def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdfvalue.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
json_blobs = []
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
json_blobs.append(x.json_messages)
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
self.assertTrue(knownresult in json_blobs)
def setUpRequest(self):
windows_binary_name = config_lib.CONFIG.Get(
"Client.binary_name", context=["Client context", "Platform:Windows"])
self.args["request"].plugins = [
rdfvalue.PluginRequest(plugin="pslist"),
rdfvalue.PluginRequest(plugin="dlllist",
args=dict(
proc_regex=windows_binary_name,
method="PsActiveProcessHead"
)),
rdfvalue.PluginRequest(plugin="modules"),
]
def setUp(self):
super(TestRekallViewer, self).setUp()
self.UninstallACLChecks()
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdfvalue.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="dlllist", args=dict(
proc_regex="dumpit",
method="PsActiveProcessHead"
)),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Get the result but drop the column headers.
result = [x for x in fd.RenderAsText().splitlines() if x.startswith("0x")]
# There should be 5 results back.
self.assertEqual(len(result), 5)
for item, line in zip(
["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"],
sorted(result)):
self.assertTrue(item in line)
def setUpRequest(self):
self.binaryname = "svchost.exe"
self.args["request"].plugins = [
rdfvalue.PluginRequest(plugin="dlllist",
args=dict(proc_regex=self.binaryname,
method="PsActiveProcessHead"))
]
def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist", args=dict(
method=["PsActiveProcessHead", "CSRSS"]
)),
rdfvalue.PluginRequest(plugin="modules")]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
# The output is merged and separated by ***.
module_output = re.split("^[*]{5}.+$", fd.RenderAsText(), flags=re.M)
# First output pslist.
output = module_output[1].strip()
# 34 processes and headers.
self.assertEqual(len(output.splitlines()), 34)
# And should include the DumpIt binary.
self.assertTrue("DumpIt.exe" in output)
# Next output modules plugin.
output = module_output[2].strip()
# 105 modules and headers.
self.assertEqual(len(output.splitlines()), 105)
# And should include the DumpIt kernel driver.
self.assertTrue("DumpIt.sys" in output)
def DisabledTestAllPlugins(self):
"""Tests that we can run a wide variety of plugins.
Some of those plugins are very expensive to run so this test is disabled by
default.
"""
plugins = [
"atoms", "atomscan", "build_index", "callbacks", "cc",
"cert_vad_scan", "certscan", "cmdscan", "consoles",
"convert_profile", "desktops", "devicetree", "dis", "dlldump",
"dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2",
"dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks",
"fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids",
"grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy",
"imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr",
"l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump",
"memmap", "messagehooks", "moddump", "modscan", "modules",
"mutantscan", "netscan", "netstat", "notebook", "null",
"object_tree", "object_types", "p", "parse_pdb", "pas2vas",
"pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools",
"printkey", "procdump", "procinfo", "pslist", "psscan", "pstree",
"psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal",
"sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan",
"threads", "timers", "tokens", "unloaded_modules", "userassist",
"userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree",
"vadwalk", "version_modules", "version_scan", "vmscan", "vtop",
"windows_stations"
]
output_urn = self.client_id.Add("analysis/memory")
failed_plugins = []
for plugin in plugins:
logging.info("Running plugin: %s", plugin)
try:
aff4.FACTORY.Delete(output_urn, token=self.token)
request = rdfvalue.RekallRequest()
request.plugins = [rdfvalue.PluginRequest(plugin=plugin)]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(output_urn, token=self.token)
# Try to render the result.
fd.RenderAsText()
except Exception: # pylint: disable=broad-except
failed_plugins.append(plugin)
logging.error("Plugin %s failed.", plugin)
if failed_plugins:
self.fail("Some plugins failed: %s" % failed_plugins)
def testFileOutput(self):
"""Tests that a file can be written by a plugin and retrieved."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Run procdump to create one file.
rdfvalue.PluginRequest(plugin="procdump", args=dict(pid=2860))
]
with test_lib.Instrument(transfer.MultiGetFile,
"StoreStat") as storestat_instrument:
self.LaunchRekallPlugin(request)
# Expect one file to be downloaded.
self.assertEqual(storestat_instrument.call_count, 1)
def RekallPlugin(self, collector):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin=collector.args["plugin"],
args=collector.args.get("args", {}))]
self.CallFlow(
"AnalyzeClientMemory", request=request,
request_data={"artifact_name": self.current_artifact_name,
"rekall_plugin": collector.args["plugin"],
"collector": collector.ToPrimitiveDict()},
next_state="ProcessCollected"
)
def testParameters(self):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(plugin="pslist",
args=dict(pid=[4, 2860],
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(plugin="dlllist",
args=dict(proc_regex="dumpit",
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in [
"DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"
]:
self.assertTrue(knownresult in json_blobs)
def testParameters(self):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist", args=dict(
pid=[4, 2860],
method="PsActiveProcessHead"
)),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
result = fd.RenderAsText().splitlines()[4:] # Drop the column headers.
# There should be 2 results back.
self.assertEqual(len(result), 2)
self.assertTrue("System" in result[0])
self.assertTrue("DumpIt.exe" in result[1])
def setUpRequest(self):
self.args["request"].plugins = [
rdfvalue.PluginRequest(plugin="modules")
]
def setUpRequest(self):
self.args["request"].plugins = [
rdfvalue.PluginRequest(plugin="pslist")
]
