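def execute(self, input_data):
    ''' Run the configured Rekall plugin over input_data and collect its output.

    A RekallAdapter is set up with ``self.plugin_name`` and every message it
    yields is dispatched on its ``type`` field:

    * ``'m'`` -- meta information, stored as ``self.output['meta']``
    * ``'s'`` -- new session (table); updates ``self.current_table_name``
    * ``'t'`` -- table headers; rebuilds ``self.column_map`` (cname -> name)
    * ``'r'`` -- a row, normalised via ``RekallAdapter.process_row`` and
      appended to the current table; rows carrying an ``_EPROCESS`` column
      are expanded with ``self.parse_eprocess`` and the raw column dropped
    * any other type is reported and skipped (previously it was silently
      dropped; the sibling plugins in this file print a note)

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)
    rekall_output = adapter.execute(input_data)

    for line in rekall_output:
        msg_type = line['type']
        payload = line['data']
        if msg_type == 'm':
            self.output['meta'] = payload
        elif msg_type == 's':
            # An empty name list used to raise IndexError; keep the previous
            # table instead, as the dll-list sibling in this file does.
            if payload['name']:
                self.current_table_name = payload['name'][1]
        elif msg_type == 't':
            # A column without a display name is keyed by its cname.
            self.column_map = {item['cname']: item.get('name', item['cname'])
                               for item in payload}
        elif msg_type == 'r':
            row = RekallAdapter.process_row(payload, self.column_map)
            if '_EPROCESS' in row:
                # Expand first, then drop the raw object (same order as before,
                # so an '_EPROCESS' key returned by parse_eprocess is removed too).
                row.update(self.parse_eprocess(row))
                row.pop('_EPROCESS', None)
            # NOTE(review): assumes self.output['tables'] already holds an
            # entry for the current table name -- confirm against __init__.
            self.output['tables'][self.current_table_name].append(row)
        else:
            print('Note: Ignoring rekall message of type %s: %s' % (msg_type, payload))

    return self.output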
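def execute(self, input_data):
    ''' Run the configured Rekall plugin over input_data and collect its output.

    A RekallAdapter is set up with ``self.plugin_name`` and every message it
    yields is dispatched on its ``type`` field:

    * ``'m'`` -- meta information, stored as ``self.output['meta']``
    * ``'s'`` -- new session (table); updates ``self.current_table_name``
    * ``'t'`` -- table headers; rebuilds ``self.column_map`` (cname -> name)
    * ``'r'`` -- a row, normalised via ``RekallAdapter.process_row`` and
      appended to the current table
    * any other type is reported and skipped

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)
    rekall_output = adapter.execute(input_data)

    for line in rekall_output:
        msg_type = line['type']
        payload = line['data']
        if msg_type == 'm':
            self.output['meta'] = payload
        elif msg_type == 's':
            # An empty name list used to raise IndexError; keep the previous
            # table instead, as the dll-list sibling in this file does.
            if payload['name']:
                self.current_table_name = payload['name'][1]
        elif msg_type == 't':
            # A column without a display name is keyed by its cname.
            self.column_map = {item['cname']: item.get('name', item['cname'])
                               for item in payload}
        elif msg_type == 'r':
            row = RekallAdapter.process_row(payload, self.column_map)
            # NOTE(review): assumes self.output['tables'] already holds an
            # entry for the current table name -- confirm against __init__.
            self.output['tables'][self.current_table_name].append(row)
        else:
            print('Note: Ignoring rekall message of type %s: %s' % (msg_type, payload))

    return self.output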
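def execute(self, input_data):
    ''' Run the Rekall procdump plugin over input_data and harvest what it dumps.

    The adapter is executed from a temporary directory (``goto_temp_directory``)
    so that the files the plugin writes can be collected with a plain glob.
    Rekall messages are handled as in the sibling plugins (``'m'`` meta,
    ``'t'`` headers, ``'r'`` rows); other types are ignored here, so
    ``self.current_table_name`` must already be set before this runs.

    Every regular file left in the temp directory is stored through
    ``self.c.store_sample`` as an ``'exe'`` sample and its workbench meta
    (minus bookkeeping columns) is appended to the current table.

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)

    # Everything, including the scrape, happens inside the scratch directory;
    # rekall_output may be lazy, so the processing loop stays in scope too.
    with self.goto_temp_directory():
        rekall_output = adapter.execute(input_data)

        for line in rekall_output:
            msg_type = line['type']
            payload = line['data']
            if msg_type == 'm':
                self.output['meta'] = payload
            elif msg_type == 't':
                # A column without a display name is keyed by its cname.
                self.column_map = {item['cname']: item.get('name', item['cname'])
                                   for item in payload}
            elif msg_type == 'r':
                row = RekallAdapter.process_row(payload, self.column_map)
                # NOTE(review): current_table_name is never set in this method
                # (no 's' handling) -- presumably __init__ does it; confirm.
                self.output['tables'][self.current_table_name].append(row)

        print('mem_procdump: Scraping dumped files...')
        for output_file in glob.glob('*'):
            # Only regular files are samples; open() on a directory would fail.
            if not os.path.isfile(output_file):
                continue
            # The file name comes from whatever the plugin wrote, ultimately
            # derived from the analysed image -- treat it as untrusted data.
            # basename() strips any path component before it is used as a name.
            output_name = os.path.basename(output_file).replace('executable.', '')
            with open(output_file, 'rb') as dumped_file:
                raw_bytes = dumped_file.read()
            md5 = self.c.store_sample(raw_bytes, output_name, 'exe')

            # Drop workbench bookkeeping columns; tolerate ones that are absent
            # (the original del raised KeyError on a missing column).
            meta = self.c.work_request('meta', md5)['meta']
            for key in ('customer', 'encoding', 'import_time', 'mime_type'):
                meta.pop(key, None)
            self.output['tables'][self.current_table_name].append(meta)

    return self.output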
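def execute(self, input_data):
    ''' Run the configured Rekall plugin over input_data and collect its output.

    A RekallAdapter is set up with ``self.plugin_name`` and every message it
    yields is dispatched on its ``type`` field:

    * ``'m'`` -- meta information, stored as ``self.output['meta']``
    * ``'s'`` -- new session (table); updates ``self.current_table_name``
    * ``'t'`` -- table headers; rebuilds ``self.column_map`` (cname -> name)
    * ``'r'`` -- a row, normalised via ``RekallAdapter.process_row`` and
      appended to the current table
    * any other type is reported and skipped

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)
    rekall_output = adapter.execute(input_data)

    for line in rekall_output:
        msg_type = line['type']
        payload = line['data']
        if msg_type == 'm':
            self.output['meta'] = payload
        elif msg_type == 's':
            # An empty name list used to raise IndexError; keep the previous
            # table instead, as the dll-list sibling in this file does.
            if payload['name']:
                self.current_table_name = payload['name'][1]
        elif msg_type == 't':
            # A column without a display name is keyed by its cname.
            self.column_map = {item['cname']: item.get('name', item['cname'])
                               for item in payload}
        elif msg_type == 'r':
            row = RekallAdapter.process_row(payload, self.column_map)
            # NOTE(review): assumes self.output['tables'] already holds an
            # entry for the current table name -- confirm against __init__.
            self.output['tables'][self.current_table_name].append(row)
        else:
            print('Note: Ignoring rekall message of type %s: %s' % (msg_type, payload))

    return self.output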
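def execute(self, input_data):
    ''' Run the Rekall procdump plugin over input_data and harvest what it dumps.

    The adapter is executed from a temporary directory (``goto_temp_directory``)
    so that the files the plugin writes can be collected with a plain glob.
    Rekall messages are handled as in the sibling plugins (``'m'`` meta,
    ``'t'`` headers, ``'r'`` rows); other types are ignored here, so
    ``self.current_table_name`` must already be set before this runs.

    Every regular file left in the temp directory is stored through
    ``self.c.store_sample`` as an ``'exe'`` sample and its workbench meta
    (minus bookkeeping columns) is appended to the current table.

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)

    # Everything, including the scrape, happens inside the scratch directory;
    # rekall_output may be lazy, so the processing loop stays in scope too.
    with self.goto_temp_directory():
        rekall_output = adapter.execute(input_data)

        for line in rekall_output:
            msg_type = line['type']
            payload = line['data']
            if msg_type == 'm':
                self.output['meta'] = payload
            elif msg_type == 't':
                # A column without a display name is keyed by its cname.
                self.column_map = {item['cname']: item.get('name', item['cname'])
                                   for item in payload}
            elif msg_type == 'r':
                row = RekallAdapter.process_row(payload, self.column_map)
                # NOTE(review): current_table_name is never set in this method
                # (no 's' handling) -- presumably __init__ does it; confirm.
                self.output['tables'][self.current_table_name].append(row)

        print('mem_procdump: Scraping dumped files...')
        for output_file in glob.glob('*'):
            # Only regular files are samples; open() on a directory would fail.
            if not os.path.isfile(output_file):
                continue
            # The file name comes from whatever the plugin wrote, ultimately
            # derived from the analysed image -- treat it as untrusted data.
            # basename() strips any path component before it is used as a name.
            output_name = os.path.basename(output_file).replace('executable.', '')
            with open(output_file, 'rb') as dumped_file:
                raw_bytes = dumped_file.read()
            md5 = self.c.store_sample(raw_bytes, output_name, 'exe')

            # Drop workbench bookkeeping columns; tolerate ones that are absent
            # (the original del raised KeyError on a missing column).
            meta = self.c.work_request('meta', md5)['meta']
            for key in ('customer', 'encoding', 'import_time', 'mime_type'):
                meta.pop(key, None)
            self.output['tables'][self.current_table_name].append(meta)

    return self.output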
def execute(self, input_data):
    ''' Run the configured Rekall plugin over input_data and collect its output.

    Messages from the adapter are routed by their ``type`` field to a small
    handler table: ``'m'`` stores meta, ``'s'`` switches the current table
    (only when the session carries a name), ``'t'`` rebuilds the column map
    and ``'r'`` appends a processed row, expanding rows that have a ``Base``
    column via ``self.parse_base``. Unknown types are printed and skipped.

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)

    def on_meta(data):
        self.output['meta'] = data

    def on_session(data):
        # Skip sessions without a name; the current table is left as it is.
        if data['name']:
            self.current_table_name = str(data['name'][1].v())

    def on_headers(data):
        # Columns lacking a display name fall back to their cname.
        self.column_map = {col['cname']: col.get('name', col['cname'])
                           for col in data}

    def on_row(data):
        row = RekallAdapter.process_row(data, self.column_map)
        self.output['tables'][self.current_table_name].append(row)
        # The row object is already in the table, so updating it in place
        # after the append is sufficient.
        if 'Base' in row:
            row.update(self.parse_base(row))

    handlers = {'m': on_meta, 's': on_session, 't': on_headers, 'r': on_row}

    for message in adapter.execute(input_data):
        handler = handlers.get(message['type'])
        if handler is None:
            print('Got unknown line %s: %s' % (message['type'], message['data']))
        else:
            handler(message['data'])

    return self.output
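def execute(self, input_data):
    ''' Run the configured Rekall plugin over input_data and collect its output.

    A RekallAdapter is set up with ``self.plugin_name`` and every message it
    yields is dispatched on its ``type`` field:

    * ``'m'`` -- meta information, stored as ``self.output['meta']``
    * ``'s'`` -- new session (table); updates ``self.current_table_name``
    * ``'t'`` -- table headers; rebuilds ``self.column_map`` (cname -> name)
    * ``'r'`` -- a row, normalised via ``RekallAdapter.process_row`` and
      appended to the current table; rows carrying an ``_EPROCESS`` column
      are expanded with ``self.parse_eprocess`` and the raw column dropped
    * any other type is reported and skipped (previously it was silently
      dropped; the sibling plugins in this file print a note)

    Args:
        input_data: passed unchanged to ``RekallAdapter.execute``.

    Returns:
        ``self.output`` -- the accumulated ``meta`` and ``tables`` data.
    '''
    adapter = RekallAdapter()
    adapter.set_plugin_name(self.plugin_name)
    rekall_output = adapter.execute(input_data)

    for line in rekall_output:
        msg_type = line['type']
        payload = line['data']
        if msg_type == 'm':
            self.output['meta'] = payload
        elif msg_type == 's':
            # An empty name list used to raise IndexError; keep the previous
            # table instead, as the dll-list sibling in this file does.
            if payload['name']:
                self.current_table_name = payload['name'][1]
        elif msg_type == 't':
            # A column without a display name is keyed by its cname.
            self.column_map = {item['cname']: item.get('name', item['cname'])
                               for item in payload}
        elif msg_type == 'r':
            row = RekallAdapter.process_row(payload, self.column_map)
            if '_EPROCESS' in row:
                # Expand first, then drop the raw object (same order as before,
                # so an '_EPROCESS' key returned by parse_eprocess is removed too).
                row.update(self.parse_eprocess(row))
                row.pop('_EPROCESS', None)
            # NOTE(review): assumes self.output['tables'] already holds an
            # entry for the current table name -- confirm against __init__.
            self.output['tables'][self.current_table_name].append(row)
        else:
            print('Note: Ignoring rekall message of type %s: %s' % (msg_type, payload))

    return self.output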