Class Search

source code

Searches and recombines output of other plugins.

Search allows you to use the EFILTER search engine to filter, transform
and combine output of most Rekall plugins. The most common use for this
is running IOCs.

## Some examples

* Find the process with pid 1:

  ```
  select * pslist() where proc.pid == 1
  ```

* Sort lsof output by file descriptor:

  ```
  select * from lsof() order by fd
  ```

* Filter and sort through lsof in one step:

  ```
  select * from lsof() where proc.name =~ "rekall" order by fd
  ```

* Is there any proc with PID 1, that has a TCPv6 connection and
  isn't a dead process?

  ```
  search("(any lsof where (proc.pid == 1 and fileproc.human_type == 'TCPv6'))
  and not (any dead_procs where (proc.pid == 1))")
  ```

Note: "ANY" is just a short hand for "SELECT ANY FROM" which does what
it sounds like, and returns True or False depending on whether the
query has any results.

You will probably need to use the *describe* plugin to help
discover the exact column structure.


* regex match on array of strings - case insensitive.

  ```
  (Windows)
  select proc, proc.environ from pslist() where
    proc.environ.TMP =~ "temp"

  (Linux)
  select proc, proc.environ from pslist() where
     proc.environ.PATH =~ "home"
  ```

* Format using the hex() method, using *as* to name columns.

  ```
  (Windows)
  select hex(VAD.start) as start, hex(VAD.end) as end,
        Protect from vad(proc_regex: "rekal")

  (Linux)
  select hex(start) as start, hex(end) as end, filename
        from maps(proc_regex: "rekall")
  ```

* Autoselect column names - second column can not clash with first
  column name (should be hex, column 1).

  ```
  (Windows)
  select hex(VAD.start), hex(VAD.end), Protect
        from vad(proc_regex: "rekal")

  (Linux)
  select hex(start), hex(end), filename from maps(proc_regex: "rekall")
  ```
* Timestamp user function

  ```
    select proc, timestamp(proc.create_time) from pslist()
  ```

* Yarascan with sub query

  ```
    select * from file_yara(
       paths: (
        select path.filename from glob(
            "c:\windows\*.exe")).filename,
       yara_expression: "rule r1 {strings: $a = "Microsoft" wide condition: any of them}")
  ```

  On Linux:
  ```
  select * from file_yara(
        paths: (
          select path.filename from glob(
             "/home/*/.ssh/*")).filename,
        yara_expression: "rule r1 {strings: $a = "ssh-rsa" condition: any of them}")
  ```

* Parameter interpolations:

  ```
    a =  "select * from file_yara(paths: ( select path.filename from glob({0})).filename, yara_expression: {1})"

    search a, [r"c:\windows\*.exe",
         "rule r1 {strings: $a = "Microsoft" wide condition: any of them}"]
  ```
* WMI integration + unknown field:

  ```
    select Result.Name, Result.SessionId, Result.foo
         from wmi("select * from Win32_Process")

    select Result.Name, Result.BootDevice
         from wmi("select * from Win32_OperatingSystem")
  ```

* Describe WMI dynamic query

  ```
    describe wmi, dict(query="select * from Win32_Process")
  ```

* Substitute a single string

  ```
    select sub("Microsoft", "MS", Result.Name)
           from wmi("select * from Win32_OperatingSystem")
  ```
* Substiture an array

  ```
    select sub("rekal", "REKALL", proc.cmdline) from pslist()
  ```

Return the search results without displaying them.

Returns:
    A list of results from the query solver.

Raises:
    EfilterError unless 'silent' flag was set.

Return the search results exactly as EFILTER returns them.

Returns:
    Depends on the query.

Raises:
    EfilterError if anything goes wrong.

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based at rekall.ui.renderer.BaseRenderer.