The Volatility Framework
volatility.plugins.malware.impscan.ImpScan Class Reference

Scan for calls to imported functions. More...

Inheritance: volatility.commands.Command -> volatility.plugins.common.AbstractWindowsCommand -> volatility.plugins.malware.impscan.ImpScan

Public Member Functions

def __init__ (self, config, args, kwargs)
 
def call_scan (self, addr_space, base_address, data)
 Disassemble a block of data and yield possible calls to imported functions. More...
 
def calculate (self)
 
def unified_output (self, data)
 
def generator (self, data)
 
def render_text (self, outfd, data)
 Render as text.
 
def render_idc (self, outfd, data)
 Render as IDC.
 
- Public Member Functions inherited from volatility.commands.Command
def __init__ (self, config, _args, _kwargs)
 Constructor uses args as an initializer. More...
 
def help (cls)
 This function returns a string that will be displayed when a user lists available plugins.
 
def calculate (self)
 This function is responsible for performing all calculations. More...
 
def execute (self)
 Executes the plugin command. More...
 
def format_value (self, value, fmt)
 Formats an individual field using the table formatting codes.
 
def table_header
 Table header renders the title row of a table. More...
 
def table_row (self, outfd, args)
 Outputs a single row of a table.
 
def text_cell_renderers (self, columns)
 Returns default renderers for the columns listed.
 
def unified_output (self, data)
 
def render_text (self, outfd, data)
 
def render_greptext (self, outfd, data)
 
def render_json (self, outfd, data)
 
def render_sqlite (self, outfd, data)
 
def render_dot (self, outfd, data)
 
def render_html (self, outfd, data)
 
def render_xlsx (self, outfd, data)
 

Static Public Member Functions

def enum_apis (all_mods)
 Enumerate all exported functions from kernel or process space. More...
 
- Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
def is_valid_profile (profile)
 
- Static Public Member Functions inherited from volatility.commands.Command
def register_options (config)
 Registers options into a config object provided.
 
def is_valid_profile (profile)
 

Public Attributes

 forwarded_imports
 FIXME. More...
 

Additional Inherited Members

- Static Public Attributes inherited from volatility.commands.Command
string op = ""
 
string opts = ""
 
string args = ""
 
string cmdname = ""
 
dictionary meta_info = {}
 
 elide_data = True
 
string tablesep = " "
 
 text_sort_column = None
 
dictionary text_stock_renderers
 

Detailed Description

Scan for calls to imported functions.

Member Function Documentation

def volatility.plugins.malware.impscan.ImpScan.call_scan(self, addr_space, base_address, data)

Disassemble a block of data and yield possible calls to imported functions.

We're looking for instructions such as these:

x86:
CALL DWORD [0x1000400]
JMP DWORD [0x1000400]

x64:
CALL QWORD [RIP+0x989d]

On x86, the 0x1000400 address is an entry in the IAT or call table. It stores a DWORD that is the location of the API function being called.

On x64, the 0x989d is a relative offset from the current instruction (RIP).

Parameters
addr_space: an AS to scan with
base_address: memory base address
data: buffer of data found at base_address
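An added Python illustration of the two patterns call_scan looks for; it is not the plugin's own code (which uses a real disassembler and reads the process address space). It byte-scans for the FF 15 / FF 25 indirect CALL/JMP encodings, resolves the IAT slot absolutely on x86 and RIP-relatively on x64, and keeps a hit only if the slot's pointer resolves to a known export. All addresses, code bytes and the slot/API tables are constructed.

```python
import struct

# Constructed sample memory (hypothetical addresses, not from a real image):
# IAT slot -> pointer stored in it, and API address -> exported name, the
# latter playing the role of what enum_apis() supplies from loaded modules.
IAT_SLOTS = {
    0x01000400: 0x7C801A28,        # x86 slot, holds kernel32!CreateFileA
    0x140009B00: 0x7FFE1234ABCD,   # x64 slot, holds ntdll!NtQuerySystemInformation
}
APIS = {
    0x7C801A28: "kernel32.dll!CreateFileA",
    0x7FFE1234ABCD: "ntdll.dll!NtQuerySystemInformation",
}

# Constructed code bytes. x86 at 0x01001000: CALL DWORD [0x01000400]; NOP;
# JMP DWORD [0x01000400]; CALL DWORD [0x12345678] (slot not in the IAT, dropped).
CODE_X86 = bytes.fromhex("ff1500040001" "90" "ff2500040001" "ff1578563412")
# x64 at 0x140001000: CALL QWORD [RIP+0x8afa]; RET. The next instruction is at
# 0x140001006, so the slot is 0x140001006 + 0x8afa = 0x140009B00.
CODE_X64 = bytes.fromhex("ff15fa8a0000" "c3")


def call_scan(data, base_address, memory_model, slots=IAT_SLOTS, apis=APIS):
    """Return (instruction address, IAT slot, API name) for every CALL/JMP
    through an IAT slot whose stored pointer resolves to a known export.

    Only the encodings described above are matched: FF 15 (CALL) and FF 25
    (JMP) with a disp32 operand. On 32-bit the displacement is the absolute
    slot address; on 64-bit it is relative to RIP (the next instruction).
    """
    hits = []
    for i in range(len(data) - 5):                 # need 6 bytes per candidate
        if data[i] != 0xFF or data[i + 1] not in (0x15, 0x25):
            continue
        insn_addr = base_address + i
        if memory_model == "32bit":
            slot = struct.unpack_from("<I", data, i + 2)[0]
        else:
            disp = struct.unpack_from("<i", data, i + 2)[0]   # signed, RIP-relative
            slot = insn_addr + 6 + disp
        # A byte-pattern hit only counts if the slot holds a pointer to a known
        # export; anything else is FF 15/FF 25 noise inside other code or data.
        api_addr = slots.get(slot)
        if api_addr in apis:
            hits.append((insn_addr, slot, apis[api_addr]))
    return hits


if __name__ == "__main__":
    found = call_scan(CODE_X86, 0x01001000, "32bit")
    found += call_scan(CODE_X64, 0x140001000, "64bit")
    for insn, slot, name in found:
        print(hex(insn), hex(slot), name)
```

Scanning the x64 bytes with the 32-bit model yields nothing, which is the failure the WOW64 note below refers to: the profile's memory_model decides how the displacement is interpreted.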
def volatility.plugins.malware.impscan.ImpScan.enum_apis(all_mods) [static]

Enumerate all exported functions from kernel or process space.

Parameters
all_mods: list of _LDR_DATA_TABLE_ENTRY

To enumerate kernel APIs, all_mods is a list of drivers. To enumerate process APIs, all_mods is a list of DLLs.

The function name is used if available, otherwise we take the ordinal value.

Member Data Documentation

volatility.plugins.malware.impscan.ImpScan.forwarded_imports

FIXME.

ImpScan currently does not work on WOW64 processes. Add an option to override the profile's memory_model and allow 32-bit disassembly on x64 operating systems.


The documentation for this class was generated from the following file: