klezVirus · March 8, 2024 22:49 · Apr 25, 2018 · Apr 25, 2018 · Apr 25, 2018 · Apr 25, 2018
diff --git a/rekall-inspect-with-yara.sh b/rekall-inspect-with-yara.sh
@@ -1,3 +1,4 @@
+#!/bin/bash
 
 # Create a timestamp
 ts="$(date +%Y%m%d)"
@@ -138,23 +139,23 @@ rules_uri="https://github.com/Yara-Rules/rules/archive/master.zip"
 
 # Define a default set of available yara rules
 declare -a rules
-rules=( $(find / -xdev -type f -name "*.yar") )
+rules=( $(find / -type f -name "*.yar" 2>/dev/null) )
 
 # If ${#rules[@]} is 0
 if [ ${#rules[@]} -eq 0 ]; then
 
   echo "Attempting to download yara rules..."
 
   # Download the latest .zip archive from github.com
-  wget -k ${rules_uri} -O yara.rules.zip &>/dev/null
+  wget -k ${rules_uri} -O ${cwd}/yara.rules.zip &>/dev/null
 
   if [ -f yara.rules.zip ]; then
-    unzip -f yara.rules.zip ${cwd}/yara.rules 2>/dev/null
+    unzip yara.rules.zip ${cwd}/yara.rules 2>/dev/null
   fi
-fi
 
-# Try again
-rules=( $(find ${cwd}/yara.rules/ -xdev -type f -name "*.yar") )
+  # Try again if still empty
+  [ ${#rules[@]} -eq 0 ] && rules=( $(find ${cwd}/yara.rules/ -xdev -type f -name "*.yar") )
+fi
 
 # Bail if still not found
 if [ ${#rules[@]} -eq 0 ]; then
@@ -169,5 +170,5 @@ for rule in ${rules[@]}; do
   echo "Running ${rule}..."
 
