Frequently Asked Questions (FAQ).
Rekall wants to access the internet for each profile, but my machine has no net access?
Rekall’s profile repository is rather large and grows all the time. We dont want to ship Rekall with hundreds of MB of profile data embedded in the tool. We therefore access the repository to fetch profiles on demand.
If you dont want to access the internet each time you can copy the entire profile repository locally and then just use it from your local machine. Since the profile repository is a git repository you can just check it out:
git clone --depth 1 https://github.com/google/rekall-profiles.git
You can then just keep it up to date by running:
from within this directory. Alternatively you can just download the latest snapshot as a zip file (you do not need the git tool in that case):
You will now need to edit your ~/.rekallrc file to use your local directory copy instead of the web copy:
profile_path: - /home/scudette/rekall-profiles - https://raw.githubusercontent.com/google/rekall-profiles/master
Rekall fails with “Unable to load profile from any repository”. What gives?
Rekall requires accurate profiles to operate. This is similar to the way the windows kernel debugger works - in order to analyse a windows image, the kernel debugger needs to obtain debugging symbols from the microsoft debugging server.
Since Rekall now uses indexes in its repository for autodetection you need to reindex the profile repository after you add a new GUID. This is the preferred way because Rekall will then be able to autodetect your profile afterwards:
- The first step is to figure out the precise version of the windows kernel this image has. We do this by scanning for the GUID of the ntoskrnl.exe process from the image itself.
- Check out the profile repository as explained above.
- Add you new GUID to v1.0/src/guids.txt
- Now change directory to the v1.0/ directory.
- Run the profile management tool:
python ~/rekall/tools/profiles/build_profile_repo.py src/guids.txt
This will automatically notice the new GUIDs in the file, download them from Microsoft, parse them and update all indexes. You can send us a pull request to update the public repository if you like :-).
Alternatively you can just download the pdb file yourself and convert it. This will work but you will have to provide the new profile through the –profile command line arg.
To generate a profile file for an image, simple use the fetch_pdb and parse_pdb plugins. For example, suppose you have a memory image which you are not quite sure what exact version of Windows it is.
The first step is to figure out the precise version of the windows kernel this image has. We do this by scanning for the GUID of the ntoskrnl.exe process from the image itself.
We then fetch the debugging symbols (pdb file) for this kernel from Microsoft’s debug symbols.
Finally we convert the pdb file into Rekall’s own json format.
$ rekal -f ~/images/win7.elf version_scan --name ntkrnl 0x0000027bb5fc f8e2a8b5c9b74bf4a6e4a48f180099942 ntkrnlmp.pdb $ rekal fetch_pdb --dump-dir . --pdb_filename ntkrnlmp.pdb --guid f8e2a8b5c9b74bf4a6e4a48f180099942 Trying to fetch http://msdl.microsoft.com/download/symbols/ntkrnlmp.pdb/F8E2A8B5C9B74BF4A6E4A48F180099942/ntkrnlmp.pd_ Received 2675077 bytes Extracting cabinet: ./ntkrnlmp.pd_ extracting ntkrnlmp.pdb All done, no errors. $ rekal parse_pdb -f ntkrnlmp.pdb --output ntkrnlmp.json --profile_class Win7x64 $ rekal --profile ./ntkrnlmp.json -f ~/images/win7.elf pslist Offset (V) Name PID PPID Thds Hnds Sess Wow64 Start Exit -------------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------ ------------------------ 0xfa80008959e0 System 4 0 84 511 ------ False 2012-10-01 21:39:51+0000 - 0xfa8001994310 smss.exe 272 4 2 29 ------ False 2012-10-01 21:39:51+0000 - 0xfa8002259060 csrss.exe 348 340 9 436 0 False 2012-10-01 21:39:57+0000 - 0xfa8000901060 wininit.exe 384 340 3 75 0 False 2012-10-01 21:39:57+0000 - 0xfa8000900420 csrss.exe 396 376 8 192 1 False 2012-10-01 21:39:57+0000 - ....
The same technique can be used to generate symbols for other profiles which might be needed - for example tcpip.pdb or win32k.pdb.