def RekallAction(self, rekall_request): if rekall_request.device.path != "/proc/kcore": return [ rdfvalue.GrrStatus( status=rdfvalue.GrrStatus.ReturnedStatus.GENERIC_ERROR, error_message="Should use kcore device when present.") ] response = rdfvalue.RekallResponse(json_messages="{}") return [response, rdfvalue.Iterator(state="FINISHED")]
def RekallAction(self, _): # Generate this file with: # rekall -r data -f win7_trial_64bit.raw pslist > rekall_pslist_result.dat ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"], self.result_filename) result = rdfvalue.RekallResponse( json_messages=open(ps_list_file).read(10000000), plugin="pslist", client_urn=self.client_id) return [result, rdfvalue.Iterator(state="FINISHED")]
def testRenderAsText(self): collection = aff4.FACTORY.Create("aff4:/rekall_response_test", "RekallResponseCollection", token=self.token, mode="rw") response = rdfvalue.RekallResponse() response.json_messages = self.JSON_MESSAGE collection.Add(response) text = collection.RenderAsText() self.assertTrue("svchost.exe" in text) self.assertTrue("** Plugin dlllist **" in text)
def write_data_stream(self): """Prepares a RekallResponse and send to the server.""" if self.data: response_msg = rdfvalue.RekallResponse( json_messages=json.dumps(self.data, separators=(",", ":")), json_context_messages=json.dumps(self.context_messages.items(), separators=(",", ":")), plugin=self.plugin) self.context_messages = self.new_context_messages self.new_context_messages = {} # Queue the response to the server. self.action.SendReply(response_msg)
def write_data_stream(self): """Prepares a RekallResponse and send to the server.""" if self.data: response_msg = rdfvalue.RekallResponse( json_messages=self.robust_encoder.encode(self.data), json_context_messages=self.robust_encoder.encode( self.context_messages.items()), plugin=self.plugin) self.context_messages = self.new_context_messages self.new_context_messages = {} # Queue the response to the server. self.action.SendReply(response_msg)
def testBasicParsing(self): ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"], "rekall_vad_result.dat") result = rdfvalue.RekallResponse( json_messages=open(ps_list_file).read(10000000), plugin="pslist", ) knowledge_base = rdfvalue.KnowledgeBase() knowledge_base.environ_systemdrive = "C:" parser = rekall_artifact_parser.RekallVADParser() parsed_pathspecs = list(parser.Parse(result, knowledge_base)) paths = [p.path for p in parsed_pathspecs] self.assertIn(u"C:\\Windows\\System32\\spoolsv.exe", paths)
def LoadProfile(self, name): """Wraps the Rekall profile's LoadProfile to fetch profiles from GRR.""" # If the user specified a special profile path we use their choice. profile = super(GrrRekallSession, self).LoadProfile(name) if profile: return profile # Cant load the profile, we need to ask the server for it. logging.debug("Asking server for profile %s", name) self.action.SendReply( rdfvalue.RekallResponse( missing_profile=name, repository_version=constants.PROFILE_REPOSITORY_VERSION, )) # Wait for the server to wake us up. When we wake up the server should # have sent the profile over by calling the WriteRekallProfile. self.action.Suspend() # Now the server should have sent the data already. We try to load the # profile one more time. return super(GrrRekallSession, self).LoadProfile(name, use_cache=False)
def RekallAction(self, _): ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"], "rekall_vad_result.dat") response = rdfvalue.RekallResponse( json_messages=open(ps_list_file, "rb").read(), plugin="pslist") # If we are given process names here we need to craft a Rekall result # containing them. This is so they point to valid files in the fixture. if self.process_list: json_data = json.loads(response.json_messages) template = json_data[11] if template[1]["filename"] != ur"\Windows\System32\ntdll.dll": raise RuntimeError("Test data invalid.") json_data = [] for process in self.process_list: new_entry = copy.deepcopy(template) new_entry[1]["filename"] = process json_data.append(new_entry) response.json_messages = json.dumps(json_data) return [response, rdfvalue.Iterator(state="FINISHED")]