def testRekallVadArtifact(self):
  """Run the FullVADBinaryList artifact against canned Rekall output.

  The Rekall response is replayed from a fixture, so the number of results
  and the first entry are pinned exactly; every entry is additionally checked
  to look like a loaded binary rather than an arbitrary mapped file.
  """
  test_lib.WriteComponent(
      token=self.token,
      version=memory.AnalyzeClientMemoryArgs().component_version)

  # Seed the client's knowledge base; presumably the artifact's conditions and
  # path expansion read the OS and %%environ_systemdrive%% from here.
  with aff4.FACTORY.Open(self.client_id, mode="rw", token=self.token) as client:
    client.Set(
        client.Schema.KNOWLEDGE_BASE(os="Windows", environ_systemdrive=r"c:"))

  replay = RekallMock(self.client_id, "rekall_vad_result.dat.gz")
  results = self.RunCollectorAndGetCollection(["FullVADBinaryList"], replay)

  self.assertEqual(len(results), 1705)
  self.assertEqual(results[0].path, u"c:\\Windows\\System32\\ntdll.dll")

  # Anything the collector reports should be a PE-style image. A different
  # extension would suggest non-binary VAD regions are being picked up.
  binary_extensions = ("exe", "dll", "pyd", "drv", "mui", "cpl")
  for entry in results:
    self.assertEqual(entry.pathtype, "OS")
    # Whatever follows the last "." (the whole path if there is none).
    ext = entry.path.lower().rsplit(".", 1)[-1]
    self.assertIn(ext, binary_extensions)
def setUp(self):
  """Create one test client and stub out Rekall profile fetching."""
  super(RekallTestSuite, self).setUp()
  self.client_id = self.SetupClients(1)[0]
  test_lib.WriteComponent(
      token=self.token,
      version=memory.AnalyzeClientMemoryArgs().component_version)

  # Route profile lookups on the client worker to this test's own provider,
  # presumably so the suite never reaches out for real profiles.
  # NOTE(review): the stubber is started here but this method never stops it;
  # a tearDown() is not visible from here -- confirm it calls Stop(), otherwise
  # the patch on GRRClientWorker.GetRekallProfile leaks into later tests.
  profile_stubber = utils.Stubber(
      comms.GRRClientWorker, "GetRekallProfile", self.GetRekallProfile)
  self.get_rekall_profile_stubber = profile_stubber
  profile_stubber.Start()
def testRekallPsListArtifact(self):
  """Run the RekallPsList artifact against canned Rekall output.

  The fixture is fixed, so the process count and the System process (pid 4)
  at index 0 are pinned; the acquisition tool's own process is also expected
  to show up in the listing.
  """
  test_lib.WriteComponent(
      token=self.token,
      version=memory.AnalyzeClientMemoryArgs().component_version)

  replay = RekallMock(self.client_id, "rekall_pslist_result.dat.gz")
  processes = self.RunCollectorAndGetCollection(["RekallPsList"], replay)

  self.assertEqual(len(processes), 35)
  first = processes[0]
  self.assertEqual(first.exe, "System")
  self.assertEqual(first.pid, 4)

  exe_names = [proc.exe for proc in processes]
  self.assertIn("DumpIt.exe", exe_names)
def setUp(self):
  """Register the client-memory component the flows under test depend on."""
  super(MemoryTest, self).setUp()
  component_version = memory.AnalyzeClientMemoryArgs().component_version
  test_lib.WriteComponent(token=self.token, version=component_version)
def setUp(self):
  """Create one test client and register the client-memory component."""
  super(RekallTestSuite, self).setUp()
  clients = self.SetupClients(1)
  self.client_id = clients[0]
  component_version = memory.AnalyzeClientMemoryArgs().component_version
  test_lib.WriteComponent(token=self.token, version=component_version)