def RekallAction(self, rekall_request): if rekall_request.device.path != "/proc/kcore": return [rdf_flows.GrrStatus( status=rdf_flows.GrrStatus.ReturnedStatus.GENERIC_ERROR, error_message="Should use kcore device when present.")] response = rdf_rekall_types.RekallResponse(json_messages="{}") return [response, rdf_client.Iterator(state="FINISHED")]
def LoadProfile(self, name, **kw): """Wraps the Rekall profile's LoadProfile to fetch profiles from GRR.""" profile = None # If the user specified a special profile path we use their choice. try: profile = super(GrrRekallSession, self).LoadProfile(name, **kw) except io_manager.IOManagerError as e: # Currently, Rekall will raise when the repository directory is not # created. This is fine, because we'll create the directory after # WriteRekallProfile runs a few lines later. self.logging.warning(e) if profile: return profile # Cant load the profile, we need to ask the server for it. self.logging.info("Asking server for profile %s", name) self.action.SendReply( rekall_types.RekallResponse( missing_profile=name, repository_version=constants.PROFILE_REPOSITORY_VERSION, )) # Wait for the server to wake us up. When we wake up the server should # have sent the profile over by calling the WriteRekallProfile. self.action.Suspend() # Now the server should have sent the data already. We try to load the # profile one more time. return super(GrrRekallSession, self).LoadProfile(name, use_cache=False)
def RekallAction(self, request): self.rekall_request = request # Pretend Rekall returned the memory file. return [ rdf_rekall_types.RekallResponse(json_messages=""" [["file",{"path": "%s", "pathtype": "TMPFILE"}]] """ % self.memory_file, plugin="aff4acquire"), rdf_client.Iterator(state="FINISHED") ]
def RekallAction(self, _): # Generate this file with: # rekall -r data -f win7_trial_64bit.raw pslist > rekall_pslist_result.dat ps_list_file = os.path.join(config_lib.CONFIG["Test.data_dir"], self.result_filename) result = rdf_rekall_types.RekallResponse( json_messages=open(ps_list_file).read(10000000), plugin="pslist", client_urn=self.client_id) return [result, rdf_client.Iterator(state="FINISHED")]
def DeleteFiles(self, responses): # Check that the MultiGetFile flow worked. if not responses.success: raise flow.FlowError("Could not get files: %s" % responses.status) for output_file in self.state.output_files: self.CallClient(server_stubs.DeleteGRRTempFiles, output_file, next_state="LogDeleteFiles") # Let calling flows know where files ended up in AFF4 space. self.SendReply( rekall_types.RekallResponse(downloaded_files=[ x.AFF4Path(self.client_id) for x in responses ]))
def write_data_stream(self): """Prepares a RekallResponse and send to the server.""" if self.data: response_msg = rekall_types.RekallResponse( json_messages=self.robust_encoder.encode(self.data), json_context_messages=self.robust_encoder.encode( self.context_messages.items()), plugin=self.plugin) self.context_messages = self.new_context_messages self.new_context_messages = {} # Queue the response to the server. self.action.SendReply(response_msg)
def testBasicParsing(self): ps_list_file = os.path.join(config.CONFIG["Test.data_dir"], "rekall_vad_result.dat.gz") result = rdf_rekall_types.RekallResponse(json_messages=gzip.open( ps_list_file, "rb").read(), plugin="pslist") knowledge_base = rdf_client.KnowledgeBase() knowledge_base.environ_systemdrive = "C:" parser = rekall_artifact_parser.RekallVADParser() parsed_pathspecs = list(parser.Parse(result, knowledge_base)) paths = [p.path for p in parsed_pathspecs] self.assertIn(u"C:\\Windows\\System32\\spoolsv.exe", paths)
def LoadProfile(self, name): """Wraps the Rekall profile's LoadProfile to fetch profiles from GRR.""" # If the user specified a special profile path we use their choice. profile = super(GrrRekallSession, self).LoadProfile(name) if profile: return profile # Cant load the profile, we need to ask the server for it. logging.debug("Asking server for profile %s", name) self.action.SendReply( rekall_types.RekallResponse( missing_profile=name, repository_version=constants.PROFILE_REPOSITORY_VERSION, )) # Wait for the server to wake us up. When we wake up the server should # have sent the profile over by calling the WriteRekallProfile. self.action.Suspend() # Now the server should have sent the data already. We try to load the # profile one more time. return super(GrrRekallSession, self).LoadProfile(name, use_cache=False)
def RekallAction(self, _): ps_list_file = os.path.join(config.CONFIG["Test.data_dir"], "rekall_vad_result.dat.gz") response = rdf_rekall_types.RekallResponse( json_messages=gzip.open(ps_list_file, "rb").read(), plugin="pslist") # If we are given process names here we need to craft a Rekall result # containing them. This is so they point to valid files in the fixture. if self.process_list: json_data = json.loads(response.json_messages) template = json_data[7] if template[1]["filename"] != ur"\Windows\System32\ntdll.dll": raise RuntimeError("Test data invalid.") json_data = [] for process in self.process_list: new_entry = copy.deepcopy(template) new_entry[1]["filename"] = process json_data.append(new_entry) response.json_messages = json.dumps(json_data) return [response, rdf_client.Iterator(state="FINISHED")]