def testRekallModules(self): """Tests the end to end Rekall memory analysis.""" request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin="pslist", args=dict(method=["PsActiveProcessHead", "CSRSS"])), rdfvalue.PluginRequest(plugin="modules") ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) # Ensure that the client_id is set on each message. This helps us demux # messages from different clients, when analyzing the collection from a # hunt. json_blobs = [] for x in fd: self.assertEqual(x.client_urn, self.client_id) json_blobs.append(x.json_messages) json_blobs = "".join(json_blobs) for knownresult in ["DumpIt.exe", "DumpIt.sys"]: self.assertTrue(knownresult in json_blobs)
def setUpRequest(self): windows_binary_name = config_lib.CONFIG.Get( "Client.binary_name", context=["Client context", "Platform:Windows"]) self.args["request"].plugins = [ rdfvalue.PluginRequest(plugin="pslist"), rdfvalue.PluginRequest(plugin="dlllist", args=dict( proc_regex=windows_binary_name, method="PsActiveProcessHead" )), rdfvalue.PluginRequest(plugin="modules"), ]
def setUp(self): super(TestRekallViewer, self).setUp() self.UninstallACLChecks() request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin="pslist", args=dict(method=["PsActiveProcessHead", "CSRSS"])), rdfvalue.PluginRequest(plugin="modules") ] self.LaunchRekallPlugin(request)
def testDLLList(self): """Tests that we can run a simple DLLList Action.""" request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin="dlllist", args=dict( proc_regex="dumpit", method="PsActiveProcessHead" )), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) # Get the result but drop the column headers. result = [x for x in fd.RenderAsText().splitlines() if x.startswith("0x")] # There should be 5 results back. self.assertEqual(len(result), 5) for item, line in zip( ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"], sorted(result)): self.assertTrue(item in line)
def setUpRequest(self): self.binaryname = "svchost.exe" self.args["request"].plugins = [ rdfvalue.PluginRequest(plugin="dlllist", args=dict(proc_regex=self.binaryname, method="PsActiveProcessHead")) ]
def testRekallModules(self): """Tests the end to end Rekall memory analysis.""" request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin="pslist", args=dict( method=["PsActiveProcessHead", "CSRSS"] )), rdfvalue.PluginRequest(plugin="modules")] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) # Ensure that the client_id is set on each message. This helps us demux # messages from different clients, when analyzing the collection from a # hunt. for x in fd: self.assertEqual(x.client_urn, self.client_id) # The output is merged and separated by ***. module_output = re.split("^[*]{5}.+$", fd.RenderAsText(), flags=re.M) # First output pslist. output = module_output[1].strip() # 34 processes and headers. self.assertEqual(len(output.splitlines()), 34) # And should include the DumpIt binary. self.assertTrue("DumpIt.exe" in output) # Next output modules plugin. output = module_output[2].strip() # 105 modules and headers. self.assertEqual(len(output.splitlines()), 105) # And should include the DumpIt kernel driver. self.assertTrue("DumpIt.sys" in output)
def DisabledTestAllPlugins(self): """Tests that we can run a wide variety of plugins. Some of those plugins are very expensive to run so this test is disabled by default. """ plugins = [ "atoms", "atomscan", "build_index", "callbacks", "cc", "cert_vad_scan", "certscan", "cmdscan", "consoles", "convert_profile", "desktops", "devicetree", "dis", "dlldump", "dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2", "dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks", "fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids", "grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy", "imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr", "l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump", "memmap", "messagehooks", "moddump", "modscan", "modules", "mutantscan", "netscan", "netstat", "notebook", "null", "object_tree", "object_types", "p", "parse_pdb", "pas2vas", "pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools", "printkey", "procdump", "procinfo", "pslist", "psscan", "pstree", "psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal", "sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan", "threads", "timers", "tokens", "unloaded_modules", "userassist", "userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree", "vadwalk", "version_modules", "version_scan", "vmscan", "vtop", "windows_stations" ] output_urn = self.client_id.Add("analysis/memory") failed_plugins = [] for plugin in plugins: logging.info("Running plugin: %s", plugin) try: aff4.FACTORY.Delete(output_urn, token=self.token) request = rdfvalue.RekallRequest() request.plugins = [rdfvalue.PluginRequest(plugin=plugin)] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(output_urn, token=self.token) # Try to render the result. fd.RenderAsText() except Exception: # pylint: disable=broad-except failed_plugins.append(plugin) logging.error("Plugin %s failed.", plugin) if failed_plugins: self.fail("Some plugins failed: %s" % failed_plugins)
def testFileOutput(self): """Tests that a file can be written by a plugin and retrieved.""" request = rdfvalue.RekallRequest() request.plugins = [ # Run procdump to create one file. rdfvalue.PluginRequest(plugin="procdump", args=dict(pid=2860)) ] with test_lib.Instrument(transfer.MultiGetFile, "StoreStat") as storestat_instrument: self.LaunchRekallPlugin(request) # Expect one file to be downloaded. self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, collector): request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin=collector.args["plugin"], args=collector.args.get("args", {}))] self.CallFlow( "AnalyzeClientMemory", request=request, request_data={"artifact_name": self.current_artifact_name, "rekall_plugin": collector.args["plugin"], "collector": collector.ToPrimitiveDict()}, next_state="ProcessCollected" )
def testParameters(self): request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest(plugin="pslist", args=dict(pid=[4, 2860], method="PsActiveProcessHead")), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in ["System", "DumpIt.exe"]: self.assertTrue(knownresult in json_blobs)
def testDLLList(self): """Tests that we can run a simple DLLList Action.""" request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest(plugin="dlllist", args=dict(proc_regex="dumpit", method="PsActiveProcessHead")), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) json_blobs = [x.json_messages for x in fd] json_blobs = "".join(json_blobs) for knownresult in [ "DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll" ]: self.assertTrue(knownresult in json_blobs)
def testParameters(self): request = rdfvalue.RekallRequest() request.plugins = [ # Only use these methods for listing processes. rdfvalue.PluginRequest( plugin="pslist", args=dict( pid=[4, 2860], method="PsActiveProcessHead" )), ] self.LaunchRekallPlugin(request) # Get the result collection - it should be a RekallResponseCollection. fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"), token=self.token) result = fd.RenderAsText().splitlines()[4:] # Drop the column headers. # There should be 2 results back. self.assertEqual(len(result), 2) self.assertTrue("System" in result[0]) self.assertTrue("DumpIt.exe" in result[1])
def setUpRequest(self): self.args["request"].plugins = [ rdfvalue.PluginRequest(plugin="modules") ]
def setUpRequest(self): self.args["request"].plugins = [ rdfvalue.PluginRequest(plugin="pslist") ]