def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdf_rekall_types.PluginRequest(plugin="modules")
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
json_blobs = []
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
json_blobs.append(x.json_messages)
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
self.assertTrue(knownresult in json_blobs)
def setUp(self):
super(TestRekallViewer, self).setUp()
self.UninstallACLChecks()
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdf_rekall_types.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
def Start(self):
self.state.Register("memory_information", None)
self.state.Register(
"destdir",
self.args.action.download.dump_option.with_local_copy.destdir)
# If it is a Linux client, use Rekall instead to grab memory.
# Unlike AnalyzeClientMemory, we skip manually checking for kcore's
# existence since Rekall does it for us and runs additionally checks (like
# the actual usability of kcore).
client = aff4.FACTORY.Open(self.client_id, token=self.token)
system = client.Get(client.Schema.SYSTEM)
if system == "Linux":
if (self.args.action.action_type !=
MemoryCollectorAction.Action.DOWNLOAD):
raise ValueError("Linux only supports downloading memory.")
plugin = rekall_types.PluginRequest(plugin="ewfacquire")
request = rekall_types.RekallRequest(plugins=[plugin])
self.CallFlow(
"AnalyzeClientMemory",
request=request,
max_file_size_download=self.action_options.max_file_size,
next_state="CheckAnalyzeClientMemory")
else:
self.CallFlow("LoadMemoryDriver",
driver_installer=self.args.driver_installer,
next_state="StoreMemoryInformation")
def setUpRequest(self):
self.binaryname = "svchost.exe"
self.args["request"].plugins = [
rdf_rekall_types.PluginRequest(plugin="dlllist",
args=dict(
proc_regex=self.binaryname,
method="PsActiveProcessHead"))
]
def RunRekallPlugin(self):
plugin = rekall_types.PluginRequest(plugin="aff4acquire")
plugin.args["destination"] = "GRR"
request = rekall_types.RekallRequest(plugins=[plugin])
# Note that this will actually also retrieve the memory image.
self.CallFlow(AnalyzeClientMemory.__name__,
request=request,
max_file_size_download=self.args.max_file_size,
next_state="CheckAnalyzeClientMemory")
def DisabledTestAllPlugins(self):
"""Tests that we can run a wide variety of plugins.
Some of those plugins are very expensive to run so this test is disabled by
default.
"""
plugins = [
"atoms", "atomscan", "build_index", "callbacks", "cc",
"cert_vad_scan", "certscan", "cmdscan", "consoles",
"convert_profile", "desktops", "devicetree", "dis", "dlldump",
"dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2",
"dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks",
"fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids",
"grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy",
"imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr",
"l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump",
"memmap", "messagehooks", "moddump", "modscan", "modules",
"mutantscan", "netscan", "netstat", "notebook", "null",
"object_tree", "object_types", "p", "parse_pdb", "pas2vas",
"pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools",
"printkey", "procdump", "procinfo", "pslist", "psscan", "pstree",
"psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal",
"sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan",
"threads", "timers", "tokens", "unloaded_modules", "userassist",
"userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree",
"vadwalk", "version_modules", "version_scan", "vmscan", "vtop",
"windows_stations"
]
output_urn = self.client_id.Add("analysis/memory")
failed_plugins = []
for plugin in plugins:
logging.info("Running plugin: %s", plugin)
try:
aff4.FACTORY.Delete(output_urn, token=self.token)
request = rdf_rekall_types.RekallRequest()
request.plugins = [
rdf_rekall_types.PluginRequest(plugin=plugin)
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(output_urn, token=self.token)
# Try to render the result.
fd.RenderAsText()
except Exception: # pylint: disable=broad-except
failed_plugins.append(plugin)
logging.error("Plugin %s failed.", plugin)
if failed_plugins:
self.fail("Some plugins failed: %s" % failed_plugins)
def setUpRequest(self):
# This is a signature for the tcpip.sys driver on Windows 7. If you are
# running a different version, a hit is not guaranteed.
sig_path = os.path.join(config_lib.CONFIG["Test.end_to_end_data_dir"],
"tcpip.sig")
signature = open(sig_path, "rb").read().strip()
args = {"scan_kernel": True, "signature": [signature]}
self.args["request"].plugins = [
rdf_rekall_types.PluginRequest(plugin="sigscan", args=args)
]
def testFileOutput(self):
"""Tests that a file can be written by a plugin and retrieved."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Run procdump to create one file.
rdf_rekall_types.PluginRequest(plugin="procdump",
args=dict(pids=[2860]))
]
with test_lib.Instrument(transfer.MultiGetFile,
"StoreStat") as storestat_instrument:
self.LaunchRekallPlugin(request)
# Expect one file to be downloaded.
self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, source):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin=source.attributes["plugin"],
args=source.attributes.get("args", {}))]
self.CallFlow(
"AnalyzeClientMemory", request=request,
request_data={"artifact_name": self.current_artifact_name,
"rekall_plugin": source.attributes["plugin"],
"source": source.ToPrimitiveDict()},
next_state="ProcessCollected"
)
def testParameters(self):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="pslist",
args=dict(pids=[4, 2860], method="PsActiveProcessHead")),
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(
plugin="dlllist",
args=dict(proc_regex="dumpit", method="PsActiveProcessHead")),
]
session_id = self.LaunchRekallPlugin(request)
# Get the result collection.
fd = flow.GRRFlow.ResultCollectionForFID(session_id)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"]:
self.assertTrue(knownresult in json_blobs)
def testParameters(self):
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(plugin="pslist",
args=dict(
pid=[4, 2860],
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdf_rekall_types.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdf_rekall_types.PluginRequest(plugin="dlllist",
args=dict(
proc_regex="dumpit",
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in [
"DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"
]:
self.assertTrue(knownresult in json_blobs)
def setUpRequest(self):
self.args["request"].plugins = [
rdf_rekall_types.PluginRequest(plugin="pslist")
]
def setUpRequest(self):
self.args["request"].plugins = [
rdf_rekall_types.PluginRequest(plugin="pslist",
args=dict(abcdefg=12345))]
def setUpRequest(self):
self.args["request"].plugins = [
rdf_rekall_types.PluginRequest(plugin="pslist")]
self.args["request"].session["logging_level"] = "DEBUG"