
Source Code for Module rekall.plugins.common.efilter_plugins.info

  1  # Rekall Memory Forensics 
  2  # Copyright 2016 Google Inc. All Rights Reserved. 
  3  # 
  4  # This program is free software; you can redistribute it and/or modify 
  5  # it under the terms of the GNU General Public License as published by 
  6  # the Free Software Foundation; either version 2 of the License, or (at 
  7  # your option) any later version. 
  8  # 
  9  # This program is distributed in the hope that it will be useful, but 
 10  # WITHOUT ANY WARRANTY; without even the implied warranty of 
 11  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
 12  # General Public License for more details. 
 13  # 
 14  # You should have received a copy of the GNU General Public License 
 15  # along with this program; if not, write to the Free Software 
 16  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
 17  # 
 18   
 19  """Informational plugins for assistance of efilter operations.""" 
 20  from efilter.protocols import structured 
 21   
 22  from rekall import plugin 
 23  from rekall import obj 
 24  from rekall import session 
 25  from rekall import testlib 
 26   
 27   
class Describe(plugin.TypedProfileCommand, plugin.ProfileCommand):
    """Describe the output of a plugin.

    Emits one row per column of the target plugin's ``table_header`` and
    then, nested beneath it, one row per member that ``efilter`` can
    resolve on that column's value.

    Operational notes for analysts:

    * The target plugin is always instantiated. When ``args`` is non-empty
      its ``collect()`` is also started and the first non-divider row is
      used as the exemplar, so describing a plugin with arguments performs
      whatever work that plugin does to produce its first row.
    * Pointer members are dereferenced while walking members; the walk is
      bounded only by ``max_depth``.
    * ``TypeError`` and ``NotImplementedError`` raised during the member
      walk are swallowed, so a truncated subtree looks the same as a leaf.
    """

    name = "describe"

    PROFILE_REQUIRED = False

    # Declarative argument specification, one dict per argument.
    # NOTE(review): the ``{}`` default for "args" is a shared mutable
    # object; collect() copies it before mutating, which keeps it pristine.
    __args = [
        {
            "name": "plugin_name",
            "required": True,
            "positional": True,
            "help": "A plugin or plugin name to describe.",
        },
        {
            "name": "args",
            "required": False,
            "default": {},
            "type": "dict",
            "positional": True,
            "help": "args to run the plugin with.",
        },
        {
            "name": "max_depth",
            "positional": True,
            "required": False,
            "type": "IntParser",
            "default": 3,
            "help": "The maximum depth to follow mappings.",
        },
    ]

    table_header = [
        {"name": "Field", "type": "TreeNode", "max_depth": 5, "width": 50},
        {"name": "Type"},
    ]

    def collect_members(self, item, depth):
        """Yield a row for every resolvable member of ``item``, recursively.

        Args:
            item: The value (or type) whose members are enumerated through
                ``structured.getmembers``.
            depth: Nesting level recorded on each emitted row; recursion
                stops once it exceeds ``self.plugin_args.max_depth``.

        Yields:
            Dicts with ``Field``, ``Type`` and ``depth`` keys, parents
            before their children.
        """
        if depth > self.plugin_args.max_depth:
            return

        try:
            for member_name in sorted(structured.getmembers(item)):
                resolved = structured.resolve(item, member_name)
                yield {
                    "Field": member_name,
                    "Type": self._determine_type_name(resolved),
                    "depth": depth,
                }

                # Describe what a pointer refers to rather than the pointer
                # object itself. The depth check above is the only bound on
                # this walk visible here.
                # NOTE(review): presumably this is what stops
                # self-referential structures from recursing forever -
                # confirm before raising max_depth.
                child_item = resolved
                if isinstance(resolved, obj.Pointer):
                    child_item = resolved.dereference()

                for child_row in self.collect_members(child_item, depth + 1):
                    yield child_row
        except (TypeError, NotImplementedError):
            # Best effort: an item that cannot be introspected simply ends
            # its own subtree. Nothing is logged, so the caller cannot tell
            # this apart from an item that has no members.
            return

    def _determine_type_name(self, column_type_instance):
        """Return a display name for the type of a column or member value.

        A class is instantiated (with no arguments) first. The value's
        ``obj_type`` attribute wins when it exists and is not None;
        otherwise the Python class name is used.
        """
        exemplar = column_type_instance
        if isinstance(exemplar, type):
            exemplar = exemplar()

        declared_name = getattr(exemplar, "obj_type", None)
        if declared_name is not None:
            return declared_name

        return type(exemplar).__name__

    def _get_exemplar_row(self, instance):
        """Return one representative row for the plugin ``instance``.

        Without user supplied ``args`` the plugin's ``column_types()`` is
        returned and ``collect()`` is never called. With ``args`` the
        plugin's ``collect()`` is iterated until the first row that is not
        a divider; if no such row is produced, ``column_types()`` is the
        fallback.
        """
        if not self.plugin_args.args:
            return instance.column_types()

        for candidate in instance.collect():
            # Divider rows are mostly empty, so they make poor exemplars.
            is_divider = isinstance(candidate, dict) and "divider" in candidate
            if not is_divider:
                return candidate

        return instance.column_types()

    def collect(self):
        """Yield the column and member description rows of the target plugin.

        Raises:
            plugin.PluginError: If the plugin name does not resolve to a
                plugin class, or the instantiated plugin has no
                ``table_header``.
        """
        requested = self.plugin_args.plugin_name
        if isinstance(requested, session.PluginRunner):
            # A runner object was passed instead of a name; unwrap it.
            requested = requested.plugin_name

        target_cls = self.session.plugins.GetPluginClass(requested)
        if not target_cls:
            raise plugin.PluginError("Please specify a valid plugin.")

        # Work on a copy so the caller's (or the shared default) dict is
        # never mutated.
        constructor_args = self.plugin_args.args.copy()
        # NOTE(review): presumably lets the plugin be built without its
        # required arguments - confirm against the plugin base class.
        constructor_args["ignore_required"] = True
        instance = target_cls(session=self.session, **constructor_args)

        header = getattr(instance, "table_header", None)
        if not header:
            raise plugin.PluginError(
                "Plugin %s is not a Typed Plugin. It can not be used in "
                "searches." % requested)

        exemplar = self._get_exemplar_row(instance)
        # The exemplar is either a mapping keyed by column name or a
        # sequence in the same order as the header.
        keyed_by_name = isinstance(exemplar, dict)
        for position, column in enumerate(header):
            column_name = column["name"]
            if keyed_by_name:
                column_value = exemplar.get(column_name)
            else:
                column_value = exemplar[position]

            yield {
                "Field": column_name,
                "Type": self._determine_type_name(column_value),
            }

            for member_row in self.collect_members(column_value, 1):
                yield member_row
134 135
class TestDescribe(testlib.SimpleTestCase):
    """Test case for the ``describe`` plugin using ``pslist`` as the target.

    NOTE(review): how ``PARAMETERS`` is consumed is defined by
    ``testlib.SimpleTestCase`` and is not visible in this module.
    """

    PARAMETERS = {"commandline": "describe pslist"}
138