Open Rukhsar-Khan opened 6 years ago
They are both dicts. The fields and their allowed types are described in the API files. For example, the rekall_session is described here: https://github.com/rekall-innovations/rekall-agent-server/blob/master/applications/Rekall/private/session_api.yaml
The plugin_arg depends on the plugin you run and the valid args are described here: https://github.com/rekall-innovations/rekall-agent-server/blob/master/applications/Rekall/private/api.yaml
The GUI reads those API files and generates the forms automatically.
I'm using under plugin_arg
proc_regex:svchost
and under rekall_session
choices:API
and I'm receiving the following error message:
error: string indices must be integers, not str
type: Invalid Arguments
Can you give me a few examples?
I also tried in the form of a json dict
"proc_regex": "svchost"
but I'm receiving the same error message
The nice thing about the API is that GUI itself uses it. So if you even want to see exactly how it should work, you just need to look at how the GUI does it. Just press ctrl-shift-j in the browser to get the developer screen, then just do the action you want (in this case launch a flow):
Then you can see the request going to the API end point:
In this case the GUI uses a GET (maybe we should use a POST to make it clearer - either will work) to the endpoint /api/flows/plugins/launch. If you click "view parsed" in the window on the bottom right, you can see how the parameters are encoded:
plugin_arg.pids[]:
plugin_arg.proc_regex:svchost
plugin_arg.verbosity:
plugin:APIPslist
client_id:C.8c3578be635f7280
rekall_session.autodetect[]:linux_index
rekall_session.autodetect[]:osx
rekall_session.autodetect[]:windows_kernel_file
rekall_session.cpu_quota:
rekall_session.flow_precondition:
rekall_session.live:API
rekall_session.load_quota:
So basically dicts are sent by their full paths for each variable. If the parameter does not provide a value it takes on its default (the GUI sends too many parameters because it builds them from the form).
Once you get the basic request, if you just tack the token on the end it should work (providing the token gives access).
Thanks for this comment - this is definitely lacking in the documentation. We need to add a new section to the manual :-).
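One way to produce that dotted-path encoding from ordinary Python dicts, as an added example that is not the project's own code: the parameter names and client_id come from the capture above, while the base URL, the "token" query parameter name and the sample values are assumptions.

```python
from urllib.parse import urlencode


def flatten_params(obj, prefix=""):
    """Flatten a nested dict/list into (key, value) pairs using the GUI's
    dotted-path convention: dict keys join with ".", list elements repeat
    the key with a trailing "[]", and None becomes an empty value so the
    server falls back to the parameter's default."""
    pairs = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            pairs.extend(flatten_params(value, path))
    elif isinstance(obj, (list, tuple)):
        for item in obj:
            pairs.extend(flatten_params(item, prefix + "[]"))
    elif obj is None:
        pairs.append((prefix, ""))
    else:
        pairs.append((prefix, str(obj)))
    return pairs


def build_launch_url(base_url, client_id, plugin, plugin_arg,
                     rekall_session, token):
    """Build the GET URL for /api/flows/plugins/launch with the token
    appended last. The "token" parameter name is an assumption."""
    request = {
        "client_id": client_id,
        "plugin": plugin,
        "plugin_arg": plugin_arg,          # a dict, not "proc_regex:svchost"
        "rekall_session": rekall_session,  # a dict, not "choices:API"
    }
    params = flatten_params(request)
    params.append(("token", token))
    return f"{base_url}/api/flows/plugins/launch?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed sample mirroring the APIPslist capture above.
    print(build_launch_url(
        "http://localhost:8000",            # assumed server address
        "C.8c3578be635f7280",
        "APIPslist",
        {"proc_regex": "svchost", "pids": [], "verbosity": None},
        {"live": "API", "autodetect": ["osx", "windows_kernel_file"]},
        "PLACEHOLDER_TOKEN",
    ))
```

Passing a plain string such as "proc_regex:svchost" where the API expects a dict is what produces the "string indices must be integers" error; the flattened form above is what the server's form parser reassembles into the dicts the YAML files describe.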
Awesome, thanks a lot for your precious support!
When I'm trying to launch a flow with the REST endpoint above, what does the syntax of the fields plugin_arg and rekall_session look like if I want to use e.g. the APIPslist plugin?