def RekallAction(self, request): self.rekall_request = request # Pretend Rekall returned the memory file. return [ rdf_rekall_types.RekallResponse(json_messages=""" [["file",{"path": "%s", "pathtype": "TMPFILE"}]] """ % self.memory_file, plugin="aff4acquire") ]
def RekallAction(self, _): # Generate this file with: # rekal --output data -f win7_trial_64bit.raw \ # pslist | gzip - > rekall_pslist_result.dat.gz ps_list_file = os.path.join(config.CONFIG["Test.data_dir"], self.result_filename) result = rdf_rekall_types.RekallResponse( json_messages=gzip.open(ps_list_file).read(), plugin="pslist", client_urn=self.client_id) return [result]
def DeleteFiles(self, responses): # Check that the MultiGetFile flow worked. if not responses.success: raise flow.FlowError("Could not get files: %s" % responses.status) for output_file in self.state.output_files: self.CallClient(server_stubs.DeleteGRRTempFiles, output_file, next_state="LogDeleteFiles") # Let calling flows know where files ended up in AFF4 space. self.SendReply( rdf_rekall_types.RekallResponse(downloaded_files=[ x.AFF4Path(self.client_urn) for x in responses ]))
def testBasicParsing(self): ps_list_file = os.path.join(config.CONFIG["Test.data_dir"], "rekall_vad_result.dat.gz") result = rdf_rekall_types.RekallResponse( json_messages=gzip.open(ps_list_file, "rb").read(), plugin="pslist") knowledge_base = rdf_client.KnowledgeBase() knowledge_base.environ_systemdrive = "C:" parser = rekall_artifact_parser.RekallVADParser() parsed_pathspecs = list(parser.Parse(result, knowledge_base)) paths = [p.path for p in parsed_pathspecs] self.assertIn(u"C:\\Windows\\System32\\spoolsv.exe", paths)
def write_data_stream(self): """Prepares a RekallResponse and send to the server.""" if self.data: response_msg = rdf_rekall_types.RekallResponse( json_messages=self.robust_encoder.encode(self.data), json_context_messages=self.robust_encoder.encode( list(iteritems(self.context_messages))), plugin=self.plugin) self.context_messages = self.new_context_messages self.new_context_messages = {} # Queue the response to the server. self.action.SendReply(response_msg)
def RekallAction(self, _): ps_list_file = os.path.join(config.CONFIG["Test.data_dir"], "rekall_vad_result.dat.gz") response = rdf_rekall_types.RekallResponse( json_messages=gzip.open(ps_list_file, "rb").read(), plugin="pslist") # If we are given process names here we need to craft a Rekall result # containing them. This is so they point to valid files in the fixture. if self.process_list: json_data = json.loads(response.json_messages) template = json_data[7] if template[1]["filename"] != ur"\Windows\System32\ntdll.dll": raise RuntimeError("Test data invalid.") json_data = [] for process in self.process_list: new_entry = copy.deepcopy(template) new_entry[1]["filename"] = process json_data.append(new_entry) response.json_messages = json.dumps(json_data) return [response]