def setUp(self):
    """Create one test client and sign the bundled Rekall component.

    The component binary is signed with this test's token so that the
    Rekall-based artifact tests below have an installed component to run.
    """
    super(RekallTestSuite, self).setUp()
    clients = self.SetupClients(1)
    self.client_id = clients[0]
    component_path = os.path.join(
        self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
    maintenance_utils.SignComponent(component_path, token=self.token)
def testRekallVadArtifact(self):
    """Check we can run Rekall based artifacts."""
    component_path = os.path.join(
        self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
    maintenance_utils.SignComponent(component_path, token=self.token)

    # The client should now be populated with the data we care about: a
    # Windows knowledge base whose system drive is "c:", which the expected
    # paths below depend on.
    with aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) as client:
        knowledge_base = client.Schema.KNOWLEDGE_BASE(
            os="Windows", environ_systemdrive=r"c:")
        client.Set(knowledge_base)

    self.CreateSignedDriver()
    rekall_mock = RekallMock(self.client_id, "rekall_vad_result.dat.gz")
    collection = self.RunCollectorAndGetCollection(
        ["FullVADBinaryList"], rekall_mock)

    # Expected size and first entry of the canned VAD result.
    self.assertEqual(len(collection), 1705)
    self.assertEqual(collection[0].path, u"c:\\Windows\\System32\\ntdll.dll")

    # Every mapped binary must be an OS path with a loadable-image extension.
    binary_extensions = ["exe", "dll", "pyd", "drv", "mui", "cpl"]
    for entry in collection:
        self.assertEqual(entry.pathtype, "OS")
        extension = entry.path.lower().rsplit(".", 1)[-1]
        self.assertIn(extension, binary_extensions)
def testRekallPsListArtifact(self):
    """Check we can run Rekall based artifacts."""
    component_path = os.path.join(
        self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
    maintenance_utils.SignComponent(component_path, token=self.token)
    self.CreateSignedDriver()

    rekall_mock = RekallMock(self.client_id, "rekall_pslist_result.dat.gz")
    collection = self.RunCollectorAndGetCollection(["RekallPsList"], rekall_mock)

    # The canned pslist result: 35 processes, starting with the System process
    # (pid 4), and containing the memory acquisition tool DumpIt.exe.
    self.assertEqual(len(collection), 35)
    first_process = collection[0]
    self.assertEqual(first_process.exe, "System")
    self.assertEqual(first_process.pid, 4)
    process_names = [process.exe for process in collection]
    self.assertIn("DumpIt.exe", process_names)
def setUp(self):
    """Sign the Rekall component and reset the Rekall class registries.

    The signed component is kept on self.component for the tests to inspect.
    """
    super(TestComponents, self).setUp()
    component_path = os.path.join(
        self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
    self.component = maintenance_utils.SignComponent(
        component_path, token=self.token)

    # The Rekall component will bring in all these new objects. Since the rekall
    # component code is already loaded when the component is re-imported, Rekall
    # will complain about duplicate definitions. We cheat by clearing the Rekall
    # registry first.
    # Note that the new component should re-register its own handlers for these
    # objects which is how we verify the component has been properly installed.
    registered_classes = (
        grr_rekall.GRRObjectRenderer,
        grr_rekall.RekallCachingIOManager,
        grr_rekall.GrrRekallSession,
        grr_rekall.GRRRekallRenderer,
    )
    for rekall_class in registered_classes:
        rekall_class.classes.clear()
# Now upload to the destination. maintenance_utils.UploadSignedConfigBlob(content, aff4_path=dest_path, client_context=context, token=token) print "Uploaded to %s" % dest_path elif flags.FLAGS.subparser_name == "sign_component": maintenance_utils.SignComponentContent(flags.FLAGS.component_filename, flags.FLAGS.output_filename) elif flags.FLAGS.subparser_name == "upload_component": maintenance_utils.SignComponent( flags.FLAGS.component_filename, overwrite=flags.FLAGS.overwrite_component, token=token) elif flags.FLAGS.subparser_name == "upload_components": maintenance_utils.SignAllComponents( overwrite=flags.FLAGS.overwrite_component, token=token) elif flags.FLAGS.subparser_name == "list_components": maintenance_utils.ListComponents(token=token) elif flags.FLAGS.subparser_name == "set_var": config = config_lib.CONFIG print "Setting %s to %s" % (flags.FLAGS.var, flags.FLAGS.val) if flags.FLAGS.val.startswith("["): # Allow setting of basic lists. flags.FLAGS.val = flags.FLAGS.val[1:-1].split(",") config.Set(flags.FLAGS.var, flags.FLAGS.val)
def setUp(self):
    """Sign the bundled Rekall component so memory tests can install it."""
    super(MemoryTest, self).setUp()
    component_path = os.path.join(
        self.base_path, "grr-rekall_0.1_glibc_2.4_amd64_Ubuntu_Linux.bin")
    maintenance_utils.SignComponent(component_path, token=self.token)