def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdfvalue.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
json_blobs = []
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
json_blobs.append(x.json_messages)
json_blobs = "".join(json_blobs)
for knownresult in ["DumpIt.exe", "DumpIt.sys"]:
self.assertTrue(knownresult in json_blobs)
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="dlllist", args=dict(
proc_regex="dumpit",
method="PsActiveProcessHead"
)),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Get the result but drop the column headers.
result = [x for x in fd.RenderAsText().splitlines() if x.startswith("0x")]
# There should be 5 results back.
self.assertEqual(len(result), 5)
for item, line in zip(
["DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"],
sorted(result)):
self.assertTrue(item in line)
def DisabledTestAllPlugins(self):
"""Tests that we can run a wide variety of plugins.
Some of those plugins are very expensive to run so this test is disabled by
default.
"""
plugins = [
"atoms", "atomscan", "build_index", "callbacks", "cc",
"cert_vad_scan", "certscan", "cmdscan", "consoles",
"convert_profile", "desktops", "devicetree", "dis", "dlldump",
"dlllist", "driverirp", "driverscan", "dt", "dtbscan", "dtbscan2",
"dump", "dwarfparser", "eifconfig", "enetstat", "eventhooks",
"fetch_pdb", "filescan", "find_dtb", "gahti", "getservicesids",
"grep", "guess_guid", "handles", "hivedump", "hives", "imagecopy",
"imageinfo", "impscan", "info", "json_render", "kdbgscan", "kpcr",
"l", "ldrmodules", "load_as", "load_plugin", "malfind", "memdump",
"memmap", "messagehooks", "moddump", "modscan", "modules",
"mutantscan", "netscan", "netstat", "notebook", "null",
"object_tree", "object_types", "p", "parse_pdb", "pas2vas",
"pedump", "peinfo", "pfn", "phys_map", "pool_tracker", "pools",
"printkey", "procdump", "procinfo", "pslist", "psscan", "pstree",
"psxview", "pte", "ptov", "raw2dmp", "regdump", "rekal",
"sessions", "ssdt", "svcscan", "symlinkscan", "thrdscan",
"threads", "timers", "tokens", "unloaded_modules", "userassist",
"userhandles", "users", "vad", "vaddump", "vadinfo", "vadtree",
"vadwalk", "version_modules", "version_scan", "vmscan", "vtop",
"windows_stations"
]
output_urn = self.client_id.Add("analysis/memory")
failed_plugins = []
for plugin in plugins:
logging.info("Running plugin: %s", plugin)
try:
aff4.FACTORY.Delete(output_urn, token=self.token)
request = rdfvalue.RekallRequest()
request.plugins = [rdfvalue.PluginRequest(plugin=plugin)]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(output_urn, token=self.token)
# Try to render the result.
fd.RenderAsText()
except Exception: # pylint: disable=broad-except
failed_plugins.append(plugin)
logging.error("Plugin %s failed.", plugin)
if failed_plugins:
self.fail("Some plugins failed: %s" % failed_plugins)
def testFileOutput(self):
"""Tests that a file can be written by a plugin and retrieved."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Run procdump to create one file.
rdfvalue.PluginRequest(plugin="procdump", args=dict(pid=2860))
]
with test_lib.Instrument(transfer.MultiGetFile,
"StoreStat") as storestat_instrument:
self.LaunchRekallPlugin(request)
# Expect one file to be downloaded.
self.assertEqual(storestat_instrument.call_count, 1)
def setUp(self):
super(TestRekallViewer, self).setUp()
self.UninstallACLChecks()
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist",
args=dict(method=["PsActiveProcessHead", "CSRSS"])),
rdfvalue.PluginRequest(plugin="modules")
]
self.LaunchRekallPlugin(request)
def RekallPlugin(self, collector):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin=collector.args["plugin"],
args=collector.args.get("args", {}))]
self.CallFlow(
"AnalyzeClientMemory", request=request,
request_data={"artifact_name": self.current_artifact_name,
"rekall_plugin": collector.args["plugin"],
"collector": collector.ToPrimitiveDict()},
next_state="ProcessCollected"
)
class AbstractTestAnalyzeClientMemoryWindows(base.AutomatedTest):
"""Test AnalyzeClientMemory (Rekall).
We use the rekall caching profile server for these tests, since we may not
have direct internet access. It may be necessary to manually populate the
cache with lib.rekall_profile_server.GRRRekallProfileServer.GetMissingProfiles
on the console to make these tests pass.
"""
platforms = ["Windows"]
flow = "AnalyzeClientMemory"
test_output_path = "analysis/memory"
args = {"request": rdfvalue.RekallRequest(), "output": test_output_path}
def setUpRequest(self):
raise NotImplementedError("Implemented by subclasses")
def setUp(self):
self.setUpRequest()
self.old_config = config_lib.CONFIG.Get("Rekall.profile_server")
if "Test Context" in config_lib.CONFIG.context:
