Module renderer
source code
This module implements the Rekall renderer API.
Rekall has a pluggable rendering system. At the top level we have renderers
which are reponsible for converting the output of plugins into something usable
for the user (whatever that means).
A Rekall plugin uses the renderer to produce output by providing it with a bunch
of objects which are derived from the analysis stage. The renderer is then
responsible for rendering these special objects using pluggable
ObjectRenderer() classes.
1. The framework creates a BaseRenderer implementation (e.g. TextRenderer or
JsonRenderer)
2. This is passed to a plugin's render() method.
3. The Plugin provides various objects to the renderer via its table_row(),
format() etc methods.
4. The renderer than uses specialized ObjectRenderer() instances to render the
objects that the plugin gave it.
For example, by default the renderer used is an instance of TextRenderer. The
PSList() plugin in its render() method, calls renderer.table_row() passing a
WinFileTime() instance as the "Create Time" cell of the table.
The TextRenderer plugin aims to layout the output into the text terminal. For
this to happen it must convert the WinFileTime() instance to a rendering
primitive, specific to the TextRenderer - in this case a Cell() instance. This
conversion is done using an ObjectRenderer instance.
The TextRenderer therefore selects an ObjectRenderer instance based on two
criteria:
- The ObjectRenderer claims to support the WinFileTime() object, or any of its
base classes in order (using the ObjectRenderer.renders_type attribute).
- The ObjectRenderer claims to support the specific renderer
(i.e. TextRenderer) using its `renderers` attribute.
The TextRenderer searches for an ObjectRenderer() by traversing the
WinFileTime's __mro__ (i.e. inheritance hierarchy) for a plugin capable of
rendering it. This essentially goes from most specialized to the least
specialized renderer:
- WinFileTime
- UnixTimeStamp <-- Specialized object renderer for unix times.
- NativeType
- BaseObject
- object <--- Generic renderer for all objects.
Once a renderer is found, it is used to output the cell value.
## NOTES
1. A specialized object renderer is written specifically for the renderer. This
means that it is possible to have a specialized _EPROCESS object renderer for
TextRenderer but when using the JsonRenderer a more general renderer may be
chosen (say at the BaseObject level).
2. The ObjectRenderer.render_row() method actually returns something which makes
sense to the supported renderer. There is no API specification for the return
value. For example the TextRenderer needs a Cell instance but the
JsonRenderer requires just a dict. Since ObjectRenderer instances are only
used within the renderer they only need to cooperate with the renderer class
they support.
|
|
MRO_RENDERER_CACHE = utils.FastStore(100, lock= True)
|
|
|
MRO_CACHE = utils.FastStore(100, lock= True)
|
|
|
__package__ = 'rekall.ui' |
Automatically copy the object renderers for a renderer.
This is a convenience method which automatically generates the handlers for
the given renderer by copying them from the object renderers given in args.
Args:
args: classes to copy.
renderer: A string describing the renderer to apply the object renderers
to.
Return:
Nothing - new renderers are automatically registered.
|