def RekallAction(self, rekall_request):
if rekall_request.device.path != "/proc/kcore":
return [
rdfvalue.GrrStatus(
status=rdfvalue.GrrStatus.ReturnedStatus.GENERIC_ERROR,
error_message="Should use kcore device when present.")
]
response = rdfvalue.RekallResponse(json_messages="{}")
return [response, rdfvalue.Iterator(state="FINISHED")]
def RekallAction(self, _):
# Generate this file with:
# rekall -r data -f win7_trial_64bit.raw pslist > rekall_pslist_result.dat
ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
self.result_filename)
result = rdfvalue.RekallResponse(
json_messages=open(ps_list_file).read(10000000),
plugin="pslist",
client_urn=self.client_id)
return [result, rdfvalue.Iterator(state="FINISHED")]
def testRenderAsText(self):
collection = aff4.FACTORY.Create("aff4:/rekall_response_test",
"RekallResponseCollection",
token=self.token,
mode="rw")
response = rdfvalue.RekallResponse()
response.json_messages = self.JSON_MESSAGE
collection.Add(response)
text = collection.RenderAsText()
self.assertTrue("svchost.exe" in text)
self.assertTrue("** Plugin dlllist **" in text)
def write_data_stream(self):
"""Prepares a RekallResponse and send to the server."""
if self.data:
response_msg = rdfvalue.RekallResponse(
json_messages=json.dumps(self.data, separators=(",", ":")),
json_context_messages=json.dumps(self.context_messages.items(),
separators=(",", ":")),
plugin=self.plugin)
self.context_messages = self.new_context_messages
self.new_context_messages = {}
# Queue the response to the server.
self.action.SendReply(response_msg)
def write_data_stream(self):
"""Prepares a RekallResponse and send to the server."""
if self.data:
response_msg = rdfvalue.RekallResponse(
json_messages=self.robust_encoder.encode(self.data),
json_context_messages=self.robust_encoder.encode(
self.context_messages.items()),
plugin=self.plugin)
self.context_messages = self.new_context_messages
self.new_context_messages = {}
# Queue the response to the server.
self.action.SendReply(response_msg)
def testBasicParsing(self):
ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
"rekall_vad_result.dat")
result = rdfvalue.RekallResponse(
json_messages=open(ps_list_file).read(10000000),
plugin="pslist",
)
knowledge_base = rdfvalue.KnowledgeBase()
knowledge_base.environ_systemdrive = "C:"
parser = rekall_artifact_parser.RekallVADParser()
parsed_pathspecs = list(parser.Parse(result, knowledge_base))
paths = [p.path for p in parsed_pathspecs]
self.assertIn(u"C:\\Windows\\System32\\spoolsv.exe", paths)
def LoadProfile(self, name):
"""Wraps the Rekall profile's LoadProfile to fetch profiles from GRR."""
# If the user specified a special profile path we use their choice.
profile = super(GrrRekallSession, self).LoadProfile(name)
if profile:
return profile
# Cant load the profile, we need to ask the server for it.
logging.debug("Asking server for profile %s", name)
self.action.SendReply(
rdfvalue.RekallResponse(
missing_profile=name,
repository_version=constants.PROFILE_REPOSITORY_VERSION,
))
# Wait for the server to wake us up. When we wake up the server should
# have sent the profile over by calling the WriteRekallProfile.
self.action.Suspend()
# Now the server should have sent the data already. We try to load the
# profile one more time.
return super(GrrRekallSession, self).LoadProfile(name, use_cache=False)
def RekallAction(self, _):
ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"],
"rekall_vad_result.dat")
response = rdfvalue.RekallResponse(
json_messages=open(ps_list_file, "rb").read(),
plugin="pslist")
# If we are given process names here we need to craft a Rekall result
# containing them. This is so they point to valid files in the fixture.
if self.process_list:
json_data = json.loads(response.json_messages)
template = json_data[11]
if template[1]["filename"] != ur"\Windows\System32\ntdll.dll":
raise RuntimeError("Test data invalid.")
json_data = []
for process in self.process_list:
new_entry = copy.deepcopy(template)
new_entry[1]["filename"] = process
json_data.append(new_entry)
response.json_messages = json.dumps(json_data)
return [response, rdfvalue.Iterator(state="FINISHED")]