Source Code for Module rekall.plugins.common.efilter_plugins.helpers

  1  # The below are helper routines for 
  2   
  3  import functools 
  4  import re 
  5  import six 
  6   
  7  from efilter import query as q 
  8  from efilter import api 
  9   
 10  from efilter.protocols import applicative 
 11  from efilter.protocols import repeated 
 12  from efilter.protocols import structured 
 13  from efilter.transforms import solve 
 14  from rekall_lib import utils 
 15   
 16   
 17  # Exported EFilter functions. These can be used within efilter 
 18  # queries. For example select hex(cmd_address) from dis(0xfa8000895a32). 
 19 -def hex_function(value): 
 20      """A Function to format the output as a hex string.""" 
 21      if value == None: 
 22          return 
 23   
 24      return "%#x" % value 
 25   
 26 -def str_function(value): 
 27      if value == None: 
 28          return 
 29   
 30      return utils.SmartUnicode(value) 
 31   
 32 -def int_function(value): 
 33      if value == None: 
 34          return 
 35   
 36      return int(value) 
 37   
 38 -def noncase_search_function(regex, value): 
 39      """Case insensitive regex search function.""" 
 40      return bool(re.search(unicode(regex), unicode(value), re.I)) 
 41   
 42   
 43 -def substitute(pattern, repl, target): 
 44      if target is None: 
 45          return 
 46   
 47      if isinstance(target, (list, tuple)): 
 48          result = [] 
 49          for item in target: 
 50              result.append(substitute(pattern, repl, item)) 
 51   
 52          return result 
 53      else: 
 54          return re.sub(pattern, repl, six.text_type(target), re.I) 
 55   
 56   
 57  EFILTER_SCOPES = dict( 
 58      hex=api.user_func( 
 59          hex_function, arg_types=[int], return_type=[str]), 
 60   
 61      str=api.user_func( 
 62          str_function, arg_types=[], return_type=[unicode]), 
 63   
 64      int=api.user_func( 
 65          int_function, arg_types=[], return_type=[int]), 
 66   
 67      regex_search=api.user_func( 
 68          noncase_search_function, arg_types=[unicode, unicode], 
 69          return_type=[bool]), 
 70   
 71      concat=api.user_func(lambda *args: "".join(args)), 
 72      sub=api.user_func(substitute), 
 73  ) 
 74   
 75   
 76 -class GeneratorRunner(object): 
 77 -    def __init__(self, cb): 
 78          self.cb = cb 
 79   
 80 -    def apply(self, args, kwargs): 
 81          return repeated.lazy(functools.partial(self.cb, *args, **kwargs)) 
 82   
 83   
 84  # Implement IApplicative for Command to get reflection APIs. 
 85  applicative.IApplicative.implement( 
 86      for_type=GeneratorRunner, 
 87      implementations={ 
 88          applicative.apply: 
 89              lambda x, *args, **kwargs: x.apply(*args, **kwargs), 
 90   
 91          # Plugins "return" themselves, as far as the type inference cares. 
 92          applicative.reflect_runtime_return: lambda x: x 
 93      } 
 94  ) 
 95   
 96   
 97 -class EfilterRunner(object): 
 98      """An easy to use class for using Efilter. 
 99   
100      The Efilter interface is fairly complex but most people just want to filter 
101      a range of callables. This class is a helper class to help with using 
102      Efilter. 
103   
104      All one needs to do is to extend this class and implement any functions 
105      which should exist in the EFilter namespace. For example, to add a foo() 
106      function: 
107   
108      class NewRunner(search.EfilterRunner): 
109          def run_foo(self): 
110              for x in range(10): 
111                  yield dict(A=x, B=2*x) 
112   
113   
114      for x in NewRunner().filter("select * from foo()"): 
115          print x 
116   
117      {'A': 0, 'B': 0} 
118      {'A': 1, 'B': 2} 
119      {'A': 2, 'B': 4} 
120      {'A': 3, 'B': 6} 
121      {'A': 4, 'B': 8} 
122      """ 
123   
124 -    def resolve(self, name): 
125          function = EFILTER_SCOPES.get(name) 
126          if function: 
127              return function 
128   
129          method = getattr(self, "run_" + name, None) 
130          if method: 
131              return GeneratorRunner(method) 
132   
133          raise KeyError("No plugin named %r." % name) 
134   
135 -    def getmembers_runtime(self): 
136          return [c["name"] for c in self.columns] 
137   
138 -    def filter(self, query, **query_args): 
139          query = q.Query(query, params=query_args) 
140          return repeated.getvalues(solve.solve(query, self).value) 
141   
142   
143  structured.IStructured.implicit_dynamic(EfilterRunner) 
144   
145   
146 -class ListFilter(EfilterRunner): 
147      """A helper to filter a list of dicts using efilter.""" 
148   
149      _list = None 
150   
151 -    def run_list(self): 
152          return self._list 
153   
154 -    def filter(self, filter_exr, data, **query_args): 
155          """Filter the data using the filter expression. 
156   
157          Args: 
158            filter_exr: essentially the where clause. 
159            data: A list of dicts, each dict representing a row. 
160          """ 
161          if not filter_exr: 
162              return data 
163   
164          self._list = data 
165          query = "select * from list()" 
166          if filter_exr: 
167              query += "where " + filter_exr 
168   
169          return super(ListFilter, self).filter(query, **query_args) 
170