Detect API hooks in process and kernel memory.

Public Member Functions
    def __init__(self, config, args, kwargs)
    def compile(self)
        Precompile the regular expression rules.
    def whitelist(self, rule_key, process, src_mod, dst_mod, function)
        Check if an API hook should be ignored due to whitelisting.
    def check_ucpcall(self, addr_space, module, module_group)
        Scan for calls to unknown code pages.
    def check_wsp(self, addr_space, module, module_group)
        Check for hooks of non-exported WSP* functions.
    def gather_stuff(self, _addr_space, module)
        Use the Volatility object classes to enumerate imports and exports.
    def get_hooks(self, hook_mode, addr_space, module, module_group)
        Enumerate IAT, EAT and inline hooks.
    def calculate(self)
    def unified_output(self, data)
    def generator(self, data)
    def render_text(self, outfd, data)

Public Member Functions inherited from volatility.plugins.procdump.ProcDump
    def __init__(self, config, args, kwargs)
    def dump_pe(self, space, base, dump_file)
        Dump a PE from an AS into a file.
    def calculate(self)
    def unified_output(self, data)
        Renders the tasks to disk images, outputting progress as they go.
    def generator(self, data)
    def render_text(self, outfd, data)
        Renders the tasks to disk images, outputting progress as they go.

Public Member Functions inherited from volatility.plugins.taskmods.DllList
    def __init__(self, config, args, kwargs)
    def unified_output(self, data)
    def generator(self, data)
    def render_text(self, outfd, data)
    def filter_tasks(self, tasks)
        Reduce the tasks based on the user-selectable PIDS parameter.
    def calculate(self)
        Produces a list of processes, or just a single process based on an OFFSET.

Public Member Functions inherited from volatility.commands.Command
    def __init__(self, config, _args, _kwargs)
        Constructor uses args as an initializer.
    def help(cls)
        This function returns a string that will be displayed when a user lists available plugins.
    def calculate(self)
        This function is responsible for performing all calculations.
    def execute(self)
        Executes the plugin command.
    def format_value(self, value, fmt)
        Formats an individual field using the table formatting codes.
    def table_header
        Table header renders the title row of a table.
    def table_row(self, outfd, args)
        Outputs a single row of a table.
    def text_cell_renderers(self, columns)
        Returns default renderers for the columns listed.
    def unified_output(self, data)
    def render_text(self, outfd, data)
    def render_greptext(self, outfd, data)
    def render_json(self, outfd, data)
    def render_sqlite(self, outfd, data)
    def render_dot(self, outfd, data)
    def render_html(self, outfd, data)
    def render_xlsx(self, outfd, data)

Public Member Functions inherited from volatility.cache.Testable
    def calculate(self)
        Empty function used to allow mixin.
    def test(self)
        This forces the test to be memoised with a key name derived from the class name.

Static Public Member Functions
    def check_syscall(addr_space, module, module_group)
        Enumerate syscall hooks in ntdll.dll.
    def check_inline
        Check for inline API hooks.

Static Public Member Functions inherited from volatility.plugins.taskmods.DllList
    def virtual_process_from_physical_offset(addr_space, offset)
        Returns a virtual process from a physical offset in memory.

Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
    def is_valid_profile(profile)

Static Public Member Functions inherited from volatility.commands.Command
    def register_options(config)
        Registers options into a config object provided.
    def is_valid_profile(profile)

Public Attributes
    compiled_rules
    critical_process
    critical_dlls
    ucpscan_modules

Additional Inherited Members

Static Public Attributes inherited from volatility.commands.Command
    string op = ""
    string opts = ""
    string args = ""
    string cmdname = ""
    dictionary meta_info = {}
    elide_data = True
    string tablesep = " "
    text_sort_column = None
    dictionary text_stock_renderers
Detect API hooks in process and kernel memory.
def volatility.plugins.malware.apihooks.ApiHooks.check_inline [static]
Check for inline API hooks.
We check for direct and indirect calls, direct and indirect jumps, and PUSH/RET combinations.
va | the virtual address of the function to check
addr_space | process or kernel AS where the function resides
mem_start | base address of the module containing the function being checked
mem_end | end address of the module containing the function being checked
mode | 32 or 64 bit mode (default: 32)
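As an added example, not the plugin's own code (apihooks decodes instructions with distorm3), the following pure-Python check covers the 32-bit encodings of the transfer forms named above and reports a hook when the destination lands outside the owning module's range; the module range, function address and byte strings are constructed for the demo.

```python
import struct

def check_inline(va, code, mem_start, mem_end, read_ptr=None):
    """Return (hook_type, destination) when the 32-bit prologue at `va`
    transfers control outside [mem_start, mem_end), else None.
    `code` holds the bytes read at va (6 suffice for every form here) and
    `read_ptr(addr)` dereferences the pointer slot of an indirect call/jmp;
    without it those two forms cannot be resolved and are skipped."""
    if len(code) < 5:
        return None
    op = code[0]
    if op in (0xE8, 0xE9):                               # call/jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        dest = (va + 5 + rel) & 0xFFFFFFFF
        kind = "direct call" if op == 0xE8 else "direct jmp"
    elif op == 0xFF and len(code) >= 6 and code[1] in (0x15, 0x25):
        if read_ptr is None:                             # call/jmp [abs32]
            return None
        dest = read_ptr(struct.unpack_from("<I", code, 2)[0])
        kind = "indirect call" if code[1] == 0x15 else "indirect jmp"
    elif op == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        dest = struct.unpack_from("<I", code, 1)[0]      # push imm32 ; ret
        kind = "push/ret"
    else:
        return None                        # not a control transfer: clean
    if mem_start <= dest < mem_end:
        return None                        # stays inside the owning module
    return (kind, dest)

# Constructed sample: a function at 0x7C801000 inside a module spanning
# 0x7C800000-0x7C900000 whose first instruction was overwritten with
# `jmp 0x10001000`, beside an untouched prologue for comparison.
MODULE_START, MODULE_END = 0x7C800000, 0x7C900000
FUNC_VA = 0x7C801000
HOOKED = b"\xE9" + struct.pack("<i", 0x10001000 - (FUNC_VA + 5))
CLEAN = b"\x8B\xFF\x55\x8B\xEC\x83"    # mov edi,edi ; push ebp ; mov ebp,esp

if __name__ == "__main__":
    for label, code in (("hooked", HOOKED), ("clean", CLEAN)):
        print(label, check_inline(FUNC_VA, code, MODULE_START, MODULE_END))
```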
def volatility.plugins.malware.apihooks.ApiHooks.check_syscall(addr_space, module, module_group) [static]
Enumerate syscall hooks in ntdll.dll.
A syscall hook is one that modifies the function prologue of an NT API function (e.g. ntdll!NtCreateFile) or swaps the sysenter call target for a malicious address.
addr_space | a process AS for the process containing the ntdll.dll module
module | the _LDR_DATA_TABLE_ENTRY for ntdll.dll
module_group | a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.check_ucpcall(self, addr_space, module, module_group)
Scan for calls to unknown code pages.
addr_space | a kernel AS
module | the _LDR_DATA_TABLE_ENTRY to scan
module_group | a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.check_wsp(self, addr_space, module, module_group)
Check for hooks of non-exported WSP* functions.
The mswsock.dll module contains a global table (_SockProcTable) of pointers to the internal Winsock service provider functions. Because these functions are not exported, the table is located through the reference to it in the exported WSPStartup API, which copies 0x1E (30) pointers from the table into the caller's lpProcTable:

    .text:6C88922E 8B 7D 50          mov     edi, [ebp+lpProcTable]
    .text:6C889231 6A 1E             push    1Eh
    .text:6C889233 59                pop     ecx
    .text:6C889234 BE 40 64 8B 6C    mov     esi, offset _SockProcTable
    .text:6C889239 F3 A5             rep movsd

addr_space | process AS
module | the _LDR_DATA_TABLE_ENTRY for mswsock.dll
module_group | a ModuleGroup instance for the process
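As an added example, not code from the Volatility plugin: locate _SockProcTable from the `mov esi, offset` immediately preceding `rep movsd` in the listing above, then validate each of its 30 entries against the mswsock.dll address range. The WSPPROC_TABLE entry order is taken from ws2spi.h, and the memory map, module range and table contents are constructed for the demo.

```python
import struct

# Entry order of WSPPROC_TABLE as declared in ws2spi.h: 30 (0x1E) slots, the
# count the WSPStartup listing copies with "push 1Eh / pop ecx / rep movsd".
WSP_TABLE = [
    "WSPAccept", "WSPAddressToString", "WSPAsyncSelect", "WSPBind",
    "WSPCancelBlockingCall", "WSPCleanup", "WSPCloseSocket", "WSPConnect",
    "WSPDuplicateSocket", "WSPEnumNetworkEvents", "WSPEventSelect",
    "WSPGetOverlappedResult", "WSPGetPeerName", "WSPGetSockName",
    "WSPGetSockOpt", "WSPGetQOSByName", "WSPIoctl", "WSPJoinLeaf", "WSPListen",
    "WSPRecv", "WSPRecvDisconnect", "WSPRecvFrom", "WSPSelect", "WSPSend",
    "WSPSendDisconnect", "WSPSendTo", "WSPSetSockOpt", "WSPShutdown",
    "WSPSocket", "WSPStringToAddress",
]

def find_sockproctable(code):
    """Return the imm32 of the `mov esi, imm32` (opcode BE) that is directly
    followed by `rep movsd` (F3 A5) in the WSPStartup bytes, or None."""
    i = code.find(b"\xBE")
    while i != -1 and i + 7 <= len(code):
        if code[i + 5:i + 7] == b"\xF3\xA5":
            return struct.unpack_from("<I", code, i + 1)[0]
        i = code.find(b"\xBE", i + 1)
    return None

def check_wsp(read, mem_start, mem_end, wspstartup_code):
    """List (name, pointer) entries of _SockProcTable that point outside
    mswsock.dll's [mem_start, mem_end). `read(va, size)` returns bytes."""
    table = find_sockproctable(wspstartup_code)
    if table is None:
        return None
    ptrs = struct.unpack("<30I", read(table, 4 * 30))
    return [(n, p) for n, p in zip(WSP_TABLE, ptrs)
            if not (mem_start <= p < mem_end)]

# Constructed sample memory. The WSPStartup bytes are those in the listing
# above; the module range and the table contents are made up for the demo.
MSWSOCK_START, MSWSOCK_END = 0x6C880000, 0x6C8C0000
WSPSTARTUP_BYTES = bytes.fromhex("8B7D50 6A1E 59 BE40648B6C F3A5")
_ptrs = [0x6C881000 + 0x40 * i for i in range(30)]
_ptrs[19] = 0x10002000          # WSPRecv redirected out of mswsock.dll
MEMORY = {0x6C8B6440: struct.pack("<30I", *_ptrs)}

def read_mem(va, size):
    """Tiny reader over the constructed MEMORY map."""
    for base, data in MEMORY.items():
        if base <= va and va + size <= base + len(data):
            return data[va - base:va - base + size]
    raise ValueError("unmapped read at 0x%x" % va)
```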
def volatility.plugins.malware.apihooks.ApiHooks.compile(self)
Precompile the regular expression rules.
It is quicker to do this once per plugin run rather than once per API hook that needs checking.
def volatility.plugins.malware.apihooks.ApiHooks.gather_stuff(self, _addr_space, module)
Use the Volatility object classes to enumerate imports and exports.
This function can be overridden to use pefile instead, for speed testing.
def volatility.plugins.malware.apihooks.ApiHooks.get_hooks(self, hook_mode, addr_space, module, module_group)
Enumerate IAT, EAT and inline hooks.
Also acts as a dispatcher for the NT syscall, UCP and Winsock procedure table checks.
hook_mode | one of the HOOK_MODE_* constants
addr_space | a process AS or kernel AS
module | an _LDR_DATA_TABLE_ENTRY for the module being checked for hooks
module_group | a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.whitelist(self, rule_key, process, src_mod, dst_mod, function)
Check if an API hook should be ignored due to whitelisting.
rule_key | a key from the whitelist_rules dictionary which describes the type of hook (e.g. Usermode IAT or Kernel Inline)
process | name of the suspected victim process
src_mod | name of the source module whose function has been hooked. This varies depending on whether we're dealing with IAT, EAT, inline, etc.
dst_mod | name of the module that is the destination of the hook pointer. This is usually the rootkit DLL, EXE, or SYS; however, in many cases there is no module name, since the rootkit is trying to be stealthy.
function | name of the function that has been hooked