def _get_scopes(self):
    """Return a copy of the EFILTER scopes extended with query helpers.

    Two callables are added on top of ``helpers.EFILTER_SCOPES``:

    timestamp(): Wraps a float, int or long in a ``basic.UnixTimeStamp``
        bound to ``self.session``.
    file(): Wraps a string in a ``common.FileInformation`` bound to
        ``self.session``, marking it as a file name.
    """
    # Extra keyword arguments handed to timestamp() are accepted and ignored.
    as_timestamp = lambda x, **_: basic.UnixTimeStamp(
        value=x, session=self.session)

    # file() tags a string as a file name. The agent uploads such a file
    # when the user asked for files to be uploaded.
    # > select file(path.filename.name).filename.name from glob("/*")
    # NOTE(review): the string is wrapped unchanged, with no path checks
    # here; whether a file may leave the host is presumably decided where
    # uploads are performed. Confirm.
    as_file = lambda x: common.FileInformation(
        session=self.session, filename=x)

    query_scopes = helpers.EFILTER_SCOPES.copy()
    query_scopes["timestamp"] = api.user_func(
        as_timestamp, arg_types=[float, int, long])
    query_scopes["file"] = api.user_func(
        as_file, arg_types=[unicode, str])
    return query_scopes
def _get_scope(self):
    """Return a copy of the EFILTER scopes extended with query helpers.

    The following functions become available to the query:

    timestamp(): Wrap an int, long or float in a UnixTimeStamp so it gets
        rendered properly.
    file(): Mark a string as a file name. The Rekall Agent will then
        potentially upload this file.
    substr(): Slice a string between two numeric offsets.
    hex(): Render a number as a hexadecimal string.
    deref(): Call ``deref()`` on a pointer object.
    """
    scope = helpers.EFILTER_SCOPES.copy()

    # timestamp() is the only helper registered through api.user_func; any
    # extra keyword arguments it receives are ignored.
    scope["timestamp"] = api.user_func(
        lambda x, **_: basic.UnixTimeStamp(value=x, session=self.session),
        arg_types=[float, int, long])

    # The remaining helpers are all registered as scalar functions, in the
    # order listed here: (name, implementation, argument types).
    scalar_helpers = (
        # file() indicates that the string represents a filename. The agent
        # uploads it if the user requested uploading files.
        # > select file(path.filename.name).filename.name from glob("/*")
        # NOTE(review): the string is wrapped unchanged, with no path
        # checks here; whether a file may leave the host is presumably
        # decided where uploads are performed. Confirm.
        ("file",
         lambda x: common.FileInformation(session=self.session, filename=x),
         (string.IString,)),
        # start and end are truncated to int and follow Python slice rules.
        ("substr",
         lambda x, start, end: utils.SmartUnicode(x)[int(start):int(end)],
         (string.IString, number.INumber, number.INumber)),
        ("hex",
         lambda x: hex(int(x)),
         (number.INumber,)),
        ("deref",
         lambda x: x.deref(),
         (obj.Pointer,)),
    )
    for helper_name, implementation, accepted_types in scalar_helpers:
        scope[helper_name] = api.scalar_function(
            implementation, arg_types=accepted_types)

    return scope
def column_types(self):
    """Return a one-entry mapping from "path" to a FileInformation object.

    The value is a ``common.FileInformation`` built for the fixed file name
    "/etc"; no session is passed to it.
    """
    # NOTE(review): "/etc" looks like a placeholder that only conveys the
    # type of the "path" column, not a path that is read. Confirm.
    return {"path": common.FileInformation(filename="/etc")}