Package rekall :: Module scan :: Class BaseScanner

Class BaseScanner



Base class for all scanners.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses.
  top_level_class
Base class for all scanners.
Instance Methods
 
__init__(self, profile=None, address_space=None, window_size=8, session=None, checks=None)
The base scanner.
 
build_constraints(self)
 
check_addr(self, offset, buffer_as=None)
Check an address.
 
skip(self, buffer_as, offset)
Skip uninteresting regions.
 
scan(self, offset=0, maxlen=None, end=None)
Scan the region from offset for maxlen.

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name)
 
ImplementationByName(self, name)
Class Variables
  progress_message = 'Scanning 0x%(offset)08X with %(name)s'
  checks = ()
  overlap = 1024
  classes = {'BaseScanner': <class 'rekall.scan.BaseScanner'>, '...
  classes_by_name = {None: [<class 'rekall.scan.BaseScanner'>, <...
  plugin_feature = 'BaseScanner'
Properties

Inherited from object: __class__

Method Details

__init__(self, profile=None, address_space=None, window_size=8, session=None, checks=None)
(Constructor)

The base scanner.

Args:
   profile: The profile to use for this scan.
   address_space: The address space we use for scanning.
   window_size: The size of the overlap window between each buffer read.

Overrides: object.__init__

check_addr(self, offset, buffer_as=None)

Check an address.

This runs our constraints against the offset and returns if any constraint
does not match.

Args:
   offset: The offset to test (in self.address_space).

Returns:
   None if the offset is not a hit; otherwise the hit.

skip(self, buffer_as, offset)


Skip uninteresting regions.

Where should we go next? By default we go 1 byte ahead, but if some of the checkers have skippers, we may actually go much farther. Checkers with skippers basically tell us that there is no way they can match anything before the skipped result, so there is no point in trying them on all the data in between. This optimization is useful to really speed things up.

scan(self, offset=0, maxlen=None, end=None)

Scan the region from offset for maxlen.

Args:
  offset: The starting offset in our current address space to scan.

  maxlen: The maximum length to scan. If not provided we just scan until
    there is no data.

Yields:
  offsets where all the constraints are satisfied.
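
The loop that check_addr, skip and scan describe, as an added sketch that is not Rekall's source code: TagCheck, FlagCheck, MiniScanner, blocksize and the sample bytes are constructed for illustration, and combining skippers by taking the largest value is an assumption.

```python
class TagCheck:
    """Constructed checker with a skipper: the needle must start at offset i."""
    def __init__(self, needle):
        self.needle = needle
    def check(self, buf, i):
        return buf.startswith(self.needle, i)
    def skip(self, buf, i):
        # No match is possible before the next occurrence of the needle.
        nxt = buf.find(self.needle, i + 1)
        return (nxt if nxt != -1 else len(buf)) - i

class FlagCheck:
    """Constructed checker without a skipper: byte after a 4-byte tag is non-zero."""
    def check(self, buf, i):
        return i + 4 < len(buf) and buf[i + 4] != 0

class MiniScanner:
    overlap = 4  # extra bytes per read so a hit straddling two reads is not lost
    def __init__(self, data, checks, blocksize=16, use_skippers=True):
        self.data, self.checks, self.blocksize = data, checks, blocksize
        self.skippers = [c for c in checks if use_skippers and hasattr(c, "skip")]
        self.tested = 0  # number of offsets the constraints were actually run on
    def check_addr(self, buf, i):
        self.tested += 1
        return all(c.check(buf, i) for c in self.checks)
    def skip(self, buf, i):
        # Every constraint must match, so the largest skip is still safe
        # (assumption of this sketch); the default step is 1 byte.
        return max([1] + [s.skip(buf, i) for s in self.skippers])
    def scan(self, offset=0, maxlen=None):
        end = len(self.data) if maxlen is None else min(len(self.data), offset + maxlen)
        for base in range(offset, end, self.blocksize):
            buf = self.data[base:min(base + self.blocksize + self.overlap, end)]
            i = 0
            while i < min(self.blocksize, len(buf)):  # overlap bytes are lookahead only
                if self.check_addr(buf, i):
                    yield base + i
                i += self.skip(buf, i)

# Constructed sample "memory": the tag at 14 straddles the 16-byte read boundary,
# the tag at 40 has a zero flag byte (rejected by FlagCheck), the tag at 55 is valid.
DATA = b"\x00" * 14 + b"Proc\x01" + b"\x00" * 21 + b"Proc\x00" + b"\x00" * 10 + b"Proc\x02"

def run(use_skippers):
    s = MiniScanner(DATA, [TagCheck(b"Proc"), FlagCheck()], use_skippers=use_skippers)
    return list(s.scan()), s.tested
```

With skippers enabled the same two hits are found while the constraints run on far fewer offsets than the byte-by-byte scan.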


Class Variable Details

classes

Value:
{'BaseScanner': <class 'rekall.scan.BaseScanner'>,
 'CatfishScanner': <class 'rekall.plugins.darwin.common.CatfishScanner'>,
 'CertScanner': <class 'rekall.plugins.windows.dumpcerts.CertScanner'>,
 'ConsoleScanner': <class 'rekall.plugins.windows.malware.cmdhistory.ConsoleScanner'>,
 'DiscontigScannerGroup': <class 'rekall.scan.DiscontigScannerGroup'>,
...

classes_by_name

Value:
{None: [<class 'rekall.scan.BaseScanner'>,
        <class 'rekall.scan.FastStructScanner'>,
        <class 'rekall.scan.MultiStringScanner'>,
        <class 'rekall.scan.PointerScanner'>,
        <class 'rekall.scan.ScannerGroup'>,
        <class 'rekall.scan.DiscontigScannerGroup'>,
        <class 'rekall.plugins.hypervisors.VMCSScanner'>,
        <class 'rekall.plugins.common.sigscan.SignatureScanner'>,
...