def testNestedProtobufAssignment(self):
    """Check that we can assign a nested protobuf."""
    container = rdf_rekall_types.RekallRequest()
    pathspec = rdf_paths.PathSpec(path=r"\\.\pmem", pathtype=1)

    # An RDFString is not an acceptable value for the device field.
    with self.assertRaises(ValueError):
        container.device = rdfvalue.RDFString("hello")

    # Neither is a different RDFProto type.
    with self.assertRaises(ValueError):
        container.device = rdf_client_fs.StatEntry(st_size=5)

    # A PathSpec assigns cleanly and reads back unchanged.
    container.device = pathspec
    self.assertEqual(container.device.path, r"\\.\pmem")

    # Assigning None clears the field outright rather than leaving an
    # empty message behind.
    container.device = None
    self.assertFalse(container.HasField("device"))
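def testRekallModules(self):
    """Tests the end to end Rekall memory analysis.

    Runs the pslist and modules plugins through the Rekall flow, checks
    that every result message carries this client's URN, and checks that
    the known DumpIt process and driver appear in the JSON output.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="pslist",
            args=dict(method=["PsActiveProcessHead", "CSRSS"])),
        rdf_rekall_types.PluginRequest(plugin="modules"),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)

    # Ensure that the client_id is set on each message. This helps us demux
    # messages from different clients, when analyzing the collection from a
    # hunt.
    json_blobs = []
    for message in fd:
        self.assertEqual(message.client_urn, self.client_id)
        json_blobs.append(message.json_messages)
    json_blobs = "".join(json_blobs)

    # assertIn names the missing needle on failure; assertTrue(x in y)
    # only reports "False is not true".
    for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
        self.assertIn(knownresult, json_blobs)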
def RunRekallPlugin(self):
    """Start memory analysis with the aff4acquire Rekall plugin.

    The plugin's "destination" arg is set to "GRR" and the flow's
    max_file_size argument caps how much of the image is downloaded.
    Results land in the CheckAnalyzeClientMemory state.
    """
    acquire = rdf_rekall_types.PluginRequest(plugin="aff4acquire")
    acquire.args["destination"] = "GRR"
    rekall_request = rdf_rekall_types.RekallRequest(plugins=[acquire])

    # Note that this will actually also retrieve the memory image.
    self.CallFlow(
        AnalyzeClientMemory.__name__,
        request=rekall_request,
        max_file_size_download=self.args.max_file_size,
        next_state="CheckAnalyzeClientMemory")
def testFileOutput(self):
    """Tests that a file can be written by a plugin and retrieved."""
    request = rdf_rekall_types.RekallRequest()
    # Run procdump to create one file.
    procdump = rdf_rekall_types.PluginRequest(
        plugin="procdump", args=dict(pids=[2860]))
    request.plugins = [procdump]

    with test_lib.Instrument(transfer.MultiGetFileMixin,
                             "StoreStat") as store_stat:
        self.LaunchRekallPlugin(request)

        # Exactly one file is expected to come back through StoreStat.
        self.assertEqual(store_stat.call_count, 1)
def RekallPlugin(self, source):
    """Run the Rekall plugin named by an artifact source.

    The plugin name and its args are taken verbatim from source.attributes.
    Results are routed to ProcessCollected together with the artifact name,
    the plugin name and the serialized source so they can be attributed.
    """
    plugin_name = source.attributes["plugin"]
    plugin_args = source.attributes.get("args", {})
    # NOTE(review): nothing here validates plugin_name or plugin_args;
    # presumably artifact definitions are trusted input — confirm.

    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        rdf_rekall_types.PluginRequest(plugin=plugin_name, args=plugin_args),
    ]

    self.CallFlow(
        memory.AnalyzeClientMemory.__name__,
        request=request,
        request_data={
            "artifact_name": self.current_artifact_name,
            "rekall_plugin": plugin_name,
            "source": source.ToPrimitiveDict(),
        },
        next_state="ProcessCollected")
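def testParameters(self):
    """Tests that plugin args (pids and method) reach the pslist plugin.

    Runs pslist restricted to two pids and checks that the known process
    names show up in the JSON output.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="pslist",
            args=dict(pids=[4, 2860], method="PsActiveProcessHead")),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)
    json_blobs = "".join(x.json_messages for x in fd)

    # assertIn names the missing needle on failure; assertTrue(x in y)
    # only reports "False is not true".
    for knownresult in ["System", "DumpIt.exe"]:
        self.assertIn(knownresult, json_blobs)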
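def testDLLList(self):
    """Tests that we can run a simple DLLList Action.

    Runs dlllist filtered by the dumpit process regex and checks that the
    expected module names appear in the JSON output.
    """
    request = rdf_rekall_types.RekallRequest()
    request.plugins = [
        # Only use these methods for listing processes.
        rdf_rekall_types.PluginRequest(
            plugin="dlllist",
            args=dict(proc_regex="dumpit", method="PsActiveProcessHead")),
    ]
    session_id = self.LaunchRekallPlugin(request)

    # Get the result collection.
    fd = flow.GRRFlow.ResultCollectionForFID(session_id)
    json_blobs = "".join(x.json_messages for x in fd)

    # assertIn names the missing needle on failure; assertTrue(x in y)
    # only reports "False is not true".
    for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]:
        self.assertIn(knownresult, json_blobs)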