def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdf_rekall_types.PluginRequest(plugin="modules")
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
json_blobs = []
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
json_blobs.append(x.json_messages)
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
self.assertTrue(knownresult in json_blobs)
def testNestedProtobufAssignment(self):
"""Check that we can assign a nested protobuf."""
container = rdf_rekall_types.RekallRequest()
pathspec = rdf_paths.PathSpec(path=r"\\.\pmem", pathtype=1)
# Should raise - incompatible RDFType.
self.assertRaises(ValueError, setattr, container, "device",
rdfvalue.RDFString("hello"))
# Should raise - incompatible RDFProto type.
self.assertRaises(
ValueError,
setattr,
container,
"device",
rdf_client.StatEntry(st_size=5))
# Assign directly.
container.device = pathspec
self.assertEqual(container.device.path, r"\\.\pmem")
# Clear the field.
container.device = None
# Check the protobuf does not have the field set at all.
self.assertFalse(container.HasField("device"))
def Start(self):
self.state.Register("memory_information", None)
self.state.Register(
"destdir",
self.args.action.download.dump_option.with_local_copy.destdir)
# If it is a Linux client, use Rekall instead to grab memory.
# Unlike AnalyzeClientMemory, we skip manually checking for kcore's
# existence since Rekall does it for us and runs additionally checks (like
# the actual usability of kcore).
client = aff4.FACTORY.Open(self.client_id, token=self.token)
system = client.Get(client.Schema.SYSTEM)
if system == "Linux":
if (self.args.action.action_type !=
MemoryCollectorAction.Action.DOWNLOAD):
raise ValueError("Linux only supports downloading memory.")
plugin = rekall_types.PluginRequest(plugin="ewfacquire")
request = rekall_types.RekallRequest(plugins=[plugin])
self.CallFlow(
"AnalyzeClientMemory",
request=request,
max_file_size_download=self.action_options.max_file_size,
next_state="CheckAnalyzeClientMemory")
else:
self.CallFlow("LoadMemoryDriver",
driver_installer=self.args.driver_installer,
next_state="StoreMemoryInformation")
def RunRekallPlugin(self):
plugin = rekall_types.PluginRequest(plugin="aff4acquire")
plugin.args["destination"] = "GRR"
request = rekall_types.RekallRequest(plugins=[plugin])
# Note that this will actually also retrieve the memory image.
self.CallFlow(AnalyzeClientMemory.__name__,
request=request,
max_file_size_download=self.args.max_file_size,
next_state="CheckAnalyzeClientMemory")
def DisabledTestAllPlugins(self):
"""Tests that we can run a wide variety of plugins.
Some of those plugins are very expensive to run so this test is disabled by
default.
"""
plugins = [
"atoms", "atomscan", "build_index", "callbacks", "cc",
"cert_vad_scan", "certscan", "cmdscan", "consoles",
"convert_profile", "desktops", "devicetree", "dis", "dlldump",
"dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2",
"dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks",
"fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids",
"grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy",
"imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr",
"l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump",
"memmap", "messagehooks", "moddump", "modscan", "modules",
"mutantscan", "netscan", "netstat", "notebook", "null",
"object_tree", "object_types", "p", "parse_pdb", "pas2vas",
"pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools",
"printkey", "procdump", "procinfo", "pslist", "psscan", "pstree",
"psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal",
"sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan",
"threads", "timers", "tokens", "unloaded_modules", "userassist",
"userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree",
"vadwalk", "version_modules", "version_scan", "vmscan", "vtop",
"windows_stations"
]
output_urn = self.client_id.Add("analysis/memory")
failed_plugins = []
for plugin in plugins:
logging.info("Running plugin: %s", plugin)
try:
aff4.FACTORY.Delete(output_urn, token=self.token)
request = rdf_rekall_types.RekallRequest()
request.plugins = [
rdf_rekall_types.PluginRequest(plugin=plugin)
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(output_urn, token=self.token)
# Try to render the result.
fd.RenderAsText()
except Exception: # pylint: disable=broad-except
failed_plugins.append(plugin)
logging.error("Plugin %s failed.", plugin)
if failed_plugins:
self.fail("Some plugins failed: %s" % failed_plugins)
class AbstractTestAnalyzeClientMemory(base.ClientTestBase):
"""Test AnalyzeClientMemory (Rekall).
We use the rekall caching profile server for these tests, since we may not
have direct internet access. It may be necessary to manually populate the
cache with lib.rekall_profile_server.GRRRekallProfileServer.GetMissingProfiles
on the console to make these tests pass.
"""
flow = "AnalyzeClientMemory"
test_output_path = "analysis/memory"
args = {
"request": rdf_rekall_types.RekallRequest(),
"output": test_output_path
}
def setUpRequest(self):
raise NotImplementedError("Implemented by subclasses")
def setUp(self):
self.setUpRequest()
self.old_config = config_lib.CONFIG.Get("Rekall.profile_server")
if "Test Context" in config_lib.CONFIG.context:
# We're running in a test context, where the rekall repository server is
# set to TestRekallRepositoryProfileServer, which won't actually work for
# an end to end test. We change it temporarily to allow the test to pass.
config_lib.CONFIG.Set("Rekall.profile_server",
"GRRRekallProfileServer")
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
super(AbstractTestAnalyzeClientMemory, self).setUp()
def tearDown(self):
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
config_lib.CONFIG.Set("Rekall.profile_server", self.old_config)
super(AbstractTestAnalyzeClientMemory, self).tearDown()
def CheckFlow(self):
self.response = aff4.FACTORY.Open(self.client_id.Add(
self.test_output_path),
token=self.token)
self.assertIsInstance(self.response, aff4.RDFValueCollection)
self.assertTrue(len(self.response) >= 1)
def OpenFlow(self):
"""Returns the flow used on this test."""
return aff4.FACTORY.Open(str(self.session_id), token=self.token)
def testFileOutput(self):
"""Tests that a file can be written by a plugin and retrieved."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Run procdump to create one file.
rdf_rekall_types.PluginRequest(plugin="procdump",
args=dict(pids=[2860]))
]
with test_lib.Instrument(transfer.MultiGetFile,
"StoreStat") as storestat_instrument:
self.LaunchRekallPlugin(request)
# Expect one file to be downloaded.
self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, source):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin=source.attributes["plugin"],
args=source.attributes.get("args", {}))]
self.CallFlow(
"AnalyzeClientMemory", request=request,
request_data={"artifact_name": self.current_artifact_name,
"rekall_plugin": source.attributes["plugin"],
"source": source.ToPrimitiveDict()},
next_state="ProcessCollected"
)
def setUp(self):
super(TestRekallViewer, self).setUp()
self.UninstallACLChecks()
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdf_rekall_types.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
def testParameters(self):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(pids=[4, 2860], method="PsActiveProcessHead")),
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="dlllist",
args=dict(proc_regex="dumpit", method="PsActiveProcessHead")),
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]:
self.assertTrue(knownresult in json_blobs)
def testParameters(self):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(plugin="pslist",
args=dict(
pid=[4, 2860],
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(plugin="dlllist",
args=dict(
proc_regex="dumpit",
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in [
"DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"
]:
self.assertTrue(knownresult in json_blobs)
