Scan for calls to imported functions.

Public Member Functions
    def __init__(self, config, args, kwargs)
    def call_scan(self, addr_space, base_address, data)
        Disassemble a block of data and yield possible calls to imported functions.
    def calculate(self)
    def unified_output(self, data)
    def generator(self, data)
    def render_text(self, outfd, data)
        Render as text.
    def render_idc(self, outfd, data)
        Render as IDC.

Public Member Functions inherited from volatility.commands.Command
    def __init__(self, config, _args, _kwargs)
        Constructor uses args as an initializer.
    def help(cls)
        This function returns a string that will be displayed when a user lists available plugins.
    def calculate(self)
        This function is responsible for performing all calculations.
    def execute(self)
        Executes the plugin command.
    def format_value(self, value, fmt)
        Formats an individual field using the table formatting codes.
    def table_header
        Table header renders the title row of a table.
    def table_row(self, outfd, args)
        Outputs a single row of a table.
    def text_cell_renderers(self, columns)
        Returns default renderers for the columns listed.
    def unified_output(self, data)
    def render_text(self, outfd, data)
    def render_greptext(self, outfd, data)
    def render_json(self, outfd, data)
    def render_sqlite(self, outfd, data)
    def render_dot(self, outfd, data)
    def render_html(self, outfd, data)
    def render_xlsx(self, outfd, data)

Static Public Member Functions
    def enum_apis(all_mods)
        Enumerate all exported functions from kernel or process space.

Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
    def is_valid_profile(profile)

Static Public Member Functions inherited from volatility.commands.Command
    def register_options(config)
        Registers options into a config object provided.
    def is_valid_profile(profile)

Public Attributes
    forwarded_imports
        FIXME.

Additional Inherited Members

Static Public Attributes inherited from volatility.commands.Command
    string      op = ""
    string      opts = ""
    string      args = ""
    string      cmdname = ""
    dictionary  meta_info = {}
                elide_data = True
    string      tablesep = " "
                text_sort_column = None
    dictionary  text_stock_renderers
def volatility.plugins.malware.impscan.ImpScan.call_scan(self, addr_space, base_address, data)

Disassemble a block of data and yield possible calls to imported functions.

We're looking for instructions such as these:

    x86: CALL DWORD [0x1000400]
         JMP DWORD [0x1000400]
    x64: CALL QWORD [RIP+0x989d]

On x86, the 0x1000400 address is an entry in the IAT or call table. It stores a DWORD which is the location of the API function being called.

On x64, the 0x989d is a relative offset from the current instruction (RIP).

Parameters
    addr_space    an AS to scan with
    base_address  memory base address
    data          buffer of data found at base_address
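The two operand forms described above, carried through to a resolved import name, as an added stand-alone example that is not the plugin's own code: it byte-scans for the FF 15 (CALL) and FF 25 (JMP) encodings instead of using a disassembler, and the base address, IAT slots, export table and the memory_model strings "32bit"/"64bit" are constructed sample values.

```python
import struct

# Constructed sample layout, not real process memory: code mapped at BASE,
# an IAT at BASE+0x1000 whose slots hold the addresses of two made-up exports.
BASE = 0x400000
IAT = BASE + 0x1000
EXPORTS = {0x7C801D7B: ("kernel32.dll", "LoadLibraryA"),
           0x7C80AE40: ("kernel32.dll", "GetProcAddress")}
SLOTS_X86 = {IAT: 0x7C801D7B, IAT + 4: 0x7C80AE40}   # slot address -> stored DWORD
SLOTS_X64 = {IAT: 0x7C801D7B, IAT + 8: 0x7C80AE40}   # slot address -> stored QWORD

def call_scan(base_address, data, memory_model):
    """Yield (instr_addr, iat_slot) for every CALL/JMP through a memory slot.
    Byte-pattern scan for FF 15 (CALL [disp32]) and FF 25 (JMP [disp32]);
    the plugin itself disassembles, this stand-in does not.
    x86: the operand is the absolute address of the IAT entry.
    x64: the operand is RIP-relative, and RIP is the *next* instruction.
    """
    for i in range(len(data) - 5):
        if data[i] != 0xFF or data[i + 1] not in (0x15, 0x25):
            continue
        instr = base_address + i
        if memory_model == "32bit":
            slot = struct.unpack_from("<I", data, i + 2)[0]
        else:
            disp = struct.unpack_from("<i", data, i + 2)[0]  # signed, may be negative
            slot = instr + 6 + disp                          # 6 = length of FF 15/25 disp32
        yield instr, slot

def resolve_imports(calls, slots, exports):
    """Read the pointer stored in each slot and map it to (dll, api); a slot with no
    known export gives None, which also weeds out most false hits of a byte scan."""
    return [(instr, slot, exports.get(slots.get(slot))) for instr, slot in calls]

def x86_sample():
    # CALL DWORD [IAT]; JMP DWORD [IAT+4]; NOP filler
    code = (b"\xff\x15" + struct.pack("<I", IAT)
            + b"\xff\x25" + struct.pack("<I", IAT + 4) + b"\x90" * 4)
    return resolve_imports(call_scan(BASE, code, "32bit"), SLOTS_X86, EXPORTS)

def x64_sample():
    # Code sits at BASE+0x2000, above the IAT, so both displacements are negative.
    code_base = BASE + 0x2000
    disp0 = IAT - (code_base + 6)          # CALL at code_base, RIP = code_base + 6
    disp1 = (IAT + 8) - (code_base + 12)   # JMP at code_base + 6, RIP = code_base + 12
    code = (b"\xff\x15" + struct.pack("<i", disp0)
            + b"\xff\x25" + struct.pack("<i", disp1) + b"\x90" * 4)
    return resolve_imports(call_scan(code_base, code, "64bit"), SLOTS_X64, EXPORTS)
```

A pure byte scan can match FF 15 / FF 25 sequences that sit inside immediates or data, which is why the real plugin disassembles; the slot-resolution step drops most such hits because the bogus "slot" holds no export address.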
def volatility.plugins.malware.impscan.ImpScan.enum_apis(all_mods)  [static]

Enumerate all exported functions from kernel or process space.

Parameters
    all_mods  list of _LDR_DATA_TABLE_ENTRY

To enum kernel APIs, all_mods is a list of drivers. To enum process APIs, all_mods is a list of DLLs.

The function name is used if available, otherwise we take the ordinal value.
volatility.plugins.malware.impscan.ImpScan.forwarded_imports

FIXME.

ImpScan currently does not work on wow64 processes. Add an option to override the profile's memory_model and allow 32bit disasm on x64 operating systems.