20 """This module implements the data export renderer.
21
22 The data export renderer is a way of exporting structured data from Rekall. The
23 renderer is based on the JsonRenderer but has a different goal - while the
24 JsonRenderer is designed to be able to exactly recreate the objects in the
25 future the data export renderer aims to include useful information about
26 exported objects.
27
28 For example, in order to decode the JsonRenderer output one must have access to
29 the original image, since the decoder will generate the exact BaseObject()
30 instances that the encoder used.
31
32 Not so with the data exporter - the exported data contains a lot of additional
33 information about the exported objects. The exported data also omits information
34 which is not relevant without access to the original image.
35 """
36
37 import datetime
38 import pytz
39
40 from rekall.ui import renderer
41 from rekall.ui import json_renderer
42
43 from rekall.plugins.renderers import json_storage
44
45 from rekall_lib import utils
46
47
48
49
# Reuse the JSON object renderers listed below for the "DataExportRenderer"
# target, so these types are encoded the same way in the data export.
# NOTE(review): presumably CopyObjectRenderers registers a copy of each listed
# class under the given renderer name - confirm in rekall.ui.renderer.
renderer.CopyObjectRenderers((
    json_renderer.StringRenderer,
    json_storage.ArrowObjectRenderer,
    json_storage.AttributeDictObjectRenderer,
    json_storage.BaseAddressSpaceObjectRenderer,
    json_storage.FileAddressSpaceObjectRenderer,
    json_storage.IA32PagedMemoryObjectRenderer,
    json_storage.JsonAttributedStringRenderer,
    json_storage.JsonEnumerationRenderer,
    json_storage.JsonFormattedAddress,
    json_storage.JsonHexdumpRenderer,
    json_storage.JsonInstructionRenderer,
    json_storage.NoneObjectRenderer,
    json_storage.ProfileObjectRenderer,
    json_storage.SessionObjectRenderer,
    json_storage.SetObjectRenderer,
    json_storage.SlottedObjectObjectRenderer,
    json_storage.UnixTimestampJsonObjectRenderer,
), renderer="DataExportRenderer")
69
70
72 """An exporter for data."""
73
74 name = "data"
75
77
78
79 result = self.encoder.Encode(options)
80 for i, arg in enumerate(args):
81 column_spec = self.table.column_specs[i].copy()
82 column_spec.update(options)
83
84 object_renderer = self.object_renderers[i]
85 if object_renderer is not None:
86 column_spec["type"] = object_renderer
87
88 column_name = column_spec["name"]
89 if column_name:
90 result[column_name] = self.encoder.Encode(
91 arg, **column_spec)
92
93 self.SendMessage(["r", result])
94
95
97 """This is the fallback for all objects without a dedicated renderer."""
98 renderers = ["DataExportRenderer"]
99
def Summary(self, item, formatstring=None, header=False, **options):
    """Return a short, human-readable string describing ``item``.

    When ``formatstring`` is ``"[addrpad]"`` and the cell is not a header,
    the item is rendered as a zero-padded hexadecimal address. Every other
    case, including an item that cannot be formatted with ``%x``, is passed
    through ``utils.SmartStr``.
    """
    padded_address = None
    try:
        # The test stays inside the try block so that a TypeError raised by
        # the comparison itself is swallowed too.
        if formatstring == "[addrpad]" and not header:
            # "0x" prefix, zero padded to a total width of 14 characters.
            padded_address = "%#014x" % item
    except TypeError:
        # Not a value %x can format; use the generic path below.
        padded_address = None

    if padded_address is not None:
        return padded_address

    # Generic path: always hand back some string for the item.
    return utils.SmartStr(item)
113
114
117
118
120 renders_type = "datetime"
121 renderers = ["DataExportRenderer"]
122
123 EPOCH = datetime.datetime(1970, 1, 1, 0, 0, 0, 0, pytz.UTC)
124
126 return dict(epoch=(item - self.EPOCH).total_seconds(),
127 string_value=item.strftime("%Y-%m-%d %H:%M:%S%z"))
128
129
143
144
146 renders_type = "Pointer"
147
def Summary(self, item, **options):
    """Summarise the pointer by delegating to its target's renderer.

    ``item`` is the encoded pointer state; only its ``"target"`` entry is
    used. The renderer class for that target is looked up for the
    "DataExportRenderer" target and asked for the summary, with ``options``
    passed through unchanged.
    """
    target = item["target"]
    target_renderer_cls = self.FromEncoded(target, "DataExportRenderer")
    target_renderer = target_renderer_cls(self.renderer)
    return target_renderer.Summary(target, **options)
153
166
167
173
174
194
195
197 renders_type = "RDFValue"
198
200 return utils.SmartStr(item.get("str", ""))
201
203 return dict(str=item.SerializeToString())
204
205
class DataExportPhysicalAddressContextObjectRenderer(
        DataExportRDFValueObjectRenderer):
    """Data export renderer for "PhysicalAddressContext" objects."""

    renders_type = "PhysicalAddressContext"

    # NOTE(review): Summary reads the "str" key of the encoded item, while
    # GetState returns item.summary() unchanged. Confirm that summary()
    # yields a mapping carrying "str"; otherwise Summary renders an empty
    # string for every exported address context.

    def Summary(self, item, **_):
        """Return the encoded item's "str" entry as a string ("" if absent)."""
        text = item.get("str", "")
        return utils.SmartStr(text)

    def GetState(self, item, **options):
        """Return whatever ``item.summary()`` produces as the exported state."""
        state = item.summary()
        return state
215