
Source Code for Module rekall.plugins.response.osquery

  1  #!/usr/bin/env python2 
  2   
  3  # Rekall Memory Forensics 
  4  # Copyright 2016 Google Inc. All Rights Reserved. 
  5  # 
  6  # Author: Michael Cohen scudette@google.com 
  7  # 
  8  # This program is free software; you can redistribute it and/or modify 
  9  # it under the terms of the GNU General Public License as published by 
 10  # the Free Software Foundation; either version 2 of the License, or (at 
 11  # your option) any later version. 
 12  # 
 13  # This program is distributed in the hope that it will be useful, but 
 14  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 15  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 16  # General Public License for more details. 
 17  # 
 18  # You should have received a copy of the GNU General Public License 
 19  # along with this program; if not, write to the Free Software 
 20  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 21  # 
 22   
 23  __author__ = "Michael Cohen <scudette@google.com>" 
 24   
 25  """The OSQuery plugin can capture the result of osquery queries and store in 
 26  Rekall result collections. 
 27   
 28  Note that we do not actually process the query itself, we just relay 
 29  the query to osqueryi and then write its output in a collection to be 
 30  uploaded. We therefore need to have osqueryi installed somewhere on 
 31  the path. 
 32  """ 
 33  import json 
 34  import os 
 35  import platform 
 36  import subprocess 
 37   
 38  from distutils import spawn 
 39   
 40  from rekall import plugin 
 41  from rekall import resources 
 42  from rekall.plugins.response import common 
 43   
 44   
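class OSQuery(common.AbstractIRCommandPlugin):
    """Runs the OSQuery query and emit the results.

    Note that the columns emitted depend on osquery itself so we can
    not predict in advance the table format.
    """
    name = "osquery"

    __args = [
        dict(name="query", positional=True,
             help="The OSQuery query to run."),
        dict(name="osquery_path", default=None,
             help="The path to the osquery binary (default osqueryi)."),
    ]

    table_header = []

    def try_to_find_osquery(self):
        """Locate the osqueryi binary.

        Resolution order: the copy shipped in Rekall's resources, then
        (Windows only) the default osquery install location, then a
        search of PATH (non-Windows only). The bundled copy is tried
        first so that a PATH-resolved binary is only used as a last
        resort.

        Returns:
          The path to an osqueryi executable.

        Raises:
          IOError: the error from resources.get_resource, re-raised when
            none of the fallbacks yields a binary either. Previously a
            failed PATH search returned None, which only surfaced later
            as a TypeError inside subprocess.
        """
        extension = ".exe" if platform.system() == "Windows" else ""

        try:
            return resources.get_resource("osqueryi" + extension)
        except IOError as e:
            # Maybe it is installed on the system.
            if platform.system() == "Windows":
                result = r"c:\ProgramData\osquery\osqueryi.exe"
                if os.access(result, os.R_OK):
                    return result
            else:
                # Try to find it somewhere on the PATH. find_executable
                # returns None when nothing matches; treat that as
                # "not found" rather than handing None to subprocess.
                result = spawn.find_executable("osqueryi")
                if result:
                    return result

            raise e

    def render(self, renderer):
        """Run the query through osqueryi and render the returned rows.

        The query is validated before the binary is located so that a
        missing query fails fast with a PluginError instead of an
        IOError from the binary search.

        Raises:
          plugin.PluginError: no query was given.
          subprocess.CalledProcessError: osqueryi exited non-zero.
          ValueError: osqueryi's output was not valid JSON.
        """
        # Fail fast: no point locating the binary without a query.
        if not self.plugin_args.query:
            raise plugin.PluginError("Query must be provided")

        osquery_path = self.plugin_args.osquery_path
        if osquery_path == None:
            osquery_path = self.session.GetParameter("osquery_path")
        # NOTE(review): kept as `== None` rather than `is None` on purpose;
        # GetParameter may hand back a None-like sentinel that compares
        # equal to None without being None itself — confirm against
        # session.GetParameter before switching to an identity check.
        if osquery_path == None:
            osquery_path = self.try_to_find_osquery()

        self.session.logging.debug("Found OSQuery at %s" % osquery_path)
        # Argument-list form (no shell): the query text travels as a
        # single argv entry and is never interpreted by a shell.
        output = subprocess.check_output(
            [osquery_path, "--json", self.plugin_args.query])
        self.json_result = json.loads(output)

        if self.json_result:
            # The column set is whatever osquery returned for this query;
            # take the column names from the first row.
            first_row = self.json_result[0]
            self.table_header = [dict(name=x) for x in first_row]

        super(OSQuery, self).render(renderer)

    def collect(self):
        """Return the rows parsed by render().

        json_result is only assigned inside render(), so this is expected
        to be called after render() has run.
        """
        return self.json_result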
105