def RekallAction(self, rekall_request):
  """Stub Rekall client action that only accepts the /proc/kcore device.

  Args:
    rekall_request: request whose ``device.path`` is inspected.

  Returns:
    A list holding a single GENERIC_ERROR GrrStatus when any device other
    than ``/proc/kcore`` is requested; otherwise an empty RekallResponse
    (``json_messages="{}"``) followed by a FINISHED Iterator.
  """
  requested_device = rekall_request.device.path
  if requested_device == "/proc/kcore":
    empty_response = rdfvalue.RekallResponse(json_messages="{}")
    return [empty_response, rdfvalue.Iterator(state="FINISHED")]
  # Any other device is a test failure: the caller must prefer kcore.
  failure = rdfvalue.GrrStatus(
      status=rdfvalue.GrrStatus.ReturnedStatus.GENERIC_ERROR,
      error_message="Should use kcore device when present.")
  return [failure]
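def RekallAction(self, _):
  """Replay a canned Rekall pslist result instead of running Rekall.

  The fixture is read from ``Test.data_dir`` / ``self.result_filename``.
  Generate such a file with:
    rekall -r data -f win7_trial_64bit.raw pslist > rekall_pslist_result.dat

  Returns:
    A RekallResponse carrying at most the first 10,000,000 bytes of the
    fixture as ``json_messages``, tagged with plugin "pslist" and
    ``self.client_id``, followed by a FINISHED Iterator.
  """
  ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
                              self.result_filename)
  # Read under a context manager so the fixture handle is closed promptly
  # rather than leaking until the garbage collector reclaims it.
  with open(ps_list_file) as fixture:
    json_messages = fixture.read(10000000)
  result = rdfvalue.RekallResponse(
      json_messages=json_messages,
      plugin="pslist",
      client_urn=self.client_id)
  return [result, rdfvalue.Iterator(state="FINISHED")]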
def testOverwriting(self):
  """Assigning a new Dict to client_state replaces it rather than merging."""
  req = rdfvalue.Iterator(client_state=rdfvalue.Dict({"A": 1}))

  def entry_count():
    return len(list(req.client_state.items()))

  # Starting point: exactly one entry.
  self.assertEqual(entry_count(), 1)
  # A different single-entry Dict overwrites, so the count stays at one.
  req.client_state = rdfvalue.Dict({"B": 2})
  self.assertEqual(entry_count(), 1)
  # An empty Dict clears everything.
  req.client_state = rdfvalue.Dict({})
  self.assertEqual(entry_count(), 0)
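def RekallAction(self, _):
  """Replay a canned Rekall VAD result, optionally rewriting the process list.

  Returns:
    A RekallResponse (plugin "pslist") built from ``rekall_vad_result.dat``
    in ``Test.data_dir``, followed by a FINISHED Iterator. When
    ``self.process_list`` is non-empty, fixture entry 11 (whose filename must
    be ``\\Windows\\System32\\ntdll.dll``) is used as a template and one copy
    per requested process name replaces the fixture content, so the results
    point at files the test fixture actually contains.

  Raises:
    RuntimeError: if the fixture lacks the expected template entry.
  """
  ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
                              "rekall_vad_result.dat")
  # Context manager: release the fixture handle instead of leaking it.
  with open(ps_list_file, "rb") as fixture:
    fixture_messages = fixture.read()
  response = rdfvalue.RekallResponse(
      json_messages=fixture_messages, plugin="pslist")
  if self.process_list:
    json_data = json.loads(response.json_messages)
    # Report a too-short fixture with the same diagnostic as a wrong template
    # row, rather than surfacing a bare IndexError.
    if len(json_data) <= 11:
      raise RuntimeError("Test data invalid.")
    template = json_data[11]
    if template[1]["filename"] != ur"\Windows\System32\ntdll.dll":
      raise RuntimeError("Test data invalid.")
    crafted = []
    for process in self.process_list:
      # Deep-copy so each entry gets its own nested dict to mutate.
      new_entry = copy.deepcopy(template)
      new_entry[1]["filename"] = process
      crafted.append(new_entry)
    response.json_messages = json.dumps(crafted)
  return [response, rdfvalue.Iterator(state="FINISHED")]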