 |
The Volatility Framework
|
|
|
The Volatility Framework
|
|
A class for API hooks. More...
Public Member Functions | |
| def | __init__ |
| Initalize a hook class instance. More... | |
| def | add_hop_chunk (self, address, data) |
| Support disassembly for multiple hops. | |
| def | Type (self) |
| Translate the hook type into a string. | |
| def | Mode (self) |
| Translate the hook mode into a string. | |
| def | Function (self) |
| Return the function name if its available. | |
| def | Detail (self) |
| The detail depends on the hook type. | |
| def | HookModule (self) |
| Name of the hooking module. | |
| def | VictimModule (self) |
| Name of the victim module. | |
Public Attributes | |
| hook_mode | |
| hook_type | |
| function_name | |
| function_address | |
| hook_address | |
| hook_module | |
| victim_module | |
| decode_bits | |
| disassembled_hops | |
A class for API hooks.
It helps organize the many pieces of information required to report on the hook.
| def volatility.plugins.malware.apihooks.Hook.__init__ | ( | self, | |
| hook_type, | |||
| hook_mode, | |||
| function_name, | |||
function_address = None, |
|||
hook_address = None, |
|||
hook_module = None, |
|||
victim_module = None, |
|||
decode_bits = distorm3.Decode32Bits |
|||
| ) |
Initalize a hook class instance.
hook_type: one of the HOOK_TYPE_* constants hook_mode: one of the HOOK_MODE_* constants
function_name: name of the function being hooked
function_address: address of the hooked function in process or kernel memory.
hook_address: address where the hooked function actually points.
hook_module: the _LDR_DATA_TABLE_ENTRY of the hooking module (owner of the hook_address). note: this can be None if the module cannot be identified.
victim_module: the _LDR_DATA_TABLE_ENTRY of the module being hooked (contains the function_address). note: this can be a string if checking IAT hooks.
1.8.9.1