Package rekall :: Package plugins :: Package common :: Package efilter_plugins :: Module search :: Class Explain

Class Explain

Prints various information about a query.

Explains how a query was parsed and how it will be interpreted. It also runs a full type inferencer, to attempt to determine the output of the query once it's executed.

The Explain plugin can analyse a strict superset of expressions that are valid in the Search plugin. It supports:

Any search query that can be passed to Search.
Expressions asking about types and members of profile types (like structs).

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
	top_level_class A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)

Instance Methods

reflect_runtime_member(self, name)
Reflect what Search reflects, and also struct types.

source code

getmembers_runtime(self)
Reflect what Search reflects, and also struct types.

source code

recurse_expr(self, expr, depth)

source code

render(self, renderer)
Produce results on the renderer given.

source code

render_output_analysis(self, renderer)
Render analysis of the expression's return type and its members.

source code

render_query_analysis(self, renderer)
Render query analysis if the input is a regular query.

source code

render_query(self, renderer, query)
Render a single query object's analysis.

source code

__init__(self, *args, **kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)

source code

__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)

source code

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

source code

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

source code

collect(self)
Collect data that will be passed to renderer.table_row. (Inherited from rekall.plugin.TypedProfileCommand)

source code

collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)

source code

column_types(self)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)

source code

get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

source code

get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

source code

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

source code

getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)

source code

reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)

source code

render_error(self, renderer)
Render the query parsing error in a user-friendly manner. (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)

source code

resolve(self, name)
Find and return a CommandWrapper for the plugin 'name'. (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

source code

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

source code

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

args(cls, parser) (Inherited from rekall.plugin.TypedProfileCommand)

source code

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ModeBasedActiveMixin)

source code

Class Variables
	name = `'explain'` hash(x)
	input_is_regular_query = `True`
	ROW_OPTIONS = `set(['annotation', 'depth', 'hex_width', 'highli...` (Inherited from rekall.plugin.TypedProfileCommand)
	classes = `{'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq...` (Inherited from rekall.plugin.Command)
	classes_by_name = `{None: [<class 'rekall.plugins.tools.ipython...` (Inherited from rekall.plugin.Command)
	error_status = `None` hash(x) (Inherited from rekall.plugin.Command)
	interactive = `False` (Inherited from rekall.plugin.Command)
	mode = `None` hash(x) (Inherited from rekall.plugin.Command)
	plugin_args = `None` hash(x) (Inherited from rekall.plugin.ArgsParserMixin)
	plugin_feature = `'Command'` (Inherited from rekall.plugin.Command)
	producer = `False` (Inherited from rekall.plugin.Command)
	query = `None` hash(x) (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)
	query_error = `None` hash(x) (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)
	query_source = `None` hash(x) (Inherited from rekall.plugins.common.efilter_plugins.search.EfilterPlugin)
	table_header = `None` hash(x) (Inherited from rekall.plugin.TypedProfileCommand)
	table_options = `{}` (Inherited from rekall.plugin.TypedProfileCommand)

Properties
Inherited from `object`: `__class__`

Method Details

reflect_runtime_member(self, name)

source code

Reflect what Search reflects, and also struct types.

Overrides: EfilterPlugin.reflect_runtime_member

getmembers_runtime(self)

source code

Reflect what Search reflects, and also struct types.

Overrides: EfilterPlugin.getmembers_runtime

render(self, renderer)

source code

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based at rekall.ui.renderer.BaseRenderer.