Package rekall :: Module scan :: Class MultiStringScanner

Class MultiStringScanner


A scanner for multiple strings at once.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.scan.BaseScanner)
  top_level_class
Base class for all scanners. (Inherited from rekall.scan.BaseScanner)
Instance Methods
 
__init__(self, needles=None, **kwargs)
The base scanner.
 
check_addr(self, offset, buffer_as=None)
Check an address.
 
skip(self, buffer_as, offset)
Skip uninteresting regions.
 
build_constraints(self) (Inherited from rekall.scan.BaseScanner)
 
scan(self, offset=0, maxlen=None, end=None)
Scan the region from offset for maxlen. (Inherited from rekall.scan.BaseScanner)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods
 
ImplementationByClass(self, name)
 
ImplementationByName(self, name)
Class Variables
  needles = []
  checks = () (Inherited from rekall.scan.BaseScanner)
  classes = {'BaseScanner': <class 'rekall.scan.BaseScanner'>, '... (Inherited from rekall.scan.BaseScanner)
  classes_by_name = {None: [<class 'rekall.scan.BaseScanner'>, <... (Inherited from rekall.scan.BaseScanner)
  overlap = 1024 (Inherited from rekall.scan.BaseScanner)
  plugin_feature = 'BaseScanner' (Inherited from rekall.scan.BaseScanner)
  progress_message = 'Scanning 0x%(offset)08X with %(name)s' (Inherited from rekall.scan.BaseScanner)
Properties

Inherited from object: __class__

Method Details

__init__(self, needles=None, **kwargs)
(Constructor)

The base scanner.

Args:
   profile: The profile to use for this scan.
   address_space: The address space we use for scanning.
   window_size: The size of the overlap window between each buffer read.

Overrides: object.__init__
(inherited documentation)

check_addr(self, offset, buffer_as=None)

Check an address.

This calls our constraints on the offset and returns if any constraints
did not match.

Args:
   offset: The offset to test (in self.address_space).

Returns:
   None if the offset is not a hit, the hit if the hit is correct.

Overrides: BaseScanner.check_addr
(inherited documentation)

skip(self, buffer_as, offset)

Skip uninteresting regions.

Where should we go next? By default we go 1 byte ahead, but if some of the checkers have skippers, we may actually go much farther. Checkers with skippers basically tell us that there is no way they can match anything before the skipped result, so there is no point in trying them on all the data in between. This optimization is useful to really speed things up.

Overrides: BaseScanner.skip
(inherited documentation)
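
The skipping described for skip(), combined with the inherited overlap window between buffer reads, as an added sketch that is not Rekall's implementation. The function bodies, the 16-byte chunk size, the needle values and the sample buffer are all assumptions constructed for this illustration.

```python
# Added illustration, not Rekall code; every name below is hypothetical.
NEEDLES = [b"Proc", b"Thre"]
# Constructed sample: "Proc" at 14 straddles a 16-byte read boundary.
SAMPLE = b"\x00" * 14 + b"Proc" + b"\x00" * 30 + b"Thre" + b"\x00" * 5 + b"Proc"


def skip(buf, pos, needles):
    """Bytes to advance from pos to the next place any needle can start."""
    nexts = [i for i in (buf.find(n, pos) for n in needles) if i >= 0]
    return (min(nexts) if nexts else len(buf)) - pos


def check_addr(buf, pos, needles):
    """Return the needle that starts at pos, or None if pos is not a hit."""
    for needle in needles:
        if buf.startswith(needle, pos):
            return needle
    return None


def scan(data, needles, chunk=16, overlap=8):
    """Yield (offset, needle) hits, reading data in chunk-sized buffers.

    Each read is extended by `overlap` bytes so a needle that straddles a
    read boundary is still seen whole. Hits are reported only when they
    start inside the chunk proper, so the overlap never reports one twice.
    `overlap` must be at least len(longest needle) - 1.
    """
    for base in range(0, len(data), chunk):
        buf = data[base:base + chunk + overlap]
        limit = min(chunk, len(buf))
        pos = 0
        while pos < limit:
            step = skip(buf, pos, needles)
            if step:             # nothing can match before pos + step
                pos += step
                continue
            yield base + pos, check_addr(buf, pos, needles)
            pos += 1


if __name__ == "__main__":
    for offset, needle in scan(SAMPLE, NEEDLES):
        print("0x%08X %r" % (offset, needle))
```

Calling scan() with overlap=0 on the same buffer misses the hit at offset 14, because no single read then contains all four bytes of that needle.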

ImplementationByClass(self, name)
Class Method

Overrides: BaseScanner.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: BaseScanner.ImplementationByName