Module args

This module manages the command line parsing logic.

Rekall uses the argparse module for command line parsing; however, this module contains so many bugs that it might be worth implementing our own parser in the future.


Author: Michael Cohen <scudette@gmail.com>

Classes
  RekallHelpFormatter
  RekallArgParser
  IntParser
    Class to parse ints either in hex or as ints.
  ArrayIntParser
    Parse input as a comma separated list of integers.
  ArrayStringParser

Functions
  LoadPlugins(paths=None)
  ParseGlobalArgs(parser, argv, user_session)
    Parse some session wide args which must be done before anything else.
  FindPlugin(argv=None, user_session=None)
    Search the argv for the first occurrence of a valid plugin name.
  ConfigureCommandLineParser(command_metadata, parser, critical=False)
    Apply the plugin configuration to an argparse parser.
  parse_args(argv=None, user_session=None, global_arg_cb=None)
    Parse the args from the command line argv.

Variables
  DISAMBIGUATE_OPTIONS = ['profile']
  __package__ = 'rekall'

Function Details

FindPlugin(argv=None, user_session=None)

Search the argv for the first occurrence of a valid plugin name.

Returns a mutated argv where the plugin is moved to the front. If a plugin is not found we assume the plugin is "shell" (i.e. the interactive session).

This maintains backwards compatibility with the old global/plugin specific options. In the current implementation, the plugin name should probably come first:

rekal pslist -v -f foo.elf --pid 4

but this still works:

rekal -v -f foo.elf pslist --pid 4
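
As an added illustration (not Rekall's own source), the reordering described above can be sketched as follows. KNOWN_PLUGINS, DEFAULT_PLUGIN and find_plugin are hypothetical names, and the plugin set is constructed sample data.

```python
# Added illustration; not Rekall's source code.
# KNOWN_PLUGINS is constructed sample data standing in for whatever plugin
# names a real session has registered.
KNOWN_PLUGINS = frozenset({"pslist", "netstat", "shell"})
DEFAULT_PLUGIN = "shell"  # the interactive session, per the description above


def find_plugin(argv, known_plugins=KNOWN_PLUGINS):
    """Return a copy of argv with the first plugin name moved to the front.

    argv excludes the program name. If no token is a known plugin name,
    DEFAULT_PLUGIN is prepended instead.
    """
    argv = list(argv)  # never mutate the caller's list
    for index, token in enumerate(argv):
        if token in known_plugins:
            # The relative order of every other token is preserved so that
            # option/value pairs such as "-f foo.elf" stay adjacent.
            return [token] + argv[:index] + argv[index + 1:]
    return [DEFAULT_PLUGIN] + argv


if __name__ == "__main__":
    samples = [
        "pslist -v -f foo.elf --pid 4",  # plugin-first form
        "-v -f foo.elf pslist --pid 4",  # legacy form, global options first
        "-v -f foo.elf",                 # no plugin: falls back to shell
        "-f pslist netstat",             # option value equal to a plugin name
    ]
    for line in samples:
        print("%-32s -> %s" % (line, " ".join(find_plugin(line.split()))))
```

In this sketch a plain first-occurrence scan cannot tell an option value from a plugin name, so the last sample resolves to pslist rather than netstat.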

ConfigureCommandLineParser(command_metadata, parser, critical=False)

Apply the plugin configuration to an argparse parser.

This method is the essential glue between the abstract plugin metadata and
argparse.

The main intention is to de-couple the plugin's args definition from arg
parser's specific implementation. The plugin then conveys semantic meanings
about its arguments rather than argparse implementation specific
details. Note that args are parsed through other mechanisms in a number of
cases so this gives us flexibility to implement arbitrary parsing:

- Directly provided to the plugin in the constructor.
- Parsed from JSON from the web console.

parse_args(argv=None, user_session=None, global_arg_cb=None)

Parse the args from the command line argv.

Args:
  argv: The args to process.
  user_session: The session we work with.
  global_arg_cb: A callback that will be used to process global
     args. Global args are those which affect the state of the
     Rekall framework and must be processed prior to any plugin
     specific args. In essence these flags control which plugins
     can be available.