Example #1
    def _get_scopes(self):
        """Return the query scopes: the EFilter defaults plus two helpers.

        Starts from a copy of helpers.EFILTER_SCOPES, so the shared default
        mapping is not modified, and registers:

        timestamp(): wraps a float, int or long in a basic.UnixTimeStamp
           bound to self.session.

        file(): wraps a unicode or str value in a common.FileInformation
           bound to self.session.
        """
        # Extra keyword arguments passed to timestamp() are accepted and
        # ignored.
        to_timestamp = lambda x, **_: basic.UnixTimeStamp(
            value=x, session=self.session)

        # file() tags a string as a filename, which causes the agent to
        # upload it if the user requested uploading files, e.g.:
        # > select file(path.filename.name).filename.name from glob("/*")
        # NOTE(review): the wrapper does not validate or restrict the path
        # it is given; any limit on what may be uploaded has to be enforced
        # where the upload is performed - confirm.
        to_file_info = lambda x: common.FileInformation(
            session=self.session, filename=x)

        query_scopes = helpers.EFILTER_SCOPES.copy()
        query_scopes["timestamp"] = api.user_func(
            to_timestamp, arg_types=[float, int, long])
        query_scopes["file"] = api.user_func(
            to_file_info, arg_types=[unicode, str])
        return query_scopes
Example #2
    def _get_scope(self):
        """Return the query scope: the EFilter defaults plus helper functions.

        Starts from a copy of helpers.EFILTER_SCOPES, so the shared default
        mapping is not modified, and makes these functions available to the
        query:

        timestamp(): Wrap an int, float or long in a UnixTimeStamp so it
           gets rendered properly.

        file(): Marks a string as a file name. The Rekall Agent will
           then potentially upload this file.

        substr(): Returns the [start:end] slice of a string.

        hex(): Formats a number as a hexadecimal string.

        deref(): Dereferences an obj.Pointer.
        """
        # Extra keyword arguments passed to timestamp() are accepted and
        # ignored.
        to_timestamp = lambda x, **_: basic.UnixTimeStamp(
            value=x, session=self.session)

        # file() tags a string as a filename, which causes the agent to
        # upload it if the user requested uploading files, e.g.:
        # > select file(path.filename.name).filename.name from glob("/*")
        # NOTE(review): the wrapper does not validate or restrict the path
        # it is given; any limit on what may be uploaded has to be enforced
        # where the upload is performed - confirm.
        to_file_info = lambda x: common.FileInformation(
            session=self.session, filename=x)

        # start and end are coerced with int() and then follow normal Python
        # slicing rules (out-of-range bounds clamp, negatives count from the
        # end of the string).
        substring = lambda x, start, end: utils.SmartUnicode(x)[
            int(start):int(end)]

        to_hex = lambda x: hex(int(x))

        follow_pointer = lambda x: x.deref()

        query_scope = helpers.EFILTER_SCOPES.copy()
        query_scope["timestamp"] = api.user_func(
            to_timestamp, arg_types=[float, int, long])
        query_scope["file"] = api.scalar_function(
            to_file_info, arg_types=(string.IString,))
        query_scope["substr"] = api.scalar_function(
            substring,
            arg_types=(string.IString, number.INumber, number.INumber))
        query_scope["hex"] = api.scalar_function(
            to_hex, arg_types=(number.INumber,))
        query_scope["deref"] = api.scalar_function(
            follow_pointer, arg_types=(obj.Pointer,))
        return query_scope
Example #3
 def column_types(self):
     """Return a mapping of column name to a sample value for that column.

     The only column is "path", represented by a common.FileInformation
     built for the filename "/etc".
     """
     # NOTE(review): "/etc" looks like a placeholder that only conveys the
     # column's type, not a path that is actually read - confirm.
     sample_path = common.FileInformation(filename="/etc")
     return {"path": sample_path}