Module search
Rekall's search function.
The following queries should work and not break.
1) On Windows with --live API
* regex match on array of strings - case insensitive.
select proc, proc.environ from pslist() where proc.environ.TMP =~ "temp"
2) Format using the hex() method, using "as" to name columns.
select hex(VAD.start) as start, hex(VAD.end) as end, Protect from vad(proc_regex: "rekal")
3) Auto-selected column names: the second column's name cannot clash with the first column's name (which should be hex, column 1).
select hex(VAD.start), hex(VAD.end), Protect from vad(proc_regex: "rekal")
4) Timestamp user function - requires a session to be passed (returns UnixTimeStamp).
select timestamp(proc.create_time) from pslist()
5) Yarascan with sub query
select * from file_yara(paths: (select path.filename from glob("c:\windows\*.exe")).filename, yara_expression: "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}")
6) Parameter interpolations:
a = "select * from file_yara(paths: (select path.filename from glob({0})).filename, yara_expression: {1})"
plugins.search(a, query_parameters=[r"c:\windows\*.exe", "rule r1 {strings: $a = \"Microsoft\" wide condition: any of them}"])
7) WMI integration + unknown field:
select Result.Name, Result.SessionId, Result.foo from wmi("select * from Win32_Process")
select Result.Name, Result.BootDevice from wmi("select * from Win32_OperatingSystem")
8) Describe WMI dynamic query
describe wmi, dict(query="select * from Win32_Process")
9) Substitute a single string
select sub("Microsoft", "MS", Result.Name) from wmi("select * from Win32_OperatingSystem")
10) Substitute an array
select sub("rekal", "REKALL", proc.cmdline) from pslist()
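The following is an added illustration of item 6 (parameter interpolation), written for this page; it is not Rekall's own implementation of query_parameters. The helper names build_query, naive_query and string_literals, and the backslash-escape convention assumed for EFILTER string literals, are assumptions. It shows why values are handed over as parameters rather than pasted into the query text: a quoted parameter stays a single string literal even when it contains double quotes or backslashes, whereas raw interpolation changes the structure of the query.

```python
import re


def efilter_string_literal(value):
    """Render a Python str as a double-quoted literal.

    Hypothetical helper (not Rekall's code): backslashes and double quotes
    are escaped with a backslash, the convention assumed here for EFILTER.
    """
    if not isinstance(value, str):
        raise TypeError("only strings are quoted here; got %r" % type(value))
    escaped = value.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def build_query(template, query_parameters):
    """Fill {0}, {1}, ... placeholders with properly quoted parameters."""
    quoted = [efilter_string_literal(p) for p in query_parameters]
    return template.format(*quoted)


def naive_query(template, query_parameters):
    """Comparison only: raw interpolation, with no quoting at all."""
    return template.format(*query_parameters)


# Minimal scanner for double-quoted literals with backslash escapes. It is
# used only to check what the query parser would see as string literals.
_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"')


def string_literals(query):
    """Return the unescaped contents of each string literal in query."""
    out = []
    for match in _LITERAL.finditer(query):
        body = match.group(0)[1:-1]
        out.append(re.sub(r"\\(.)", r"\1", body))
    return out


# The template from item 6 on this page.
TEMPLATE = ("select * from file_yara(paths: (select path.filename from "
            "glob({0})).filename, yara_expression: {1})")

# Constructed parameters: the yara rule contains the double quotes that
# break the query when they are pasted in raw.
PARAMS = [
    r"c:\windows\*.exe",
    'rule r1 {strings: $a = "Microsoft" wide condition: any of them}',
]


def demo():
    """Return (quoted query, raw query) for the constructed parameters."""
    return build_query(TEMPLATE, PARAMS), naive_query(TEMPLATE, PARAMS)


if __name__ == "__main__":
    safe, unsafe = demo()
    print("quoted:", safe)
    print("literals seen by the parser:", string_literals(safe))
    print("raw:   ", unsafe)
    print("literals seen by the parser:", string_literals(unsafe))
```

With quoting, string_literals() recovers exactly the two parameters that were passed in; with raw interpolation the path is not a literal at all and the only literal left is "Microsoft", because the quotes inside the rule now delimit the query's own strings.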
Author:
Adam Sindelar <adamsh@google.com>
select_Pointer(ptr, key): Delegate to target of the pointer, if any.
resolve_Pointer(ptr, member): Delegate to target of the pointer, if any.
__package__ = 'rekall.plugins.common.efilter_plugins'