Package rekall :: Package plugins :: Package common :: Module scanners :: Class BaseScannerPlugin

Class BaseScannerPlugin

A mixin that implements scanner memory region selectors.

Most scanners are very similar - they search for specific byte patterns over some sections of memory, validate those and present the results. Depending on the type of structures searched for, different regions of memory need to be looked at.

This mixin attempts to present a common interface to all scanning plugins, where users may select different regions using common selector options, and those will be generated automatically.

The plugin may select a set of default regions to scan, which are most relevant to the specific data searched for, but the user may override the defaults at all times.

NOTE: This plugin must be mixed with the specific OS's ProcessFilter implementation in order to bring in standard process selectors.

Instance Methods

scan_specification_requested(self)
Return True if the user requested any specific regions.

source code

generate_memory_ranges(self)
Parse the plugin args and generate memory ranges.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __init__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Variables
	scanner_defaults = `{}`

Properties
Inherited from `object`: `__class__`

Method Details

generate_memory_ranges(self)

source code

Parse the plugin args and generate memory ranges.

Yields rekall.addrspace.Run objects.