dissect.target.plugins.scrape.qfind

Module Contents

Classes

QFindPlugin

Basically grep -a "malware" on steroids.

Functions

progress

Progress handler of the qfind plugin.

class dissect.target.plugins.scrape.qfind.QFindPlugin(target: dissect.target.Target)

Bases: dissect.target.plugin.Plugin

Basically grep -a "malware" on steroids.

check_compatible() -> None

Perform a compatibility check with the target.

This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.

Raises:

UnsupportedPluginError – If the plugin could not be loaded.

qfind(needles: list[str] | None = None, needle_file: pathlib.Path | None = None, encoding: str = '', no_hex_decode: bool = False, raw: bool = False, ignore_case: bool = False, allow_non_ascii: bool = False, unique: bool = False, window: int = 256) -> None

Find a needle in a haystack.

Example

# find all instances of "malware" in the target
target-qfind <TARGET> --needles malware

# find all instances of "malware" in the target, ignoring case
target-qfind <TARGET> --needles MaLwArE --ignore-case

# find all instances of "malware" in the target and show raw hex dumps
target-qfind <TARGET> --needles malware --raw

# find all instances of "malware" in the target, in UTF-8 and UTF-16-LE (UTF-8 is default)
target-qfind <TARGET> --needles malware --encoding utf-16-le

# use target-query instead of target-qfind
target-query <TARGET> -f qfind --needles malware
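The options above (needles expanded into several encodings, an automatic hex-decoded form unless --no-hex-decode is given, --ignore-case, and a --window of context bytes around each hit) describe a raw byte scan over the whole target rather than a file-system search. The following added example re-creates that behaviour in plain Python so it can be run and inspected offline. It is not dissect.target's own implementation: the function names (expand_needles, scan, printable, demo_search), the Hit class and the SAMPLE_IMAGE bytes are assumptions constructed for this example. It also shows the one detail a block-wise scanner must get right, a needle straddling a block boundary, which the page's examples do not cover.

```python
"""Added example: a minimal block-wise byte scanner in the spirit of qfind.

Not dissect.target's code. Names and sample data are constructed for this
example only.
"""
from __future__ import annotations

import io
import re
from dataclasses import dataclass
from typing import BinaryIO

HEX_NEEDLE = re.compile(r"^(?:[0-9a-fA-F]{2})+$")


def expand_needles(
    needles: list[str], encodings: tuple[str, ...] = ("utf-8",), hex_decode: bool = True
) -> list[bytes]:
    """Expand text needles into every byte pattern worth scanning for.

    Mirrors --encoding / --no-hex-decode: each needle is encoded with every
    requested codec (UTF-8 first, as the default), and a needle that is itself
    a valid hex string is additionally searched for as the raw bytes it
    denotes, e.g. "deadbeef" is also looked for as b"\\xde\\xad\\xbe\\xef".
    """
    patterns: list[bytes] = []
    for needle in needles:
        for codec in encodings:
            encoded = needle.encode(codec)
            if encoded not in patterns:
                patterns.append(encoded)
        if hex_decode and HEX_NEEDLE.match(needle):
            decoded = bytes.fromhex(needle)
            if decoded not in patterns:
                patterns.append(decoded)
    return patterns


@dataclass(frozen=True)
class Hit:
    offset: int     # absolute byte offset of the match in the haystack
    matched: bytes  # the bytes that matched (case may differ from the needle)
    context: bytes  # up to `window` bytes of surrounding data


def scan(
    fh: BinaryIO,
    patterns: list[bytes],
    *,
    ignore_case: bool = False,
    window: int = 256,
    block_size: int = 64 * 1024,
) -> list[Hit]:
    """Scan a raw byte stream block by block for any of the patterns.

    The last len(longest pattern) - 1 bytes of each block are carried into
    the next block, so a needle straddling a block boundary is still found.
    Offsets are deduplicated because a needle that fits entirely inside the
    carried bytes is seen from both sides of the boundary.
    """
    if not patterns:
        return []
    flags = re.IGNORECASE if ignore_case else 0  # ASCII-only case folding on bytes
    regex = re.compile(b"|".join(re.escape(p) for p in patterns), flags)
    overlap = max(len(p) for p in patterns) - 1

    found: dict[int, bytes] = {}
    carry = b""
    position = 0  # absolute offset of the next byte to be read
    while chunk := fh.read(block_size):
        block = carry + chunk
        base = position - len(carry)
        for m in regex.finditer(block):
            found.setdefault(base + m.start(), m.group(0))
        position += len(chunk)
        carry = block[-overlap:] if overlap else b""

    hits = []
    for offset in sorted(found):
        fh.seek(max(0, offset - window // 2))
        hits.append(Hit(offset, found[offset], fh.read(window)))
    return hits


def printable(hit: Hit, allow_non_ascii: bool = False) -> str:
    """Render context like a non-raw qfind line: printable bytes kept, the rest
    shown as '.', so a UTF-16-LE needle reads as m.a.l.w.a.r.e."""
    keep = set(range(0x20, 0x7F)) | (set(range(0x80, 0x100)) if allow_non_ascii else set())
    return "".join(chr(b) if b in keep else "." for b in hit.context)


# Constructed sample "disk image" (not real forensic data). It holds the needle
# straddling a 64-byte block boundary (offset 60), an upper-case ASCII path
# (MALWARE at offset 119), a UTF-16-LE copy (offset 160) and the raw bytes
# de ad be ef (offset 200); total length 256.
SAMPLE_IMAGE = (
    b"\x00" * 60
    + b"malware"
    + b"\x00" * 29
    + b"C:\\Users\\bob\\Downloads\\MALWARE.exe\x00"
    + b"\x00" * 29
    + "malware".encode("utf-16-le")
    + b"\x00" * 26
    + b"\xde\xad\xbe\xef"
    + b"\x00" * 52
)


def demo_search(needles, encodings=("utf-8",), *, ignore_case=False, hex_decode=True, window=32, block_size=64):
    """Run the scanner over SAMPLE_IMAGE with a small block size to exercise the boundary handling."""
    patterns = expand_needles(list(needles), tuple(encodings), hex_decode)
    return scan(io.BytesIO(SAMPLE_IMAGE), patterns, ignore_case=ignore_case, window=window, block_size=block_size)


if __name__ == "__main__":
    for hit in demo_search(["malware", "deadbeef"], ("utf-8", "utf-16-le"), ignore_case=True):
        print(f"{hit.offset:#010x}  {hit.matched!r:40}  {printable(hit)}")
```

Note that, as in the --encoding example above, the extra encoding is additive: UTF-8 is always searched and utf-16-le is added to it. The case-insensitive match is ASCII-only, which is what makes it work on the interleaved-null UTF-16-LE form as well.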

dissect.target.plugins.scrape.qfind.progress(target: dissect.target.target.Target) -> Callable[[dissect.target.container.Container | dissect.target.volume.Volume, int, int], None]

Progress handler of the qfind plugin.