def testRekallVadArtifact(self):
"""Check we can run Rekall based artifacts."""
test_lib.WriteComponent(
token=self.token,
version=memory.AnalyzeClientMemoryArgs().component_version)
# The client should now be populated with the data we care about.
with aff4.FACTORY.Open(self.client_id, mode="rw",
token=self.token) as fd:
fd.Set(
fd.Schema.KNOWLEDGE_BASE(os="Windows",
environ_systemdrive=r"c:"))
fd = self.RunCollectorAndGetCollection(["FullVADBinaryList"],
RekallMock(
self.client_id,
"rekall_vad_result.dat.gz"))
self.assertEqual(len(fd), 1705)
self.assertEqual(fd[0].path, u"c:\\Windows\\System32\\ntdll.dll")
for x in fd:
self.assertEqual(x.pathtype, "OS")
extension = x.path.lower().split(".")[-1]
self.assertIn(extension,
["exe", "dll", "pyd", "drv", "mui", "cpl"])
def setUp(self):
super(RekallTestSuite, self).setUp()
self.client_id = self.SetupClients(1)[0]
test_lib.WriteComponent(
token=self.token,
version=memory.AnalyzeClientMemoryArgs().component_version)
self.get_rekall_profile_stubber = utils.Stubber(
comms.GRRClientWorker, "GetRekallProfile", self.GetRekallProfile)
self.get_rekall_profile_stubber.Start()
def testRekallPsListArtifact(self):
"""Check we can run Rekall based artifacts."""
test_lib.WriteComponent(
token=self.token,
version=memory.AnalyzeClientMemoryArgs().component_version)
fd = self.RunCollectorAndGetCollection(["RekallPsList"], RekallMock(
self.client_id, "rekall_pslist_result.dat.gz"))
self.assertEqual(len(fd), 35)
self.assertEqual(fd[0].exe, "System")
self.assertEqual(fd[0].pid, 4)
self.assertIn("DumpIt.exe", [x.exe for x in fd])
def setUp(self):
super(MemoryTest, self).setUp()
test_lib.WriteComponent(
token=self.token,
version=memory.AnalyzeClientMemoryArgs().component_version)
def setUp(self):
super(RekallTestSuite, self).setUp()
self.client_id = self.SetupClients(1)[0]
test_lib.WriteComponent(
token=self.token,
version=memory.AnalyzeClientMemoryArgs().component_version)
