volatility.plugins.malware.impscan.ImpScan: Scan for calls to imported functions.
Public Member Functions
    def __init__(self, config, args, kwargs)
    def call_scan(self, addr_space, base_address, data)
        Disassemble a block of data and yield possible calls to imported functions.
    def calculate(self)
    def unified_output(self, data)
    def generator(self, data)
    def render_text(self, outfd, data)
        Render as text.
    def render_idc(self, outfd, data)
        Render as IDC.
Public Member Functions inherited from volatility.commands.Command
    def __init__(self, config, _args, _kwargs)
        Constructor uses args as an initializer.
    def help(cls)
        This function returns a string that will be displayed when a user lists available plugins.
    def calculate(self)
        This function is responsible for performing all calculations.
    def execute(self)
        Executes the plugin command.
    def format_value(self, value, fmt)
        Formats an individual field using the table formatting codes.
    def table_header
        Table header renders the title row of a table.
    def table_row(self, outfd, args)
        Outputs a single row of a table.
    def text_cell_renderers(self, columns)
        Returns default renderers for the columns listed.
    def unified_output(self, data)
    def render_text(self, outfd, data)
    def render_greptext(self, outfd, data)
    def render_json(self, outfd, data)
    def render_sqlite(self, outfd, data)
    def render_dot(self, outfd, data)
    def render_html(self, outfd, data)
    def render_xlsx(self, outfd, data)
Static Public Member Functions
    def enum_apis(all_mods)
        Enumerate all exported functions from kernel or process space.
Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
    def is_valid_profile(profile)
Static Public Member Functions inherited from volatility.commands.Command
    def register_options(config)
        Registers options into a config object provided.
    def is_valid_profile(profile)
Public Attributes
    forwarded_imports
        FIXME.
Additional Inherited Members
Static Public Attributes inherited from volatility.commands.Command
    string op = ""
    string opts = ""
    string args = ""
    string cmdname = ""
    dictionary meta_info = {}
    elide_data = True
    string tablesep = " "
    text_sort_column = None
    dictionary text_stock_renderers
def volatility.plugins.malware.impscan.ImpScan.call_scan(self, addr_space, base_address, data)
Disassemble a block of data and yield possible calls to imported functions.
We're looking for instructions such as these:
    x86: CALL DWORD [0x1000400]
         JMP DWORD [0x1000400]
    x64: CALL QWORD [RIP+0x989d]
On x86, the 0x1000400 address is an entry in the IAT or call table. It stores a DWORD which is the location of the API function being called.
On x64, the 0x989d is a displacement relative to RIP (the address immediately after the current instruction), so the IAT entry is at RIP+0x989d.
Parameters:
    addr_space      an AS to scan with
    base_address    memory base address
    data            buffer of data found at base_address
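As an added illustration of the two patterns above (this is not Volatility's code; the plugin uses a full disassembler), the following stand-alone Python scans a buffer for the FF 15 / FF 25 encodings of CALL/JMP through a disp32 memory operand, computes the IAT slot each one references (absolute on x86, RIP-relative on x64), and resolves the slot through constructed IAT and API tables that stand in for addr_space reads and enum_apis() output. All addresses and bytes are hypothetical sample input.

```python
import struct

# Opcode 0xFF with ModRM 0x15 (/2, CALL) or 0x25 (/4, JMP): mod=00, rm=101 selects
# a disp32 memory operand, which is absolute on x86 and RIP-relative on x64.
INDIRECT = {0x15: "CALL", 0x25: "JMP"}

def scan_indirect_calls(data, base_address, memory_model="32bit"):
    """Return (instruction_address, mnemonic, iat_slot) per candidate; a byte-pattern
    scan rather than a disassembly, so matches inside other operands are possible."""
    hits = []
    i = 0
    while i + 6 <= len(data):
        if data[i] == 0xFF and data[i + 1] in INDIRECT:
            disp = struct.unpack_from("<i", data, i + 2)[0]  # signed disp32
            insn_addr = base_address + i
            if memory_model == "64bit":
                # RIP holds the address of the next instruction (this one is 6 bytes)
                slot = (insn_addr + 6 + disp) & 0xFFFFFFFFFFFFFFFF
            else:
                slot = disp & 0xFFFFFFFF
            hits.append((insn_addr, INDIRECT[data[i + 1]], slot))
            i += 6
        else:
            i += 1
    return hits

def resolve_imports(hits, iat_slots, apis):
    """Map each slot to the API it points at; unknown slots/pointers give None."""
    resolved = []
    for insn_addr, mnemonic, slot in hits:
        pointer = iat_slots.get(slot)          # value stored in the IAT slot
        name = apis.get(pointer) if pointer is not None else None
        resolved.append((insn_addr, mnemonic, slot, pointer, name))
    return resolved

# Constructed sample input (hypothetical addresses, not taken from a real image):
#   push ebp; mov ebp, esp; call dword [0x01000400]; jmp dword [0x01000404]; ret
X86_CODE = b"\x55\x8b\xec" b"\xff\x15\x00\x04\x00\x01" b"\xff\x25\x04\x04\x00\x01" b"\xc3"
#   call qword [rip+0x989d]  (the x64 form quoted above), loaded at 0x140001000
X64_CODE = b"\xff\x15\x9d\x98\x00\x00"
# Stand-ins for reading the IAT from addr_space and for enum_apis() output
IAT_SLOTS = {0x01000400: 0x77E5A000, 0x01000404: 0x77E5B120}
APIS = {0x77E5A000: "kernel32.dll!CreateFileA", 0x77E5B120: "kernel32.dll!WriteFile"}

if __name__ == "__main__":
    for row in resolve_imports(scan_indirect_calls(X86_CODE, 0x401000), IAT_SLOTS, APIS):
        print("0x%x %s [0x%x] -> %s" % (row[0], row[1], row[2], row[4]))
    for row in scan_indirect_calls(X64_CODE, 0x140001000, "64bit"):
        print("0x%x %s [rip-relative slot 0x%x]" % row)
```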
static def volatility.plugins.malware.impscan.ImpScan.enum_apis(all_mods)
Enumerate all exported functions from kernel or process space.
Parameters:
    all_mods    list of _LDR_DATA_TABLE_ENTRY
To enum kernel APIs, all_mods is a list of drivers. To enum process APIs, all_mods is a list of DLLs.
The function name is used if available, otherwise we take the ordinal value.
volatility.plugins.malware.impscan.ImpScan.forwarded_imports
FIXME.
ImpScan currently does not work on wow64 processes. Add an option to override the profile's memory_model and allow 32-bit disassembly on x64 operating systems.