google / grr

GRR Rapid Response: remote live forensics for incident response

Home Page: https://grr-doc.readthedocs.io/


AnalyzeClientMemory psaux fails on OSX mojave

siftuser opened this issue · comments

Backtrace:
Traceback (most recent call last):
  File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr_response_server/flow_runner.py", line 568, in RunStateMethod
    method(responses)
  File "/usr/share/grr-server/local/lib/python2.7/site-packages/grr_response_server/flows/general/memory.py", line 261, in End
    raise flow.FlowError("Error running plugins: %s" % all_errors)
FlowError: Error running plugins: Traceback (most recent call last):
  File "site-packages/grr_response_client/components/rekall_support/grr_rekall.py", line 280, in Run
  File "site-packages/rekall/session.py", line 869, in RunPlugin
  File "site-packages/rekall/session.py", line 862, in RunPlugin
  File "site-packages/rekall/session.py", line 912, in _GetPluginObj
  File "site-packages/rekall/session.py", line 155, in __getattr__
  File "site-packages/rekall/session.py", line 135, in GetPluginClass
  File "site-packages/rekall/plugin.py", line 982, in GetActivePlugin
  File "site-packages/rekall/plugin.py", line 434, in is_active
  File "site-packages/rekall_lib/utils.py", line 1079, in get
  File "site-packages/rekall/session.py", line 1062, in profile
  File "site-packages/rekall/session.py", line 768, in GetParameter
  File "site-packages/rekall/session.py", line 803, in _RunParameterHook
  File "site-packages/rekall/plugins/guess_profile.py", line 761, in calculate
  File "site-packages/rekall/plugins/guess_profile.py", line 629, in ScanProfiles
  File "site-packages/rekall/plugins/guess_profile.py", line 665, in _ScanProfiles
  File "site-packages/rekall/plugins/filesystems/tsk.py", line 176, in DetectFromHit
  File "site-packages/rekall/plugins/filesystems/tsk.py", line 125, in __init__
  File "site-packages/rekall/plugins/filesystems/tsk.py", line 152, in __init__
RuntimeError: 'maximum recursion depth exceeded'

What version of GRR are you running?

It looks like you are trying to use one of the Rekall features, which were deprecated and removed over a year ago. We had notorious problems with Rekall, which is exactly why support for it was dropped in GRR. We interface with YARA though, so maybe this works for you if you need to do some memory scanning.

I will close the issue for now, but feel free to reopen if the issue occurs in more recent GRR versions as well.

@panhania thanks for the quick response! It's 3.2.4.

Could you share an example of using YARA to pull a ps aux list from memory? Thanks

Looks like an old version:

/usr/share/grr-server/local/lib/python2.7/site-packages/grr_response_server/flow_runner.py

Python 2.7 is deprecated, see:

site-packages/grr_response_client/components/rekall_support/grr_rekall.py

GRR Rekall support is deprecated, see:

@siftuser where did you get this version from? Is this the default version on SIFT?