def __init__(self, driver_path=None, device=r"/dev/pmem", unload=None, load=None, mode=None, **kw): super(Live, self).__init__(**kw) # It is OK for non privileged sessions to use the default drivers. if not self.session.privileged and driver_path: raise plugin.PluginError( "Installing arbitrary drivers is only available for " "interactive or privileged sessions.") self.driver_path = (driver_path or resources.get_resource("MacPmem.kext.tgz")) if self.driver_path is None: raise IOError("Driver resource not found.") self.device = device self.unload = unload self.load = load # Did we load the driver? If so we need to clean up. self.we_started_driver = False
def assert_baseline(self, name, data): try: baseline_data = self.encode_baseline(data) with open(os.path.join(resources.get_resource( name, package="rekall_agent", prefix="test_data/baselines"))) as fd: self.assertMultiLineEqual(self._normalize_json(fd.read()), self._normalize_json(baseline_data)) except Exception: print("Unable to verify baseline %s: \n%s" % (name, baseline_data)) raise
def setUp(self): super(TestTSK, self).setUp() # Add a fake mount point to the image. mount_tree_hook = files.MountPointHook(session=self.session) mount_tree = {} mount_tree_hook._add_to_tree( mount_tree, "/mnt/", resources.get_resource("winexec_img.dd", package="rekall_agent", prefix="test_data"), "ext2") self.session.SetParameter("mount_points", mount_tree)
def assert_baseline(self, name, data): try: baseline_data = self.encode_baseline(data) with open( os.path.join( resources.get_resource( name, package="rekall_agent", prefix="test_data/baselines"))) as fd: self.assertMultiLineEqual(self._normalize_json(fd.read()), self._normalize_json(baseline_data)) except Exception: print "Unable to verify baseline %s: \n%s" % (name, baseline_data) raise
def __init__(self, *args, **kw): super(Live, self).__init__(*args, **kw) # It is OK for non privileged sessions to use the default drivers. if not self.session.privileged and self.plugin_args.driver: raise plugin.PluginError( "Installing arbitrary drivers is only available for " "interactive or privileged sessions.") self.driver_path = (self.plugin_args.driver_path or resources.get_resource("MacPmem.kext.tgz")) if self.driver_path is None: raise IOError("Driver resource not found.") # Did we load the driver? If so we need to clean up. self.we_started_driver = False
def try_to_find_osquery(self): extention = "" if platform.system() == "Windows": extention = ".exe" try: return resources.get_resource("osqueryi" + extention) except IOError as e: # Maybe it is installed on the system. if platform.system() == "Windows": result = r"c:\ProgramData\osquery\osqueryi.exe" if os.access(result, os.R_OK): return result else: # Try to find it somewhere on the system. return spawn.find_executable("osqueryi") raise e
"""This file defines some common messages in a central place. Many of these have been directly converted from GRR. """ import platform import socket import yaml from wheel import pep425tags from rekall import resources from rekall_agent import serializer # Get field definitions from messages.yaml. path = resources.get_resource("messages.yaml", "rekall-agent", prefix="messages") DEFINITIONS = yaml.safe_load(open(path, "rb").read()) class Uname(serializer.SerializedObject): """Stores information about the system.""" schema = DEFINITIONS["Uname"] @classmethod def from_current_system(cls, session=None): """Gets a Uname object populated from the current system""" uname = platform.uname() fqdn = socket.getfqdn() system = uname[0]
def load_driver(self): """Load the driver if possible.""" # Check the driver is somewhere accessible. if self.plugin_args.driver is None: # Valid values # http://superuser.com/questions/305901/possible-values-of-processor-architecture machine = platform.machine() if machine == "AMD64": driver = "winpmem_x64.sys" elif machine == "x86": driver = "winpmem_x86.sys" else: raise plugin.PluginError("Unsupported architecture") self.plugin_args.driver = resources.get_resource("WinPmem/%s" % driver) # Try the local directory if self.plugin_args.driver is None: self.plugin_args.driver = os.path.join(os.getcwd(), "WinPmem", driver) self.session.logging.debug("Loading driver from %s", self.plugin_args.driver) if not os.access(self.plugin_args.driver, os.R_OK): raise plugin.PluginError("Driver file %s is not accessible." % self.plugin_args.driver) self.hScm = win32service.OpenSCManager( None, None, win32service.SC_MANAGER_CREATE_SERVICE) # First uninstall the driver self.remove_service(also_close_as=False) try: self.hSvc = win32service.CreateService( self.hScm, self.plugin_args.service_name, self.plugin_args.service_name, win32service.SERVICE_ALL_ACCESS, win32service.SERVICE_KERNEL_DRIVER, win32service.SERVICE_DEMAND_START, win32service.SERVICE_ERROR_IGNORE, self.plugin_args.driver, None, 0, None, None, None) self.session.logging.debug("Created service %s", self.plugin_args.service_name) # Remember to cleanup afterwards. self.we_started_service = True except win32service.error as e: # Service is already there, try to open it instead. self.hSvc = win32service.OpenService( self.hScm, self.plugin_args.service_name, win32service.SERVICE_ALL_ACCESS) # Make sure the service is stopped. try: win32service.ControlService(self.hSvc, win32service.SERVICE_CONTROL_STOP) except win32service.error: pass try: win32service.StartService(self.hSvc, []) except win32service.error, e: self.session.logging.debug("%s: will try to continue", e)