   # Fire off a rekall memory analysis of ${rule} & log it for prosperity
-  rekall --live Memory --profile ${cwd}/$(uname -r).json yarascan --yara_file=${rule} &> ${ts}/${rule}.log
-done
+  rekall --live Memory --profile ${cwd}/$(uname -r).json yarascan --yara_file=${rule} &> ${ts}/$(basename ${rule}).log
+done
diff --git a/rekall-inspect-with-yara.sh b/rekall-inspect-with-yara.sh
@@ -0,0 +1,173 @@
+
+# Create a timestamp
+ts="$(date +%Y%m%d)"
+
+# Determine running directory
+cwd="$(pwd $(dirname $0))"
+
+# Define build_file
+build_file=
+
+
+# Define a default set of available plugins
+declare -a plugins
+plugins+=("address_resolver")
+plugins+=("arp")
+plugins+=("banner")
+plugins+=("bash")
+plugins+=("check_afinfo")
+plugins+=("check_creds")
+plugins+=("check_idt")
+plugins+=("check_modules")
+plugins+=("check_proc_fops")
+plugins+=("check_syscall")
+plugins+=("check_task_fops")
+plugins+=("check_ttys")
+plugins+=("cpuinfo")
+plugins+=("dmesg")
+plugins+=("dmp")
+plugins+=("find_dtb")
+plugins+=("heapdump")
+plugins+=("heapinfo")
+plugins+=("heapobjects")
+plugins+=("heaprefs")
+plugins+=("heapsearch")
+plugins+=("hostname")
+plugins+=("idx")
+plugins+=("ifconfig")
+plugins+=("iomem")
+plugins+=("keepassx")
+plugins+=("lsmod")
+plugins+=("lsmod")
+plugins+=("lsmod_parameters")
+plugins+=("lsmod_sections")
+plugins+=("lsof")
+plugins+=("maps")
+plugins+=("mcat")
+plugins+=("memdump")
+plugins+=("memmap")
+plugins+=("mfind")
+plugins+=("mls")
+plugins+=("moddump")
+plugins+=("mount")
+plugins+=("netstat")
+plugins+=("notifier_chains")
+plugins+=("pas2vas")
+plugins+=("pidhashtable")
+plugins+=("psaux")
+plugins+=("pslist")
+plugins+=("pstree")
+plugins+=("psxview")
+plugins+=("sigscan")
+plugins+=("vaddump")
+plugins+=("vadmap")
+plugins+=("vtop")
+plugins+=("yarascan")
+plugins+=("zsh")
+
+# Bail if plugins are not defined
+if [ ${#plugins[@]} -eq 0 ]; then
+  echo "Please define a set of plugins to operate on" && exit 1
+fi
+
+echo "Using ${#plugins[@]} plugins..."
+
+# Find the directory where we can build a profile
+builds=( $(find ${cwd} -type f -name "pmem.c" 2>/dev/null) )
+
+# Bail if nothing is found
+if [ ${#builds[@]} -eq 0 ]; then
+  echo "Could not find any rekall profile build directory" && exit 1
+fi
+
+
+# Iterate ${builds[@]}
+for build in ${builds[@]}; do
+
+  # If ${build_dir} is not null skip
+  [ "${build_file}" != "" ] && continue
+
+  # Strip pmem.c from ${build}
+  build="$(dirname ${build})"
+
+  echo "Testing ${build} for profile..."
+
+  # Change into ${build} and make the profile
+  cd ${build}
+
+  # Go ahead and build a profile
+  make profile &>/dev/null
+
+  # Test for $(uname -r).zip
+  if [ -f ${build}/$(uname -r).zip ]; then
+    build_file="${build}/$(uname -r).zip"
+  fi
+
+  # Change back to ${cwd}
+  cd ${cwd}
+done
+
+# If ${build_dir} not set bail
+if [ "${build_file}" == "" ]; then
+  echo "Unable to build profile for $(uname -r)" && exit 1
+fi
+
+
+# Export the profile to make things quick
+rekal convert_profile ${build_file} $(uname -r).json &> /dev/null
+
+# Test for $(uname -r).json or bail
+if [ ! -f $(uname -r).json ]; then
+  echo "Could not convert profile to JSON file" && exit 1
+fi
+
+echo "Built $(uname -r).json profile..."
+
+# Build a logging environment
+mkdir -p ${cwd}/${ts}
+
+# Go ahead and do some work robot
+for plugin in ${plugins[@]}; do
+  echo "Running ${plugin}..."
+  rekal --live Memory ${plugin} --profile ${cwd}/$(uname -r).json &> ${ts}/${plugin}.log
+done
+
+
+# Define the yara rules uri
+rules_uri="https://github.com/Yara-Rules/rules/archive/master.zip"
+
+# Define a default set of available yara rules
+declare -a rules
+rules=( $(find / -xdev -type f -name "*.yar") )
+
+# If ${#rules[@]} is 0
+if [ ${#rules[@]} -eq 0 ]; then
+
+  echo "Attempting to download yara rules..."
+
+  # Download the latest .zip archive from github.com
+  wget -k ${rules_uri} -O yara.rules.zip &>/dev/null
+
+  if [ -f yara.rules.zip ]; then
+    unzip -f yara.rules.zip ${cwd}/yara.rules 2>/dev/null
+  fi
+fi
+
+# Try again
+rules=( $(find ${cwd}/yara.rules/ -xdev -type f -name "*.yar") )
+
+# Bail if still not found
+if [ ${#rules[@]} -eq 0 ]; then
+  echo "Unable to locate any yara rules..." && exit 1
+fi
+
+echo "Using ${#rules[@]}..."
+
+# Iterate ${rules[@]}
+for rule in ${rules[@]}; do
+
+  echo "Running ${rule}..."
+
+  # Fire off a rekall memory analysis of ${rule} & log it for prosperity
+  rekall --live Memory --profile ${cwd}/$(uname -r).json yarascan --yara_file=${rule} &> ${ts}/${rule}.log
+done
diff --git a/rekall-inspect.sh b/rekall-inspect.sh
@@ -129,5 +129,6 @@ mkdir -p ${cwd}/${ts}
 
 # Go ahead and do some work robot
 for plugin in ${plugins[@]}; do
+  echo "Running ${plugin}..."
   rekal --live Memory ${plugin} --profile ${cwd}/$(uname -r).json &> ${ts}/${plugin}.log
 done
diff --git a/rekall-inspect.sh b/rekall-inspect.sh
@@ -1,5 +1,16 @@
-#!/bin/bash
+#!/bin/bash 
 
+# Create a timestamp
+ts="$(date +%Y%m%d)"
+
+# Determine running directory
+cwd="$(pwd $(dirname $0))"
+
+# Define build_file
+build_file=
+
+
+# Define a default set of available plugins
 declare -a plugins
 plugins+=("address_resolver")
 plugins+=("arp")
@@ -55,10 +66,68 @@ plugins+=("vtop")
 plugins+=("yarascan")
 plugins+=("zsh")
 
+# Bail if plugins are not defined
 if [ ${#plugins[@]} -eq 0 ]; then
   echo "Please define a set of plugins to operate on" && exit 1
 fi
 
