
Source Code for Module rekall.plugins.tools.profile_tool_test

  1  """Tests for profile_tool.""" 
  2   
  3  import logging 
  4  import unittest 
  5   
  6  from rekall import session 
  7  from rekall import testlib 
  8  from rekall.plugins.tools import profile_tool 
  9   
 10   
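class BuildIndexTester(profile_tool.BuildIndex):
    """BuildIndex test double that serves profiles from an in-memory dict.

    Both hooks below answer from ``self.profiles`` instead of doing whatever
    the parent plugin does, so the tests can feed small hand-written symbol
    tables to the index-building code.
    """

    def __init__(self, profiles=None, **kwargs):
        """Remember the canned profiles.

        Args:
          profiles: dict mapping a profile id to its raw profile dict.
          **kwargs: forwarded unchanged to profile_tool.BuildIndex.
        """
        super(BuildIndexTester, self).__init__(**kwargs)
        self.profiles = profiles

    def _LoadRawProfile(self, filepath):
        """Return the canned profile whose id is derived from filepath.

        The id comes from the inherited _ProfileIdFromPath helper (not shown
        in this file).

        Raises:
          KeyError: if the derived id is not a key of self.profiles.
        """
        # The lookup result used to be discarded, so this override always
        # handed None back to its caller.
        # NOTE(review): confirm the parent's _LoadRawProfile is expected to
        # return the loaded profile.
        return self.profiles[self._ProfileIdFromPath(filepath)]

    def _FindNewProfiles(self, *args, **kwargs):
        """Return every canned profile, ignoring all arguments."""
        return self.profiles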
class BuildSymbolOffsetIndexTest(testlib.RekallBaseUnitTestCase):
    """Checks how the index builder picks traits that single out a profile.

    A trait is a list of (symbol, offset) pairs. The fixture contains
    near-identical profiles on purpose: a trait that also matches a
    neighbouring profile cannot be used to tell the two apart.
    """

    def setUp(self):
        """Build the fixture profiles, the plugin under test and symbols_dict."""

        def with_constants(symbols):
            # Every fixture profile consists of a "$CONSTANTS" section only.
            return {"$CONSTANTS": symbols}

        # The profiles to index. Together they cover every edge case seen
        # "in the wild" so far.
        self.raw_profiles = {
            # P1: once duplicates are removed its only single-symbol trait
            # is c:3.
            "P1": with_constants({"a": 1, "b": 2, "c": 3}),

            # P1-DUPLICATE: an exact copy of P1. Checks that a new profile
            # which duplicates another new profile is detected and dropped.
            "P1-DUPLICATE": with_constants({"a": 1, "b": 2, "c": 3}),

            # P1-1: a newer P1, like the usual minor kernel version bump
            # where a few symbols move. Single-symbol trait = c:4.
            "P1-1": with_constants({"a": 1, "b": 2, "c": 4}),

            # P1-2: a slightly newer P1 that is virtually the same, except
            # for an artifact: a static function that GCC chunked and whose
            # symbol became public ("d.part.3").
            #
            # Real-world example:
            #  * Ubuntu precise 3.19.0-21-generic
            #  * Ubuntu precise 3.19.0-22-generic
            #
            # P1-2 should be considered a duplicate of P1.
            "P1-2": with_constants({"a": 1, "b": 2, "c": 3, "d.part.3": 4}),

            # P3: a completely different profile.
            # Single-symbol traits = b:3, c:5, d:6.
            "P3": with_constants({"b": 3, "c": 5, "d": 6}),

            # The DOPPLE family: profiles that collectively clash with one
            # other profile. DOPPLE-1 and DOPPLE-2 leave DOPPLE without any
            # single-symbol trait, which forces traits built from a pair of
            # symbols.
            #
            # Real-world example:
            #  * Ubuntu precise 3.2.0-72-generic
            #  * Ubuntu precise 3.2.0-73-generic
            #  * Ubuntu precise 3.2.0-74-generic

            # Single-symbol traits = d:9.
            "DOPPLE-1": with_constants({"b": 7, "c": 8, "d": 9}),

            # The clashing profile. Double-symbol trait = (b:7, d:10).
            "DOPPLE": with_constants({"b": 7, "c": 8, "d": 10}),

            # Single-symbol traits = b:1.
            "DOPPLE-2": with_constants({"b": 1, "c": 8, "d": 10}),
        }

        self.build_index = BuildIndexTester(
            profiles=self.raw_profiles,
            session=session.Session())

        # Maps each profile id to that profile's symbol table.
        self.symbols_dict = {
            profile_id: raw_profile.get("$CONSTANTS")
            for profile_id, raw_profile in self.raw_profiles.iteritems()
        }

    def testFindTraits(self):
        """_FindTraits returns only traits that are unique to the profile."""

        def sorted_traits(profile_id, profiles, trait_length):
            # Every query in this test asks for at most three traits.
            found = self.build_index._FindTraits(
                profile_id=profile_id,
                profiles=profiles,
                num_traits=3, trait_length=trait_length)
            return sorted(found)

        everything = self.symbols_dict

        # P3 shares no (symbol, offset) pair with any other profile.
        self.assertListEqual(
            sorted_traits("P3", everything, 1),
            [[("b", 3)], [("c", 5)], [("d", 6)]])

        # While its duplicates are in the set, P1 has no trait at all.
        self.assertListEqual(sorted_traits("P1", everything, 1), [])

        # With the duplicates taken out, the trait shows up.
        symbols_dict_nodups = everything.copy()
        for duplicate_id in ("P1-DUPLICATE", "P1-2"):
            symbols_dict_nodups.pop(duplicate_id)
        self.assertListEqual(
            sorted_traits("P1", symbols_dict_nodups, 1),
            [[("c", 3)]])

        # Some profiles simply have no single-symbol trait...
        self.assertListEqual(sorted_traits("DOPPLE", everything, 1), [])

        # ...but a two-symbol trait can still be found.
        self.assertListEqual(
            sorted_traits("DOPPLE", everything, 2),
            [[("b", 7), ("d", 10)]])

        # NOTE(review): listing line 189 is missing from this page. The two
        # checks below probably sat under their own test-method header;
        # restore it from the upstream file rather than guessing the name.
        matches = self.build_index._FindProfilesWithSymbolOffset(
            "b", 7, profiles=self.symbols_dict)
        self.assertEqual(matches, {"DOPPLE-1", "DOPPLE"})

        matches = self.build_index._FindProfilesWithSymbolOffset(
            "NONEXISTING", 12, profiles=self.symbols_dict)
        self.assertEqual(matches, set())
# Script entry point: switch on DEBUG logging, then hand over to unittest.
if __name__ == "__main__":
    logging.basicConfig(level=logging.DEBUG)
    unittest.main()