def testVolatilityModules(self):
"""Tests the end to end volatility memory analysis."""
image_path = os.path.join(self.base_path, "win7_trial_64bit.raw")
if not os.access(image_path, os.R_OK):
logging.warning(
"Unable to locate test memory image. Skipping test.")
return
self.CreateClient()
self.CreateSignedDriver()
class ClientMock(test_lib.MemoryClientMock):
"""A mock which returns the image as the driver path."""
def GetMemoryInformation(self, _):
"""Mock out the driver loading code to pass the memory image."""
reply = rdfvalue.MemoryInformation(device=rdfvalue.PathSpec(
path=image_path, pathtype=rdfvalue.PathSpec.PathType.OS))
reply.runs.Append(offset=0, length=1000000000)
return [reply]
request = rdfvalue.VolatilityRequest()
request.args["pslist"] = {}
request.args["modules"] = {}
# To speed up the test we provide these values. In real life these values
# will be provided by the kernel driver.
request.session = rdfvalue.Dict(dtb=0x187000, kdbg=0xF80002803070)
# Allow the real VolatilityAction to run against the image.
for _ in test_lib.TestFlowHelper("AnalyzeClientMemory",
ClientMock("VolatilityAction"),
token=self.token,
client_id=self.client_id,
request=request,
output="analysis/memory"):
pass
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory/pslist"),
token=self.token)
result = fd.Get(fd.Schema.RESULT)
# Pslist should have 32 rows.
self.assertEqual(len(result.sections[0].table.rows), 32)
# And should include the DumpIt binary.
self.assert_("DumpIt.exe" in str(result))
fd = aff4.FACTORY.Open(self.client_id.Add("analysis/memory/modules"),
token=self.token)
result = fd.Get(fd.Schema.RESULT)
# Modules should have 133 lines.
self.assertEqual(len(result.sections[0].table.rows), 133)
# And should include the DumpIt kernel driver.
self.assert_("DumpIt.sys" in str(result))
def VolatilityPlugin(self, collector):
"""Run a Volatility Plugin."""
request = rdfvalue.VolatilityRequest()
request.args[collector.args["plugin"]] = self.InterpolateDict(
collector.args.get("args", {}))
self.CallFlow("AnalyzeClientMemory",
request=request,
request_data={
"artifact_name": self.current_artifact_name,
"vol_plugin": collector.args["plugin"],
"collector": collector.ToPrimitiveDict()
},
next_state="ProcessCollected")
def SetupRequest(self, plugin):
# Only run this test if the image file is found.
image_path = os.path.join(self.base_path, "win7_trial_64bit.raw")
if not os.access(image_path, os.R_OK):
logging.warning(
"Unable to locate test memory image. Skipping test.")
return False
self.request = rdfvalue.VolatilityRequest(
device=rdfvalue.PathSpec(path=image_path,
pathtype=rdfvalue.PathSpec.PathType.OS),
# To speed up the test we provide these values. In real life these
# values will be provided by the kernel driver.
session=rdfvalue.Dict(dtb=0x187000, kdbg=0xF80002803070))
# In this test we explicitly do not set the profile to use so we can see if
# the profile autodetection works.
# Add the plugin to the request.
self.request.args[plugin] = None
return True
def testNestedProtobufAssignment(self):
"""Check that we can assign a nested protobuf."""
container = rdfvalue.VolatilityRequest()
pathspec = rdfvalue.PathSpec(path=r"\\.\pmem", pathtype=1)
# Should raise - incompatible RDFType.
self.assertRaises(type_info.TypeValueError, setattr, container,
"device", rdfvalue.RDFString("hello"))
# Should raise - incompatible RDFProto type.
self.assertRaises(type_info.TypeValueError, setattr, container,
"device", rdfvalue.StatEntry(st_size=5))
# Assign directly.
container.device = pathspec
self.assertEqual(container.device.path, r"\\.\pmem")
# Clear the field.
container.device = None
# Check the protobuf does not have the field set at all.
self.assertFalse(container.HasField("device"))
class TestAnalyzeClientMemory(ClientTestBase):
platforms = ["windows"]
flow = "AnalyzeClientMemory"
args = {
"request":
rdfvalue.VolatilityRequest(plugins=["pslist"], args={"pslist": {}}),
"output":
"analysis/pslist/testing"
}
def setUp(self):
super(TestAnalyzeClientMemory, self).setUp()
self.urn = self.client_id.Add(self.args["output"])
self.DeleteUrn(self.urn)
self.assertRaises(AssertionError, self.CheckFlow)
def CheckFlow(self):
response = aff4.FACTORY.Open(self.urn, token=self.token)
self.assertIsInstance(response, aff4.RDFValueCollection)
self.assertEqual(len(response), 1)
result = response[0]
self.assertEqual(result.error, "")
self.assertGreater(len(result.sections), 0)
rows = result.sections[0].table.rows
self.assertGreater(len(rows), 0)
expected_name = self.GetGRRBinaryName()
for values in rows:
for value in values.values:
if value.name == "ImageFileName":
if expected_name == value.svalue:
return
self.fail("Process listing does not contain %s." % expected_name)