EFilter bugfixes

BUG= Review URL: https://codereview.appspot.com/322440043 .
attivonetworks · Aug 6, 2017 · 9536a0a · 9536a0a
1 parent 251d4be
commit 9536a0a
Show file tree

Hide file tree

Showing 7 changed files with 278 additions and 153 deletions.
diff --git a/rekall-core/rekall/plugins/common/efilter_plugins/helpers.py b/rekall-core/rekall/plugins/common/efilter_plugins/helpers.py
@@ -2,6 +2,7 @@
 
 import functools
 import re
+import six
 
 from efilter import query as q
 from efilter import api
@@ -39,6 +40,20 @@ def noncase_search_function(regex, value):
     return bool(re.search(unicode(regex), unicode(value), re.I))
 
 
+def substitute(pattern, repl, target):
+    if target is None:
+        return
+
+    if isinstance(target, (list, tuple)):
+        result = []
+        for item in target:
+            result.append(substitute(pattern, repl, item))
+
+        return result
+    else:
+        return re.sub(pattern, repl, six.text_type(target), re.I)
+
+
 EFILTER_SCOPES = dict(
     hex=api.user_func(
         hex_function, arg_types=[int], return_type=[str]),
@@ -52,6 +67,9 @@ def noncase_search_function(regex, value):
     regex_search=api.user_func(
         noncase_search_function, arg_types=[unicode, unicode],
         return_type=[bool]),
+
+    concat=api.user_func(lambda *args: "".join(args)),
+    sub=api.user_func(substitute),
 )
 
 

diff --git a/rekall-core/rekall/plugins/common/efilter_plugins/info.py b/rekall-core/rekall/plugins/common/efilter_plugins/info.py
@@ -37,10 +37,11 @@ class Describe(plugin.TypedProfileCommand, plugin.ProfileCommand):
              help="A plugin or plugin name to describe."),
 
         dict(name="args", required=False, default={}, type="dict",
+             positional=True,
              help="args to run the plugin with."),
 
         dict(name="max_depth", positional=True, required=False,
-             type="IntParser", default=0,
+             type="IntParser", default=3,
              help="The maximum depth to follow mappings."),
     ]
 

diff --git a/rekall-core/rekall/plugins/common/efilter_plugins/ipython.py b/rekall-core/rekall/plugins/common/efilter_plugins/ipython.py
@@ -13,14 +13,6 @@ def _RunPlugin(self, session, plugin_name, line):
 
         return session.RunPlugin(plugin_name, query=line)
 
-    @magic.line_cell_magic
-    def search(self, line, cell=None):
-        session = self.shell.user_global_ns["session"]
-        if cell is None:
-            return self._RunPlugin(session, "search", line)
-        else:
-            return self._RunPlugin(session, "search", cell)
-
     @magic.line_cell_magic
     def SELECT(self, line, cell=None):
         return self._process_select(line, cell)
@@ -39,10 +31,8 @@ def select(self, line, cell=None):
 
     def _process_select(self, line, cell=None):
         session = self.shell.user_module.session
-        if cell is None:
-            return self._RunPlugin(session, "search", "select " + line)
-        else:
-            return self._RunPlugin(session, "search", "select " + cell)
+        return self._RunPlugin(session, "search", "select " + line + (
+            cell or ""))
 
     @magic.line_cell_magic
     def pager(self, line, cell=None):