Package rekall :: Module scan :: Class ScannerCheck

Class ScannerCheck

A scanner check is a special class which is invoked on an AS to check for a specific condition.

The main method is def check(self, buffer_as, offset): This will return True if the condition is true or False otherwise.

This class is the base class for all checks.

Nested Classes
	__metaclass__ Automatic Plugin Registration through metaclasses.
	top_level_class A scanner check is a special class which is invoked on an AS to check for a specific condition.

Instance Methods

__init__(self, profile=None, address_space=None, session=None, **_kwargs)
x.__init__(...) initializes x; see help(type(x)) for signature

source code

object_offset(self, offset)

source code

check(self, buffer_as, offset)
Is the needle found at 'offset'?

source code

skip(self, buffer_as, offset)
Determine how many bytes we can skip.

source code

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __repr__, __setattr__, __sizeof__, __str__, __subclasshook__

Class Methods

ImplementationByClass(self, name)

source code

ImplementationByName(self, name)

source code

Class Variables
	classes = `{'CheckPoolIndex': <class 'rekall.plugins.windows.co...`
	classes_by_name = `{None: [<class 'rekall.scan.MultiStringFinde...`
	plugin_feature = `'ScannerCheck'`

Properties
Inherited from `object`: `__class__`

Method Details

init(self, profile=None, address_space=None, session=None, **_kwargs)
(Constructor)

source code

x.__init__(...) initializes x; see help(type(x)) for signature

Overrides: object.__init__: (inherited documentation)

check(self, buffer_as, offset)

source code

Is the needle found at 'offset'?

Arguments:
  buffer_as: An address space object with a chunk of data that can be
    checked for the needle.
offset: The offset in the address space to check.

skip(self, buffer_as, offset)

source code

Determine how many bytes we can skip.

If you want to speed up the scanning define this method - it
will be used to skip the data which is obviously not going to
match. You will need to return the number of bytes from offset
to skip to. We take the maximum number of bytes to guarantee
that all checks have a chance of passing.

Args:
  buffer_as: A BufferAddressSpace instance wrapping self.address_space,
  containing a copy of the data at the specified offset.

  offset: The offset in the address space to check.

Returns:
  Number of bytes to be skipped.

Class Variable Details

classes

Value:

{'CheckPoolIndex': <class 'rekall.plugins.windows.common.CheckPoolInde
x'>,
 'CheckPoolSize': <class 'rekall.plugins.windows.common.CheckPoolSize'
>,
 'CheckPoolType': <class 'rekall.plugins.windows.common.CheckPoolType'
>,
 'DebugChecker': <class 'rekall.scan.DebugChecker'>,
 'MultiPoolTagCheck': <class 'rekall.plugins.windows.common.MultiPoolT
...

classes_by_name

Value:

{None: [<class 'rekall.scan.MultiStringFinderCheck'>,
        <class 'rekall.scan.StringCheck'>,
        <class 'rekall.scan.RegexCheck'>,
        <class 'rekall.scan.DebugChecker'>,
        <class 'rekall.plugins.hypervisors.VMCSCheck'>,
        <class 'rekall.plugins.common.sigscan.SignatureScannerCheck'>,
        <class 'rekall.plugins.windows.common.PoolTagCheck'>,
        <class 'rekall.plugins.windows.common.MultiPoolTagCheck'>,
...

Class ScannerCheck

__init__(self, profile=None, address_space=None, session=None, **_kwargs) (Constructor)

check(self, buffer_as, offset)

skip(self, buffer_as, offset)

classes

classes_by_name

init(self, profile=None, address_space=None, session=None, **_kwargs)
(Constructor)