Fixed the windows build.

 * Include OSQueryi
 * Added new icons for the new logo.
 * Include nssm and bat file for starting the Rekall Agent.

BUG=

Review URL: https://codereview.appspot.com/321410043.

rekall-core/rekall/plugins/response/osquery.py

@@ -31,8 +31,11 @@
 the path.
 """
 import json
+import os
+import platform
 import subprocess
 
+from rekall import resources
 from rekall.plugins.response import common
 
 
@@ -53,13 +56,30 @@ class OSQuery(common.AbstractIRCommandPlugin):
 
     table_header = []
 
+    def try_to_find_osquery(self):
+        extention = ""
+        if platform.system() == "Windows":
+            extention = ".exe"
+
+        try:
+            return resources.get_resource("osqueryi" + extention)
+        except IOError as e:
+            # Maybe it is installed on the system.
+            if  platform.system() == "Windows":
+                result = r"c:\ProgramData\osquery\osqueryi.exe"
+                if os.access(result, os.R_OK):
+                    return result
+
+            raise e
+
     def render(self, renderer):
         osquery_path = self.plugin_args.osquery_path
         if osquery_path == None:
             osquery_path = self.session.GetParameter("osquery_path")
         if osquery_path == None:
-            osquery_path = "osqueryi"
+            osquery_path = self.try_to_find_osquery()
 
+        self.session.logging.debug("Found OSQuery at %s" % osquery_path)
         self.json_result = json.loads(
             subprocess.check_output(
                 [osquery_path, "--json", self.plugin_args.query]))

rekall-core/resources/OSQuery.license

@@ -0,0 +1,33 @@
+If OSQuery is included in this binary package, the following license
+applies to OSQuery:
+
+BSD License
+
+For osquery software
+
+Copyright (c) 2014-present, Facebook, Inc. All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification,
+
+are permitted provided that the following conditions are met:
+
+ * Redistributions of source code must retain the above copyright notice, this
+   list of conditions and the following disclaimer.
+ * Redistributions in binary form must reproduce the above copyright notice,
+   this list of conditions and the following disclaimer in the documentation
+   and/or other materials provided with the distribution.
+
+ * Neither the name Facebook nor the names of its contributors may be used to
+   endorse or promote products derived from this software without specific
+   prior written permission.
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND
+ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
+WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE
+DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR
+ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES
+(INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON
+ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
+SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.

rekall-core/resources/rekall-agent-windows.bat

@@ -0,0 +1,31 @@
+rem This batch script installs Rekall Agent as a windows service using
+rem the nssm tool which was originally downloaded from http://nssm.cc/
+
+rem Edit the following if needed.
+set "service=RekallAgent"
+set "RekallPath=%PROGRAMFILES%\Rekall"
+set "nssm=%RekallPath%\resources\nssm.exe"
+
+rem Make sure to edit this before deployment.
+set "RekallAgentConfig=%RekallPath%\resources\rekall-agent.yaml"
+
+"%nssm%" stop "%service%" confirm
+"%nssm%" remove "%service%" confirm
+"%nssm%" install "%service%" "%RekallPath%\rekal.exe"
+"%nssm%" set "%service%" AppParameters agent --agent_config """%RekallAgentConfig%"""
+
+rem This is a log file of Rekall Agent messages.
+"%nssm%" set "%service%" AppStdout "%RekallPath%\RekallAgent.log"
+"%nssm%" set "%service%" AppStderr "%RekallPath%\RekallAgent.log"
+
+rem This will rotate the log files.
+"%nssm%" set "%service%" AppRotateFiles 1
+"%nssm%" set "%service%" AppRotateBytes 10000000
+
+rem Service must be running at least this long to be considered healthy.
+"%nssm%" set "%service%" AppThrottle 30000
+
+rem Service may not be restarted more frequently than this many ms.
+"%nssm%" set "%service%" AppRestartDelay 60000
+
+"%nssm%" start "%service%"

rekall-core/resources/rekall-agent.yaml

@@ -0,0 +1,26 @@
+# Sample configuration file for the Rekall Agent. Modify this to point
+# at your server project.
+__type__: Configuration
+client:
+  __type__: GAEClientPolicy
+
+  # Add intrinsic labels to this client here.
+  labels:
+    - All
+    - Linux
+
+  # Set to false to prevent the agent from polling - it will just
+  # exit after a single poll. Note that the nanny will wake it anyway
+  # after 2 minutes so the agent will continue to poll but will be
+  # restarted every 2 minutes. This achieves the smaller possible
+  # resident memory footprint.
+  poll: true
+  poll_min: 60
+  poll_max: 60
+  manifest_location:
+    __type__: HTTPLocation
+    # Change this to point at the deployed server.
+    base: http://127.0.0.1:8080/api/control
+    path_prefix: /manifest
+  # Persistent path to keep the same client.
+  writeback_path: rekall-agent-writeback.json

rekall-core/setup.py

@@ -62,7 +62,7 @@ def find_data_files(source):
     "pyelftools == 0.24",
     "pyparsing==2.1.5",
     "pytz == 2016.4",
-    "psutil >= 4.0, < 5.0",
+    "psutil >= 5.0, < 6.0",
     "rekall-capstone == 3.0.4.post2",
     "rekall-yara == 3.4.0.1",
     "pytsk3 == 20160721",

tools/installers/rekal.py

@@ -2,6 +2,7 @@
 # Pyinstaller typically can not see these imports.
 from rekall import rekal
 import rekall.plugins
+from rekall_agent import agent
 #import rekall_gui.plugins.webconsole_plugin
 
 rekal.main()

tools/installers/winbuild.py

@@ -146,6 +146,14 @@ def main():
     # Recent versions of Pyinstaller already copy resources they know about.
     copy("rekall-core/resources", "dist/rekal")
 
+    # Copy osqueryi.exe from the default location into the dist. NOTE:
+    # Install osquery using chocolaty
+    # https://chocolatey.org/packages/osquery
+    path = r"c:\ProgramData\osquery\osqueryi.exe"
+    if os.access(path, os.R_OK):
+        print "Copying osquery into the package."
+        copy(path, "dist/rekal")
+
     print "Remove unnecessary crap added by pyinstaller."
     rm("dist/rekal/_MEI")
     rm("dist/rekal/tcl/*")