcessCollected")
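def testParameters(self):
    """Tests that plugin arguments are passed through to Rekall.

    Runs ``pslist`` restricted to pids 4 and 2860 via the
    PsActiveProcessHead method and checks that the joined JSON output still
    names the System process and DumpIt.exe.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="pslist",
            args=dict(pids=[4, 2860], method="PsActiveProcessHead")),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)
    json_blobs = "".join(x.json_messages for x in fd)

    # assertIn reports the missing value and the haystack on failure, which
    # assertTrue(x in y) does not.
    for knownresult in ["System", "DumpIt.exe"]:
        self.assertIn(knownresult, json_blobs)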
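def testDLLList(self):
    """Tests that we can run a simple DLLList Action.

    Runs ``dlllist`` for processes matching the regex "dumpit" via the
    PsActiveProcessHead method and checks that the joined JSON output names
    the process and the expected loaded modules.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="dlllist",
            args=dict(proc_regex="dumpit", method="PsActiveProcessHead")),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)
    json_blobs = "".join(x.json_messages for x in fd)

    # assertIn reports the missing value and the haystack on failure, which
    # assertTrue(x in y) does not.
    for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]:
        self.assertIn(knownresult, json_blobs)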