
Source Code for Module rekall.plugins.response.yarascan

 1  # Rekall Memory Forensics 
 2  # Copyright (c) 2012, Michael Cohen <scudette@gmail.com> 
 3  # Copyright (c) 2010, 2011, 2012 Michael Ligh <michael.ligh@mnin.org> 
 4  # Copyright 2013 Google Inc. All Rights Reserved. 
 5  # 
 6  # This program is free software; you can redistribute it and/or modify 
 7  # it under the terms of the GNU General Public License as published by 
 8  # the Free Software Foundation; either version 2 of the License, or (at 
 9  # your option) any later version. 
10  # 
11  # This program is distributed in the hope that it will be useful, but 
12  # WITHOUT ANY WARRANTY; without even the implied warranty of 
13  # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU 
14  # General Public License for more details. 
15  # 
16  # You should have received a copy of the GNU General Public License 
17  # along with this program; if not, write to the Free Software 
18  # Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA 
19  # 
20   
21  from rekall import addrspace 
22  from rekall_lib import utils 
23   
24  from rekall.plugins import yarascanner 
25  from rekall.plugins.addrspaces import standard 
26  from rekall.plugins.response import common 
27   
28   
29   
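class FileYaraScanner(yarascanner.YaraScanMixin,
                      common.AbstractIRCommandPlugin):
    """Yara scanner which operates on files.

    Each path in ``plugin_args.paths`` is opened and wrapped in a
    ``standard.FDAddressSpace`` so the scanning machinery inherited from
    ``YaraScanMixin`` (``generate_hits``) can run over the file contents.
    """
    name = "file_yara"

    __args = [
        dict(name="paths", positional=True, type="Array",
             help="Paths to scan."),
    ]

    def collect(self):
        """Yield yara hits found in the files named by ``plugin_args.paths``.

        Yields:
          ``(file_info, rule, address, hexdump, None)`` tuples where
          ``hexdump`` is a ``utils.HexDumpedString`` of the bytes around the
          match: ``plugin_args.pre_context`` bytes before ``address`` and
          ``plugin_args.context`` bytes from ``address`` on.

        The generator stops once ``plugin_args.hits`` matches have been
        yielded in total.  The limit is global, not per file, so no further
        files are opened or scanned after it is reached.
        """
        hit_limit = self.plugin_args.hits
        pre_context = self.plugin_args.pre_context
        context = self.plugin_args.context
        count = 0

        for path in self.plugin_args.paths:
            self.session.logging.debug("File yara scanning %s", path)
            file_info = common.FileFactory(path, session=self.session)
            # NOTE(review): the handle from file_info.open() is handed to the
            # address space and is not explicitly closed here; confirm that
            # FDAddressSpace (or its finalizer) releases it.
            run = addrspace.Run(start=0, end=file_info.st_size,
                                file_offset=0,
                                address_space=standard.FDAddressSpace(
                                    session=self.session,
                                    fhandle=file_info.open()))

            for rule, address in self.generate_hits(run):
                # Check the cap before yielding so exactly `hits` matches are
                # reported (checking after count += 1 dropped the last one).
                if count >= hit_limit:
                    return
                count += 1

                # Clamp the context window at the start of the file so a hit
                # within the first pre_context bytes does not read from a
                # negative offset; the window shrinks instead of shifting.
                window_start = max(0, address - pre_context)
                window_len = (address - window_start) + context

                yield (file_info,
                       rule, address,
                       utils.HexDumpedString(
                           run.address_space.read(window_start, window_len)),
                       None)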