The Volatility Framework
volatility.plugins.malware.threads.AbstractThreadCheck Class Reference

Base thread check class. More...

Inheritance diagram for volatility.plugins.malware.threads.AbstractThreadCheck (direct subclasses):
volatility.plugins.malware.threads.AttachedProcess
volatility.plugins.malware.threads.DkomExit
volatility.plugins.malware.threads.HideFromDebug
volatility.plugins.malware.threads.HookedSSDT
volatility.plugins.malware.threads.HwBreakpoint
volatility.plugins.malware.threads.Impersonation
volatility.plugins.malware.threads.OrphanThread
volatility.plugins.malware.threads.ScannerOnly
volatility.plugins.malware.threads.SystemThread

Public Member Functions

def __init__ (self, thread, mods, mod_addrs, hooked_tables, found_by_scanner)

def check (self)
 Return True or False from this method. Subclasses override it; the base class does not flag anything.

Public Attributes

 thread
 mods
 mod_addrs
 hooked_tables
 found_by_scanner
 flags

Detailed Description

Base thread check class.

Constructor & Destructor Documentation

def volatility.plugins.malware.threads.AbstractThreadCheck.__init__ (self, thread, mods, mod_addrs, hooked_tables, found_by_scanner)
Parameters
 thread: the _ETHREAD object to examine
 mods: a dictionary with module base addresses as keys and _LDR_DATA_TABLE_ENTRY objects as values
 mod_addrs: a sorted list of the module base addresses (the keys of mods), so a containing module can be located by binary search
 hooked_tables: a list of SSDTs that have one or more hooked functions
 found_by_scanner: True if the _ETHREAD passed as the thread parameter was found by pool scanning, False if it was found by walking the thread lists
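The following is an added illustration of how a check built on this constructor interface looks; it is not code from Volatility. Because the real _ETHREAD and _LDR_DATA_TABLE_ENTRY objects need a memory image, the block uses constructed stand-ins (FakeThread, FakeModule, and a minimal re-creation of AbstractThreadCheck, all assumptions) that carry only the fields the example reads. The hypothetical StartAddressOutsideModule check uses mods and the sorted mod_addrs exactly as documented above to decide whether a thread's start address is backed by any loaded module, and the hypothetical UnlinkedThread check reports the found_by_scanner parameter; run_checks shows how a caller would instantiate each check class per thread and collect the ones that fire.

```python
import bisect

# --- Constructed stand-ins (assumptions, not Volatility's classes) ----------

class FakeModule(object):
    """Stand-in for an _LDR_DATA_TABLE_ENTRY: base, image size, name."""
    def __init__(self, base, size, name):
        self.DllBase = base
        self.SizeOfImage = size
        self.BaseDllName = name

class FakeThread(object):
    """Stand-in for an _ETHREAD. tid and found_by_scanner are constructed
    bookkeeping for this example, not _ETHREAD fields."""
    def __init__(self, tid, start_address, found_by_scanner):
        self.tid = tid
        self.StartAddress = start_address
        self.found_by_scanner = found_by_scanner

class AbstractThreadCheck(object):
    """Minimal re-creation of the documented base class (assumed layout)."""
    def __init__(self, thread, mods, mod_addrs, hooked_tables, found_by_scanner):
        self.thread = thread
        self.mods = mods
        self.mod_addrs = mod_addrs
        self.hooked_tables = hooked_tables
        self.found_by_scanner = found_by_scanner
        self.flags = []

    def check(self):
        """Return True or False from this method."""
        return False

# --- Helper: locate the module whose image range contains an address -------

def find_module(mods, mod_addrs, address):
    """Binary-search the sorted base list, then verify the address lies
    inside [DllBase, DllBase + SizeOfImage). Returns the module or None."""
    i = bisect.bisect_right(mod_addrs, address)
    if i == 0:
        return None                      # below the lowest loaded module
    mod = mods[mod_addrs[i - 1]]
    if mod.DllBase <= address < mod.DllBase + mod.SizeOfImage:
        return mod
    return None                          # in a gap between/after modules

# --- Hypothetical checks (not the plugin's own classes) --------------------

class StartAddressOutsideModule(AbstractThreadCheck):
    """Fires when no loaded module backs the thread's start address, a
    common symptom of code injected into unbacked memory."""
    def check(self):
        addr = self.thread.StartAddress
        return find_module(self.mods, self.mod_addrs, addr) is None

class UnlinkedThread(AbstractThreadCheck):
    """Fires when the thread was only reachable by pool scanning, i.e. it
    is missing from the linked thread lists."""
    def check(self):
        return bool(self.found_by_scanner)

# --- Driver: instantiate each check per thread, as a plugin would ----------

CHECKS = [StartAddressOutsideModule, UnlinkedThread]

def run_checks(threads, mods, mod_addrs, hooked_tables, checks=CHECKS):
    """Return {tid: [names of checks that returned True]}."""
    results = {}
    for t in threads:
        results[t.tid] = [
            cls.__name__ for cls in checks
            if cls(t, mods, mod_addrs, hooked_tables, t.found_by_scanner).check()
        ]
    return results

# Constructed sample data: two modules and three threads.
MODS = {
    0x76000000: FakeModule(0x76000000, 0x20000, "kernel32.dll"),
    0x77000000: FakeModule(0x77000000, 0x10000, "ntdll.dll"),
}
MOD_ADDRS = sorted(MODS)
THREADS = [
    FakeThread(1, 0x76001234, False),   # inside kernel32, list-walked: clean
    FakeThread(2, 0x00400000, False),   # unbacked start address
    FakeThread(3, 0x77010000, True),    # one byte past ntdll, and unlinked
]

if __name__ == "__main__":
    for tid, fired in sorted(run_checks(THREADS, MODS, MOD_ADDRS, []).items()):
        print("thread %d: %s" % (tid, ", ".join(fired) or "no findings"))
```

The off-by-one case for thread 3 is why find_module re-checks the image range after the bisect: the highest base at or below an address is not necessarily a module that still covers it.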

The documentation for this class was generated from the following file: