Rietveld Code Review Tool

Issue 299810043: Refactored scanners to use a common interface for selection of scanning regions. (Closed)

Created:
8 years ago by scudette
Modified:
7 years, 11 months ago
Reviewers:
the80srobot, amoser
CC:
rekall-dev_googlegroups.com
Base URL:
https://github.com/google/rekall.git@master
Visibility:
Public.

Description

Refactored scanners to use a common interface for selection of scanning regions.

* Added typed argument parsing for plugins.
* Fixes for the netscan plugin - it was not showing the Owner field properly since it did not switch to the kernel's profile.

R=amoser@google.com

Committed: 7af9fc4645f202712e3a9ac0512330bba1c98d06

Patch Set 1
Patch Set 2
Patch Set 3
Total comments: 6
Patch Set 4
Patch Set 5

Stats: +1289 lines, -570 lines

M rekall-core/rekall/addrspace.py: 1 chunk, +7 lines, -6 lines
M rekall-core/rekall/args.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/obj.py: 5 chunks, +21 lines, -3 lines
M rekall-core/rekall/plugin.py: 3 chunks, +113 lines, -1 line
M rekall-core/rekall/plugins/addrspaces/pagefile.py: 1 chunk, +1 line, -2 lines
M rekall-core/rekall/plugins/addrspaces/win32.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/common/__init__.py: 1 chunk, +1 line, -0 lines
M rekall-core/rekall/plugins/common/address_resolver.py: 6 chunks, +65 lines, -1 line
A rekall-core/rekall/plugins/common/scanners.py: 1 chunk, +124 lines, -0 lines
M rekall-core/rekall/plugins/common/search.py: 6 chunks, +28 lines, -22 lines
M rekall-core/rekall/plugins/darwin/address_resolver.py: 3 chunks, +14 lines, -1 line
M rekall-core/rekall/plugins/darwin/common.py: 1 chunk, +5 lines, -8 lines
M rekall-core/rekall/plugins/darwin/lsof.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/darwin/maps.py: 2 chunks, +2 lines, -2 lines
M rekall-core/rekall/plugins/darwin/networking.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/darwin/processes.py: 3 chunks, +3 lines, -3 lines
M rekall-core/rekall/plugins/darwin/sessions.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/darwin/yarascan.py: 1 chunk, +4 lines, -1 line
M rekall-core/rekall/plugins/darwin/zones.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/guess_profile.py: 2 chunks, +23 lines, -20 lines
M rekall-core/rekall/plugins/linux/address_resolver.py: 2 chunks, +13 lines, -0 lines
M rekall-core/rekall/plugins/linux/bash.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/linux/common.py: 2 chunks, +47 lines, -0 lines
M rekall-core/rekall/plugins/linux/yarascan.py: 1 chunk, +4 lines, -1 line
M rekall-core/rekall/plugins/overlays/basic.py: 3 chunks, +6 lines, -2 lines
M rekall-core/rekall/plugins/overlays/linux/linux.py: 1 chunk, +1 line, -38 lines
M rekall-core/rekall/plugins/overlays/windows/common.py: 4 chunks, +38 lines, -2 lines
M rekall-core/rekall/plugins/overlays/windows/tcpip_vtypes.py: 4 chunks, +73 lines, -1 line
M rekall-core/rekall/plugins/overlays/windows/win10.py: 2 chunks, +31 lines, -0 lines
M rekall-core/rekall/plugins/overlays/windows/win7.py: 1 chunk, +1 line, -2 lines
M rekall-core/rekall/plugins/tools/disassembler.py: 2 chunks, +5 lines, -0 lines
M rekall-core/rekall/plugins/windows/__init__.py: 1 chunk, +1 line, -0 lines
M rekall-core/rekall/plugins/windows/address_resolver.py: 4 chunks, +4 lines, -4 lines
M rekall-core/rekall/plugins/windows/common.py: 3 chunks, +92 lines, -0 lines
M rekall-core/rekall/plugins/windows/filescan.py: 5 chunks, +55 lines, -47 lines
M rekall-core/rekall/plugins/windows/heap_analysis.py: 4 chunks, +8 lines, -8 lines
M rekall-core/rekall/plugins/windows/malware/__init__.py: 1 chunk, +2 lines, -10 lines
M rekall-core/rekall/plugins/windows/malware/psxview.py: 1 chunk, +7 lines, -3 lines
M rekall-core/rekall/plugins/windows/malware/yarascan.py: 1 chunk, +4 lines, -38 lines
M rekall-core/rekall/plugins/windows/misc.py: 4 chunks, +8 lines, -164 lines
M rekall-core/rekall/plugins/windows/modules.py: 1 chunk, +13 lines, -0 lines
M rekall-core/rekall/plugins/windows/netscan.py: 2 chunks, +7 lines, -2 lines
M rekall-core/rekall/plugins/windows/network.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/windows/pagefile.py: 1 chunk, +9 lines, -0 lines
A rekall-core/rekall/plugins/windows/pool.py: 1 chunk, +283 lines, -0 lines
M rekall-core/rekall/plugins/windows/privileges.py: 1 chunk, +1 line, -2 lines
M rekall-core/rekall/plugins/windows/procdump.py: 2 chunks, +3 lines, -2 lines
M rekall-core/rekall/plugins/windows/vadinfo.py: 1 chunk, +1 line, -1 line
M rekall-core/rekall/plugins/yarascanner.py: 4 chunks, +112 lines, -155 lines
M rekall-core/rekall/scan.py: 1 chunk, +4 lines, -2 lines
M rekall-core/rekall/session.py: 5 chunks, +14 lines, -2 lines
M rekall-core/rekall/ui/identity.py: 3 chunks, +13 lines, -2 lines
M rekall-core/rekall/ui/renderer.py: 1 chunk, +1 line, -1 line
M tools/devel/pylintrc: 1 chunk, +1 line, -1 line
M tools/installers/winbuild.py: 1 chunk, +5 lines, -2 lines
M tools/pmem/win_pmem.cc: 1 chunk, +3 lines, -0 lines

Messages

Total messages: 4
scudette
Started to refactor the scanner framework to use a common scanner class which controls the ...
7 years, 12 months ago (2016-04-29 06:26:13 UTC) #1
amoser
LGTM
https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugins/common/search.py
File rekall-core/rekall/plugins/common/search.py (right):
https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugins/common/search.py#newcode267
rekall-core/rekall/plugins/common/search.py:267: with renderer.start(): This looks a bit weird to ...
7 years, 12 months ago (2016-04-30 00:06:51 UTC) #2
scudette
Committed patchset #5 (id:80001) manually as 7af9fc4645f202712e3a9ac0512330bba1c98d06 (presubmit successful).
7 years, 11 months ago (2016-05-02 23:50:31 UTC) #3
scudette
7 years, 11 months ago (2016-05-03 00:33:46 UTC) #4
Message was sent while issue was closed.
https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
File rekall-core/rekall/plugins/common/search.py (right):

https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
rekall-core/rekall/plugins/common/search.py:267: with renderer.start():
On 2016/04/30 00:06:51, amoser wrote:
> This looks a bit weird to me, "with" should already imply that you want to
> "start".
> 
> This is maybe not for this CL I feel it would be better to have only one
> starting point, __enter__. What do you think?

I think either will work actually, but the bare "with" semantics does not allow
passing any parameters like plugin name and kwargs:

with renderer:
    ....

The main renderer which uses this is the json renderer, which can be started and
stopped multiple times in order to run several plugins in a row (this is done in
GRR).

Alternatively we could just call renderer.start() but then we must remember to
call renderer.end() which the __exit__() does for us.

https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
File rekall-core/rekall/plugins/guess_profile.py (right):

https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
rekall-core/rekall/plugins/guess_profile.py:400: KERNEL_PATH = [r"C:\Windows\SysNative\ntoskrnl.exe",
On 2016/04/30 00:06:51, amoser wrote:
> PATHS now?

Done.

This is mainly here to support acquisition with winpmem, because that is a 32-bit
program so it stores the kernel in sysnative instead.

https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
File rekall-core/rekall/plugins/windows/common.py (right):

https://codereview.appspot.com/299810043/diff/40001/rekall-core/rekall/plugin...
rekall-core/rekall/plugins/windows/common.py:672: start=0, end=2**64,
On 2016/04/30 00:06:51, amoser wrote:
> Should this constant come from self.session.kernel_address_space.end()?

Done.
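An added illustration of the `with renderer.start(...)` pattern argued for in the thread above; this is example code, not Rekall's renderer, and `Renderer`, `run_plugins` and the plugin data are hypothetical stand-ins. It shows why `start()` (not a bare `with renderer:`) is the place to pass the plugin name and kwargs, that `__exit__` always calls `end()`, and that the same renderer can be started and ended repeatedly to run several plugins in a row.

```python
import json


class Renderer:
    # Hypothetical stand-in for a JSON renderer; not Rekall's implementation.
    def __init__(self):
        self.active = False
        self.output = []  # one finished JSON document per plugin run

    def start(self, plugin_name=None, kwargs=None):
        # Parameters travel through start(); a bare "with renderer:" has
        # nowhere to put them. Returning self makes it usable in a with block.
        if self.active:
            raise RuntimeError("renderer already started; end() it first")
        self.active = True
        self.plugin_name = plugin_name
        self.kwargs = dict(kwargs or {})
        self.rows = []
        return self

    def end(self):
        # Flush the collected rows, then reset so the renderer can be reused.
        self.output.append(json.dumps(
            {"plugin": self.plugin_name, "kwargs": self.kwargs,
             "rows": self.rows}, sort_keys=True))
        self.active = False

    def table_row(self, *values):
        if not self.active:
            raise RuntimeError("table_row() outside of start()/end()")
        self.rows.append(list(values))

    def __enter__(self):
        if not self.active:  # reached by "with renderer:" without start()
            raise RuntimeError("use 'with renderer.start(...)' instead")
        return self

    def __exit__(self, exc_type, exc, tb):
        self.end()  # runs even when the plugin body raised
        return False  # do not swallow the exception


def run_plugins(renderer, plugins):
    """Run several (name, kwargs, rows) plugins in a row on one renderer."""
    for name, kwargs, rows in plugins:
        with renderer.start(plugin_name=name, kwargs=kwargs):
            for row in rows:
                renderer.table_row(*row)
    return [json.loads(doc) for doc in renderer.output]
```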