import os import StringIO from flask import Flask from flask import helpers from manuskript import plugins as manuskript_plugins from werkzeug import serving from rekall import resources # If the binary is frozen it has an empty __file__ path, then use the main # executable path instead. STATIC_PATH = resources.get_resource("static", package="rekall-gui", prefix="manuskript") DEFAULT_PLUGINS = [ manuskript_plugins.PlainText, manuskript_plugins.Markdown, manuskript_plugins.PythonCall ] class WebconsoleWSGIServer(serving.BaseWSGIServer): """Custom WSGI server that supports post-activate hook.""" def __init__(self, host, port, app, post_activate_callback=None): self.post_activate_callback = post_activate_callback super(WebconsoleWSGIServer, self).__init__(host, port, app) def server_activate(self):
def load_driver(self): """Load the driver if possible.""" # Check the driver is somewhere accessible. if self.driver is None: # Valid values # http://superuser.com/questions/305901/possible-values-of-processor-architecture machine = platform.machine() if machine == "AMD64": driver = "winpmem_x64.sys" elif machine == "x86": driver = "winpmem_x86.sys" else: raise plugin.PluginError("Unsupported architecture") self.driver = resources.get_resource("WinPmem/%s" % driver) # Try the local directory if self.driver is None: self.driver = os.path.join(os.getcwd(), "WinPmem", driver) self.session.logging.debug("Loading driver from %s", self.driver) if not os.access(self.driver, os.R_OK): raise plugin.PluginError( "Driver file %s is not accessible." % self.driver) self.hScm = win32service.OpenSCManager( None, None, win32service.SC_MANAGER_CREATE_SERVICE) # First uninstall the driver self.remove_service(also_close_as=False) try: self.hSvc = win32service.CreateService( self.hScm, self.name, self.name, win32service.SERVICE_ALL_ACCESS, win32service.SERVICE_KERNEL_DRIVER, win32service.SERVICE_DEMAND_START, win32service.SERVICE_ERROR_IGNORE, self.driver, None, 0, None, None, None) self.session.logging.debug("Created service %s", self.name) # Remember to cleanup afterwards. self.we_started_service = True except win32service.error as e: # Service is already there, try to open it instead. self.hSvc = win32service.OpenService( self.hScm, self.name, win32service.SERVICE_ALL_ACCESS) # Make sure the service is stopped. try: win32service.ControlService( self.hSvc, win32service.SERVICE_CONTROL_STOP) except win32service.error: pass try: win32service.StartService(self.hSvc, []) except win32service.error, e: self.session.logging.debug("%s: will try to continue", e)
import StringIO import time from rekall import resources from rekall import testlib from rekall_agent.config import server from rekall_agent.locations import cloud SERVICE_ACCOUNT_JSON = open( resources.get_resource("service_account.json", package="rekall-agent", prefix="test_data")).read() class TestGCS(testlib.RekallBaseUnitTestCase): """Test the GCS based Location objects.""" def setUp(self): self.session = self.MakeUserSession() # Create a new agent state. self.config = server.ServerConfiguration(session=self.session) # The base of the agent state is a GCS bucket. self.config.client_config.base_location = ( cloud.GCSLocation.from_keywords(session=self.session, bucket="rekall-temp")) self.config.service_account = cloud.ServiceAccount.from_json( SERVICE_ACCOUNT_JSON, session=self.session) # Store the configuration in the session.
from rekall.ui import renderer from rekall.plugins.renderers import data_export from rekall_gui.plugins.webconsole import runplugin from flask import Blueprint from gevent import pywsgi from geventwebsocket.handler import WebSocketHandler from manuskript import plugins as manuskript_plugins from manuskript import plugin as manuskript_plugin from manuskript import server as manuskript_server STATIC_PATH = resources.get_resource("static", package="rekall-gui", prefix="rekall_gui/plugins/webconsole") class RekallWebConsole(manuskript_plugin.Plugin): ANGULAR_MODULE = "rekall.webconsole" JS_FILES = [ "rekall-webconsole/webconsole.js", ] class WebConsoleDocument(io_manager.DirectoryIOManager): """A stable, version control friendly Document manager.
import os import StringIO from flask import Flask from flask import helpers from manuskript import plugins as manuskript_plugins from werkzeug import serving from rekall import resources # If the binary is frozen it has an empty __file__ path, then use the main # executable path instead. STATIC_PATH = resources.get_resource( "static", package="rekall-gui", prefix="manuskript") DEFAULT_PLUGINS = [manuskript_plugins.PlainText, manuskript_plugins.Markdown, manuskript_plugins.PythonCall] class WebconsoleWSGIServer(serving.BaseWSGIServer): """Custom WSGI server that supports post-activate hook.""" def __init__(self, host, port, app, post_activate_callback=None): self.post_activate_callback = post_activate_callback super(WebconsoleWSGIServer, self).__init__(host, port, app) def server_activate(self): super(WebconsoleWSGIServer, self).server_activate()