-for plugin in ${plugins[@]}; do
-  rekal --live Memory ${plugin} &> ${plugin}.log
+echo "Using ${#plugins[@]} plugins..."
+
+# Find the directory where we can build a profile
+builds=( $(find ${cwd} -type f -name "pmem.c" 2>/dev/null) )
+
+# Bail if nothing is found
+if [ ${#builds[@]} -eq 0 ]; then
+  echo "Could not find any rekall profile build directory" && exit 1
+fi
+
+
+# Iterate ${builds[@]}
+for build in ${builds[@]}; do
+
+  # If ${build_dir} is not null skip
+  [ "${build_file}" != "" ] && continue
+
+  # Strip pmem.c from ${build}
+  build="$(dirname ${build})"
+
+  echo "Testing ${build} for profile..."
+
+  # Change into ${build} and make the profile
+  cd ${build}
+
+  # Go ahead and build a profile
+  make profile &>/dev/null
+
+  # Test for $(uname -r).zip
+  if [ -f ${build}/$(uname -r).zip ]; then
+    build_file="${build}/$(uname -r).zip"
+  fi
+
+  # Change back to ${cwd}
+  cd ${cwd}
 done
+
+# If ${build_dir} not set bail
+if [ "${build_file}" == "" ]; then
+  echo "Unable to build profile for $(uname -r)" && exit 1
+fi
+
+
+# Export the profile to make things quick
+rekal convert_profile ${build_file} $(uname -r).json &> /dev/null
+
+# Test for $(uname -r).json or bail
+if [ ! -f $(uname -r).json ]; then
+  echo "Could not convert profile to JSON file" && exit 1
+fi
+
+echo "Built $(uname -r).json profile..."
+
+# Build a logging environment
+mkdir -p ${cwd}/${ts}
+
+# Go ahead and do some work robot
+for plugin in ${plugins[@]}; do
+  rekal --live Memory ${plugin} --profile ${cwd}/$(uname -r).json &> ${ts}/${plugin}.log
+done
diff --git a/rekall-inspect.sh b/rekall-inspect.sh
@@ -60,5 +60,5 @@ if [ ${#plugins[@]} -eq 0 ]; then
 fi
 
 for plugin in ${plugins[@]}; do
-  python rekal --live Memory ${plugin} &> ${plugin}.log
+  rekal --live Memory ${plugin} &> ${plugin}.log
 done
diff --git a/rekall-inspect.sh b/rekall-inspect.sh
@@ -0,0 +1,64 @@
+#!/bin/bash
+
+declare -a plugins
+plugins+=("address_resolver")
+plugins+=("arp")
+plugins+=("banner")
+plugins+=("bash")
+plugins+=("check_afinfo")
+plugins+=("check_creds")
+plugins+=("check_idt")
+plugins+=("check_modules")
+plugins+=("check_proc_fops")
+plugins+=("check_syscall")
+plugins+=("check_task_fops")
+plugins+=("check_ttys")
+plugins+=("cpuinfo")
+plugins+=("dmesg")
+plugins+=("dmp")
+plugins+=("find_dtb")
+plugins+=("heapdump")
+plugins+=("heapinfo")
+plugins+=("heapobjects")
+plugins+=("heaprefs")
+plugins+=("heapsearch")
+plugins+=("hostname")
+plugins+=("idx")
+plugins+=("ifconfig")
+plugins+=("iomem")
+plugins+=("keepassx")
+plugins+=("lsmod")
+plugins+=("lsmod")
+plugins+=("lsmod_parameters")
+plugins+=("lsmod_sections")
+plugins+=("lsof")
+plugins+=("maps")
+plugins+=("mcat")
+plugins+=("memdump")
+plugins+=("memmap")
+plugins+=("mfind")
+plugins+=("mls")
+plugins+=("moddump")
+plugins+=("mount")
+plugins+=("netstat")
+plugins+=("notifier_chains")
+plugins+=("pas2vas")
+plugins+=("pidhashtable")
+plugins+=("psaux")
+plugins+=("pslist")
+plugins+=("pstree")
+plugins+=("psxview")
+plugins+=("sigscan")
+plugins+=("vaddump")
+plugins+=("vadmap")
+plugins+=("vtop")
+plugins+=("yarascan")
+plugins+=("zsh")
+
+if [ ${#plugins[@]} -eq 0 ]; then
+  echo "Please define a set of plugins to operate on" && exit 1
+fi
+
+for plugin in ${plugins[@]}; do
+  python rekal --live Memory ${plugin} &> ${plugin}.log
+done
No results found