Package rekall :: Package plugins :: Package windows :: Package malware :: Module yarascan :: Class WinPhysicalYaraScanner

Class WinPhysicalYaraScanner



An experimental yara scanner over the physical address space.

Yara does not provide a streaming interface, which means that when we scan
for yara rules we can only ever match strings within the same buffer. This
is a problem for physical address space scanning because each page (although
it might appear to be contiguous) usually comes from a different
process/mapped file.

Therefore we need a more intelligent way to apply yara signatures on the
physical address space:

1. The original set of yara rules is converted into a single rule with all
the strings from all the rules in it. The rule has a condition "any of them"
which will match any string appearing in the scanned buffer.

2. This rule is then applied over the physical address space.

3. For each hit we derive a context and add the hit to the context.

4. Finally we test all the rules within the same context with the original
rule set.
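As an added illustration of the four steps above (this is not Rekall's code and does not use yara-python): a trivial substring matcher stands in for yara, so the block runs offline, and a constructed "physical address space" is built from adjacent pages that belong to different processes. The rule set, strings, page owners, buffer contents and the helper names (`combine_rules`, `scan_buffer`, `derive_context`, `evaluate_rules`, `scan_physical`, `scan_naive`) are all assumptions made for the example; only `combined_rule_source` emits real yara syntax.

```python
"""Toy model of the context-aware physical scan described above.

A trivial substring matcher stands in for yara so the block runs offline;
the function names mirror the four steps of the docstring. All rules,
strings, page owners and buffer contents are constructed for this example.
"""
from collections import defaultdict

PAGE_SIZE = 64  # constructed: tiny pages keep the sample buffer readable

# Constructed rule set: each rule has named strings and an all/any condition.
RULES = {
    "dropper": {"strings": {"a": b"CreateRemoteThread", "b": b"VirtualAllocEx"},
                "condition": "all"},
    "beacon": {"strings": {"c": b"cmd.exe /c", "d": b"http://"},
               "condition": "all"},
}


def combine_rules(rules):
    """Step 1: collect every string of every rule under one catch-all rule."""
    return {(rule_name, sid): pattern
            for rule_name, rule in rules.items()
            for sid, pattern in rule["strings"].items()}


def combined_rule_source(rules):
    """Step 1 rendered as yara rule text whose condition is 'any of them'."""
    lines = ["rule combined {", "  strings:"]
    for (rule_name, sid), pattern in combine_rules(rules).items():
        lines.append('    $%s_%s = "%s"' % (rule_name, sid, pattern.decode("ascii")))
    lines += ["  condition:", "    any of them", "}"]
    return "\n".join(lines)


def scan_buffer(buf, combined):
    """Step 2: every occurrence of every string in the flat buffer."""
    hits = []
    for key, pattern in combined.items():
        start = 0
        while True:
            off = buf.find(pattern, start)
            if off < 0:
                break
            hits.append((off, key))
            start = off + 1
    return sorted(hits)


def derive_context(offset, page_owners):
    """Step 3: the context of a hit is the owner of the page it lands in."""
    return page_owners[offset // PAGE_SIZE]


def evaluate_rules(rules, found):
    """Step 4: test the original rules against the strings seen in one context."""
    matched = []
    for rule_name, rule in rules.items():
        needed = {(rule_name, sid) for sid in rule["strings"]}
        present = needed & found
        if (rule["condition"] == "all" and present == needed) or \
                (rule["condition"] == "any" and present):
            matched.append(rule_name)
    return sorted(matched)


def scan_physical(rules, buf, page_owners):
    """All four steps: hits grouped per context, rules evaluated per context."""
    hits = scan_buffer(buf, combine_rules(rules))
    by_context = defaultdict(set)
    for off, key in hits:
        by_context[derive_context(off, page_owners)].add(key)
    return {ctx: evaluate_rules(rules, found) for ctx, found in by_context.items()}


def scan_naive(rules, buf):
    """What a plain scan of the flat buffer reports: one context for all pages."""
    found = {key for _, key in scan_buffer(buf, combine_rules(rules))}
    return evaluate_rules(rules, found)


def make_page(payload):
    """Pad a constructed payload to one page; no string straddles a page here."""
    assert len(payload) <= PAGE_SIZE
    return payload.ljust(PAGE_SIZE, b"\x00")


# Constructed physical address space: adjacent pages from unrelated processes.
PAGE_OWNERS = ["svchost.exe", "notepad.exe", "evil.exe"]
PHYSICAL = b"".join([
    make_page(b"...CreateRemoteThread..."),                 # page 0: svchost.exe
    make_page(b"...VirtualAllocEx..."),                     # page 1: notepad.exe
    make_page(b"cmd.exe /c start http://example.invalid"),  # page 2: evil.exe
])

if __name__ == "__main__":
    print(combined_rule_source(RULES))
    print("naive:", scan_naive(RULES, PHYSICAL))
    print("per context:", scan_physical(RULES, PHYSICAL, PAGE_OWNERS))
```

Run stand-alone, the naive scan reports both rules, because the two "dropper" strings are found in the same flat buffer even though they sit in pages owned by different processes; the per-context scan reports only "beacon", and only for the page owner that actually contains both of its strings. That difference is the false positive the docstring's design avoids.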

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

__init__(self, *args, **kwargs)
A mixin for those plugins requiring a physical address space.

collect(self)
Collect data that will be passed to renderer.table_row.

__iter__(self)
Make plugins that define collect iterable, as convenience. (Inherited from rekall.plugin.Command)

__repr__(self)
repr(x) (Inherited from rekall.plugin.Command)

__str__(self)
Render into a string using the text renderer. (Inherited from rekall.plugin.Command)

collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)

column_types(self)
Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)

get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)

get_plugin(self, name, **kwargs)
Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)

getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)

reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)

render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
Return only the active commands based on config. (Inherited from rekall.plugin.Command)

GetPrototype(cls, session)
Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)

ImplementationByClass(self, name)

ImplementationByName(self, name)

args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)

is_active(cls, session)
Checks we are active. (Inherited from rekall.plugin.ProfileCommand)
Class Variables
  name = 'yarascan_physical'
  table_header = [{'name': 'Owner', 'width': 20}, {'name': 'Rule...
  scanner_defaults = {'scan_physical': True}
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_windows_memory' (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties

Inherited from object: __class__

Method Details

__init__(self, *args, **kwargs)
(Constructor)

A mixin for those plugins requiring a physical address space.

Args:
  physical_address_space: The physical address space to use. If not
    specified we use the following options:

    1) session.physical_address_space,

    2) Guess using the load_as() plugin,

    3) Use session.kernel_address_space.base.

Overrides: object.__init__
(inherited documentation)

collect(self)


Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header


Value:
[{'name': 'Owner', 'width': 20},
 {'name': 'Rule', 'width': 10},
 {'name': 'Offset', 'style': 'address'},
 {'hex_width': 16, 'name': 'HexDump', 'width': 67},
 {'name': 'Context'}]