Aralez utilizes a combination of internal tools, external tools, and Windows system commands to collect forensic artifacts and provide a detailed system overview. This page explains each tool type and provides guidance on adding and configuring tools.

## Internal Tools

Internal tools are built directly into Aralez and provide specific forensic functionality, such as retrieving process details, active network ports, and other system-level data. These tools are part of the Aralez source code and do not rely on external executables.

### Available Internal Tools
Tool Name | Description |
---|---|
ProcInfo | Retrieves basic process information, including PID, parent PID, and executable name. |
ProcDetailsInfo | Collects detailed process information such as loaded modules, memory usage, and hashes (MD5, SHA-256). |
PortsInfo | Gathers information on open TCP ports, including local/remote addresses and connection states. |
Example:

```yaml
tasks:
  tools:
    priority: 3
    type: "execute"
    entries:
      internal:
        - name: "ProcInfo"
          output_file: "ProcInfo.txt"
          exec_type: "internal"
        - name: "ProcDetailsInfo"
          output_file: "ProcDetailsInfo.txt"
          exec_type: "internal"
        - name: "PortsInfo"
          output_file: "PortsInfo.txt"
          exec_type: "internal"
```
## External Tools

External tools are third-party utilities from the Sysinternals Suite or other external sources. These tools are widely used in system analysis and troubleshooting.

### Available External Tools
Tool Name | Description |
---|---|
autorunsc.exe | Lists auto-start programs and services. |
handle.exe | Displays open handles for processes. |
Listdlls.exe | Lists loaded DLLs and their associated processes. |
pslist.exe | Lists active processes with detailed information. |
PsService.exe | Displays and controls services on the system. |
tcpvcon.exe | Lists active TCP connections. |
pipelist.exe | Displays named pipes and the processes using them. |
Example:

```yaml
tasks:
  tools:
    priority: 3
    type: "execute"
    entries:
      external:
        - name: "autorunsc.exe"
          args: ["-nobanner", "-c", "/accepteula"]
          output_file: "Autorunsc.txt"
          exec_type: "external"
        - name: "handle.exe"
          args: ["/accepteula", "/a", "/nobanner"]
          output_file: "Handle.txt"
          exec_type: "external"
```
## Adding New External Tools

To add new external tools:

- Modify `build.rs`:
  - Update the list of external tools in the `exe_files` array.
  - Ensure the build script downloads and extracts the new tool during the build process.
- Update the configuration file:
  - Add the new tool under the `external` section with its `name`, `args`, and `output_file`.
## Steps to Add a New External Tool

1. Edit `build.rs`: add the new tool's executable name to the `exe_files` array:

   ```rust
   let exe_files = vec![
       "autorunsc.exe",
       "handle.exe",
       "Listdlls.exe",
       "pslist.exe",
       "PsService.exe",
       "tcpvcon.exe",
       "pipelist.exe",
       "new_tool.exe", // Add your new tool here
   ];
   ```

2. Recompile the project: run the following command to rebuild the tool with the updated `build.rs`:

   ```shell
   cargo build --release
   ```

3. Update the configuration file: define the new tool in the YAML file:

   ```yaml
   tasks:
     tools:
       priority: 3
       type: "execute"
       entries:
         external:
           - name: "new_tool.exe"
             args: ["--example-arg"]
             output_file: "NewToolOutput.txt"
             exec_type: "external"
   ```
## Windows System Tools

Windows system tools are native utilities included in every Windows installation. Aralez uses these tools to collect system and network information without requiring external dependencies.

### Some Examples of Windows System Tools
Command | Description |
---|---|
netstat.exe | Displays active network connections and listening ports. |
ipconfig.exe | Displays network configuration, including IP addresses and DNS cache. |
systeminfo.exe | Collects system hardware and software information. |
tasklist.exe | Lists running tasks and their details. |
net.exe | Displays network shares on the system. |
powershell | Executes a PowerShell command to gather detailed system information. |
Example:

```yaml
tasks:
  tools:
    priority: 3
    type: "execute"
    entries:
      system:
        - name: "netstat.exe"
          args: ["-anob"]
          output_file: "NetStat.txt"
          exec_type: "system"
        - name: "ipconfig.exe"
          args: ["/all"]
          output_file: "IPConfig.txt"
          exec_type: "system"
        - name: "systeminfo.exe"
          args: []
          output_file: "SystemInfo.txt"
          exec_type: "system"
```
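The three entry kinds above share a few consistency rules that are easy to get wrong when a configuration is edited by hand: an `internal` entry must name one of the built-in tools from the table on this page, an `external` entry must correspond to a name in the `exe_files` array of `build.rs` or the binary will never be bundled, every entry's `exec_type` must match the section it sits in, and two entries must not write to the same `output_file`. The following is an added example in Python that checks these rules before a collection run; it is not part of Aralez. The configuration is embedded as the Python equivalent of the YAML shown in the internal, external and system examples, the `build.rs` text is a constructed copy of the snippet from the "Steps to Add a New External Tool" section, and the function names are my own.

```python
"""Consistency checks for an Aralez 'tools' task (added example, not project code)."""
import re

# Constructed copy of the exe_files array as it appears in build.rs on this page.
BUILD_RS = '''
let exe_files = vec![
    "autorunsc.exe",
    "handle.exe",
    "Listdlls.exe",
    "pslist.exe",
    "PsService.exe",
    "tcpvcon.exe",
    "pipelist.exe",
];
'''

# Constructed: the parsed form of a tools task mixing all three entry kinds,
# with two deliberate mistakes (see comments) so the checker has something to report.
CONFIG = {
    "tasks": {
        "tools": {
            "priority": 3,
            "type": "execute",
            "entries": {
                "internal": [
                    {"name": "ProcInfo", "output_file": "ProcInfo.txt", "exec_type": "internal"},
                    {"name": "PortsInfo", "output_file": "PortsInfo.txt", "exec_type": "internal"},
                ],
                "external": [
                    {"name": "autorunsc.exe", "args": ["-nobanner", "-c", "/accepteula"],
                     "output_file": "Autorunsc.txt", "exec_type": "external"},
                    # Mistake: configured here but not listed in build.rs, so it is never bundled.
                    {"name": "new_tool.exe", "args": ["--example-arg"],
                     "output_file": "NewToolOutput.txt", "exec_type": "external"},
                ],
                "system": [
                    {"name": "netstat.exe", "args": ["-anob"],
                     "output_file": "NetStat.txt", "exec_type": "system"},
                    # Mistake: exec_type does not match the section, and the output file collides.
                    {"name": "ipconfig.exe", "args": ["/all"],
                     "output_file": "NetStat.txt", "exec_type": "external"},
                ],
            },
        }
    }
}

# The internal tools listed in the table on this page.
KNOWN_INTERNAL = {"ProcInfo", "ProcDetailsInfo", "PortsInfo"}


def exe_files_from_build_rs(src):
    """Return the executable names listed in the exe_files vec! of build.rs."""
    m = re.search(r'let\s+exe_files\s*=\s*vec!\[(.*?)\];', src, re.S)
    if not m:
        return []
    return re.findall(r'"([^"]+)"', m.group(1))


def check_tools_task(config, bundled_exes, known_internal=KNOWN_INTERNAL):
    """Return a list of human-readable problems; an empty list means the task is consistent."""
    problems = []
    task = config["tasks"]["tools"]
    if task.get("type") != "execute":
        problems.append("tools task type must be 'execute'")
    seen_outputs = {}  # output_file -> entry name that claimed it first
    for section, items in task.get("entries", {}).items():
        for e in items:
            name = e.get("name", "<unnamed>")
            # exec_type must agree with the section the entry is placed in.
            if e.get("exec_type") != section:
                problems.append(f"{name}: exec_type {e.get('exec_type')!r} "
                                f"does not match section {section!r}")
            # Every entry needs a unique output file.
            out = e.get("output_file")
            if not out:
                problems.append(f"{name}: missing output_file")
            elif out in seen_outputs:
                problems.append(f"{name}: output_file {out!r} already used by {seen_outputs[out]}")
            else:
                seen_outputs[out] = name
            # External binaries must be bundled by build.rs; internal names must exist.
            if section == "external" and name not in bundled_exes:
                problems.append(f"{name}: not in build.rs exe_files, so it will not be bundled")
            if section == "internal" and name not in known_internal:
                problems.append(f"{name}: unknown internal tool")
            if section != "internal" and not isinstance(e.get("args", []), list):
                problems.append(f"{name}: args must be a list")
    return problems


if __name__ == "__main__":
    for p in check_tools_task(CONFIG, exe_files_from_build_rs(BUILD_RS)):
        print("problem:", p)
```

Run against the embedded sample it reports three problems: `new_tool.exe` is missing from `exe_files`, and the `ipconfig.exe` entry both carries the wrong `exec_type` and reuses `NetStat.txt`. Adding `"new_tool.exe"` to `build.rs` and correcting the `ipconfig.exe` entry brings the list down to empty, which is the state to require before shipping a configuration.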
## How to Add or Customize Tools

Internal tools:
- Modify the Aralez source code and recompile the tool.

External tools:
- Update the `build.rs` file to include the new tool in the download and extraction process.
- Add the tool's configuration in the YAML file.

Windows system tools:
- Add the command and its arguments to the configuration file under the `system` section.