# We're running in a test context, where the rekall repository server is
# set to TestRekallRepositoryProfileServer, which won't actually work for
# an end to end test. We change it temporarily to allow the test to pass.
config_lib.CONFIG.Set("Rekall.profile_server",
"GRRRekallProfileServer")
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
super(AbstractTestAnalyzeClientMemoryWindows, self).setUp()
def tearDown(self):
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
config_lib.CONFIG.Set("Rekall.profile_server", self.old_config)
super(AbstractTestAnalyzeClientMemoryWindows, self).tearDown()
def CheckFlow(self):
self.response = aff4.FACTORY.Open(self.client_id.Add(
self.test_output_path),
token=self.token)
self.assertIsInstance(self.response, aff4.RDFValueCollection)
self.assertTrue(len(self.response) >= 1)
def testRekallModules(self):
"""Tests the end to end Rekall memory analysis."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist", args=dict(
method=["PsActiveProcessHead", "CSRSS"]
)),
rdfvalue.PluginRequest(plugin="modules")]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
# Ensure that the client_id is set on each message. This helps us demux
# messages from different clients, when analyzing the collection from a
# hunt.
for x in fd:
self.assertEqual(x.client_urn, self.client_id)
# The output is merged and separated by ***.
module_output = re.split("^[*]{5}.+$", fd.RenderAsText(), flags=re.M)
# First output pslist.
output = module_output[1].strip()
# 34 processes and headers.
self.assertEqual(len(output.splitlines()), 34)
# And should include the DumpIt binary.
self.assertTrue("DumpIt.exe" in output)
# Next output modules plugin.
output = module_output[2].strip()
# 105 modules and headers.
self.assertEqual(len(output.splitlines()), 105)
# And should include the DumpIt kernel driver.
self.assertTrue("DumpIt.sys" in output)
def testParameters(self):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(plugin="pslist",
args=dict(pid=[4, 2860],
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in ["System", "DumpIt.exe"]:
self.assertTrue(knownresult in json_blobs)
def testNestedProtobufAssignment(self):
"""Check that we can assign a nested protobuf."""
container = rdfvalue.RekallRequest()
pathspec = rdfvalue.PathSpec(path=r"\\.\pmem", pathtype=1)
# Should raise - incompatible RDFType.
self.assertRaises(type_info.TypeValueError, setattr, container,
"device", rdfvalue.RDFString("hello"))
# Should raise - incompatible RDFProto type.
self.assertRaises(type_info.TypeValueError, setattr, container,
"device", rdfvalue.StatEntry(st_size=5))
# Assign directly.
container.device = pathspec
self.assertEqual(container.device.path, r"\\.\pmem")
# Clear the field.
container.device = None
# Check the protobuf does not have the field set at all.
self.assertFalse(container.HasField("device"))
def testDLLList(self):
"""Tests that we can run a simple DLLList Action."""
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(plugin="dlllist",
args=dict(proc_regex="dumpit",
method="PsActiveProcessHead")),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
json_blobs = [x.json_messages for x in fd]
json_blobs = "".join(json_blobs)
for knownresult in [
"DumpIt", "wow64win", "wow64", "wow64cpu", "ntdll"
]:
self.assertTrue(knownresult in json_blobs)
def testParameters(self):
request = rdfvalue.RekallRequest()
request.plugins = [
# Only use these methods for listing processes.
rdfvalue.PluginRequest(
plugin="pslist", args=dict(
pid=[4, 2860],
method="PsActiveProcessHead"
)),
]
self.LaunchRekallPlugin(request)
# Get the result collection - it should be a RekallResponseCollection.
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory"),
token=self.token)
result = fd.RenderAsText().splitlines()[4:] # Drop the column headers.
# There should be 2 results back.
self.assertEqual(len(result), 2)
self.assertTrue("System" in result[0])
self.assertTrue("DumpIt.exe" in result[1])
class TestAnalyzeClientMemory(base.AutomatedTest):
"""Test AnalyzeClientMemory (Rekall)."""
platforms = ["Windows"]
flow = "AnalyzeClientMemory"
test_output_path = "analysis/memory"
args = {"request": rdfvalue.RekallRequest(),
"output": test_output_path}
def setUp(self):
# We are running a test but we want to use the real profile server.
config_lib.CONFIG.Set("Rekall.profile_server", "GRRRekallProfileServer")
self.setUpRequest()
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
super(TestAnalyzeClientMemory, self).setUp()
def setUpRequest(self):
windows_binary_name = config_lib.CONFIG.Get(
"Client.binary_name", context=["Client context", "Platform:Windows"])
self.args["request"].plugins = [
rdfvalue.PluginRequest(plugin="pslist"),
rdfvalue.PluginRequest(plugin="dlllist",
args=dict(
proc_regex=windows_binary_name,
method="PsActiveProcessHead"
)),
rdfvalue.PluginRequest(plugin="modules"),
]
def tearDown(self):
# RDFValueCollections need to be deleted recursively.
aff4.FACTORY.Delete(self.client_id.Add(self.test_output_path),
token=self.token)
super(TestAnalyzeClientMemory, self).tearDown()
def CheckFlow(self):
response = aff4.FACTORY.Open(self.client_id.Add(self.test_output_path),
token=self.token)
self.assertIsInstance(response, aff4.RDFValueCollection)
self.assertTrue(len(response) >= 1)
result_str = unicode(response)
for plugin in ["pslist", "dlllist", "modules"]:
self.assertTrue("Plugin %s" % plugin in result_str)
# Split into results per plugin, strip the first half line.
parts = result_str.split("********* Plugin ")[1:]
self.assertEqual(len(parts), 3)
# Make sure the dlllist found our process by regex:
expected_name = self.GetGRRBinaryName()
self.assertTrue("%s" % expected_name in parts[1])
for part in parts:
# There should be some result per plugin.
self.assertTrue(len(part.split("\n")) > 10)
