dissect.target.plugins.scrape.qfind
Module Contents
Classes
- QFindPlugin: Basically grep -a "malware" on steroids.
Attributes
- dissect.target.plugins.scrape.qfind.re_NOFLAG = 0
- dissect.target.plugins.scrape.qfind.QFindMatchRecord
- class dissect.target.plugins.scrape.qfind.QFindPlugin(target: dissect.target.target.Target)
  Bases: dissect.target.plugin.Plugin
  Basically grep -a "malware" on steroids.
  - check_compatible() -> None
    Perform a compatibility check with the target.
    This function should return None if the plugin is compatible with the current target (self.target). For example, check if a certain file exists. Otherwise it should raise an UnsupportedPluginError.
    Raises:
    UnsupportedPluginError – If the plugin could not be loaded.
  - qfind(needles: list[str] | None = None, needle_file: pathlib.Path | None = None, encoding: str = '', no_hex_decode: bool = False, regex: bool = False, ignore_case: bool = False, unique: bool = False, window: int = 256, strip_null_bytes: bool = False, *, progress: collections.abc.Callable[[dissect.target.container.Container | dissect.target.volume.Volume, int, int], None] | None = None) -> collections.abc.Iterator[QFindMatchRecord]
    Find a needle in a haystack.
    Hex encode needles starting with # in needle files, otherwise these needles are ignored.
    Example

        # find all instances of "malware" in the target
        target-qfind <TARGET> --needles malware

        # find all instances of "malware" in the target, ignoring case
        target-qfind <TARGET> --needles MaLwArE --ignore-case

        # find all instances of "malware" in the target and show raw hex dumps
        target-qfind <TARGET> --needles malware --raw

        # find all instances of "malware" in the target, in UTF-8 and UTF-16-LE (UTF-8 is default)
        target-qfind <TARGET> --needles malware --encoding utf-16-le

        # find all matches of regular expression "malware\s\d+" in the target (e.g. "malware 1337")
        target-qfind <TARGET> --needles "malware\s\d+" --regex

        # use a file for needles
        target-qfind <TARGET> --needle-file needles.txt

        # use target-query instead of target-qfind (output in records)
        target-query <TARGET> -f qfind --needles malware
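To make the needle, encoding, ignore_case and window parameters concrete, here is an added sketch of the underlying raw-scan technique; it is not dissect's code and does not call the dissect API. The names scan, offsets and SAMPLE are hypothetical, and the chunk overlap and the window centred on the hit are assumptions of this example.

```python
import io
import re
from collections.abc import Iterator
from typing import BinaryIO

# Constructed sample "disk": one mixed-case ASCII hit that straddles the
# 64-byte chunk boundary (offset 62) and one UTF-16-LE hit (offset 113).
SAMPLE = (b"\x00" * 58 + b"run MaLwArE.exe" + b"\xff" * 40
          + "malware".encode("utf-16-le") + b"\x00" * 30)


def scan(stream: BinaryIO, needle: str, encodings=("utf-8", "utf-16-le"),
         ignore_case: bool = False, window: int = 256,
         chunk_size: int = 1 << 20) -> Iterator[tuple[int, str, bytes]]:
    """Yield (absolute offset, encoding, context bytes) for every hit."""
    flags = re.IGNORECASE if ignore_case else 0
    encoded = {enc: needle.encode(enc) for enc in encodings}
    patterns = {enc: re.compile(re.escape(raw), flags) for enc, raw in encoded.items()}
    # Carry the last (longest needle - 1) bytes into the next chunk so a hit
    # split across two reads is still seen exactly once.
    overlap = max(len(raw) for raw in encoded.values()) - 1
    base, tail, hits = 0, b"", []
    while chunk := stream.read(chunk_size):
        buf = tail + chunk
        start = base - len(tail)  # absolute offset of buf[0]
        for enc, pattern in patterns.items():
            for m in pattern.finditer(buf):
                if m.end() > len(tail):  # else: already reported last round
                    hits.append((start + m.start(), enc))
        base += len(chunk)
        tail = buf[-overlap:] if overlap else b""
    for offset, enc in sorted(hits):
        # Assumption: the window is centred on the hit; needs a seekable stream.
        stream.seek(max(0, offset - window // 2))
        yield offset, enc, stream.read(window)


def offsets(data: bytes, needle: str, **kwargs) -> list[tuple[int, str]]:
    """Convenience wrapper: scan an in-memory image, return (offset, encoding)."""
    return [(off, enc) for off, enc, _ in scan(io.BytesIO(data), needle, **kwargs)]


if __name__ == "__main__":
    for off, enc, ctx in scan(io.BytesIO(SAMPLE), "malware", ignore_case=True,
                              window=32, chunk_size=64):
        print(f"{off:#x} {enc:10} {ctx!r}")
```

Searching the UTF-16-LE form as well as UTF-8 is what catches the second hit, which a plain byte search for the ASCII string misses.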