The Volatility Framework
volatility.plugins.malware.apihooks.ApiHooks Class Reference

Detect API hooks in process and kernel memory. More...

Inheritance for volatility.plugins.malware.apihooks.ApiHooks (base classes): volatility.plugins.procdump.ProcDump, volatility.plugins.taskmods.DllList, volatility.plugins.common.AbstractWindowsCommand, volatility.cache.Testable, volatility.commands.Command

Public Member Functions

def __init__ (self, config, args, kwargs)
def compile (self)
 Precompile the regular expression rules.
def whitelist (self, rule_key, process, src_mod, dst_mod, function)
 Check if an API hook should be ignored due to whitelisting.
def check_ucpcall (self, addr_space, module, module_group)
 Scan for calls to unknown code pages.
def check_wsp (self, addr_space, module, module_group)
 Check for hooks of non-exported WSP* functions.
def gather_stuff (self, _addr_space, module)
 Use the Volatility object classes to enumerate imports and exports.
def get_hooks (self, hook_mode, addr_space, module, module_group)
 Enumerate IAT, EAT and inline hooks.
def calculate (self)
def unified_output (self, data)
def generator (self, data)
def render_text (self, outfd, data)

- Public Member Functions inherited from volatility.plugins.procdump.ProcDump
def __init__ (self, config, args, kwargs)
def dump_pe (self, space, base, dump_file)
 Dump a PE from an AS into a file.
def calculate (self)
def unified_output (self, data)
 Renders the tasks to disk images, outputting progress as they go.
def generator (self, data)
def render_text (self, outfd, data)
 Renders the tasks to disk images, outputting progress as they go.

- Public Member Functions inherited from volatility.plugins.taskmods.DllList
def __init__ (self, config, args, kwargs)
def unified_output (self, data)
def generator (self, data)
def render_text (self, outfd, data)
def filter_tasks (self, tasks)
 Reduce the tasks based on the user-selectable PIDS parameter.
def calculate (self)
 Produces a list of processes, or just a single process based on an OFFSET.

- Public Member Functions inherited from volatility.commands.Command
def __init__ (self, config, _args, _kwargs)
 Constructor uses args as an initializer.
def help (cls)
 Returns a string that is displayed when a user lists available plugins.
def calculate (self)
 Responsible for performing all calculations.
def execute (self)
 Executes the plugin command.
def format_value (self, value, fmt)
 Formats an individual field using the table formatting codes.
def table_header
 Renders the title row of a table.
def table_row (self, outfd, args)
 Outputs a single row of a table.
def text_cell_renderers (self, columns)
 Returns default renderers for the columns listed.
def unified_output (self, data)
def render_text (self, outfd, data)
def render_greptext (self, outfd, data)
def render_json (self, outfd, data)
def render_sqlite (self, outfd, data)
def render_dot (self, outfd, data)
def render_html (self, outfd, data)
def render_xlsx (self, outfd, data)

- Public Member Functions inherited from volatility.cache.Testable
def calculate (self)
 Empty function used to allow the mixin.
def test (self)
 Forces the test to be memoised with a key name derived from the class name.

Static Public Member Functions

def check_syscall (addr_space, module, module_group)
 Enumerate syscall hooks in ntdll.dll.
def check_inline
 Check for inline API hooks.

- Static Public Member Functions inherited from volatility.plugins.taskmods.DllList
def virtual_process_from_physical_offset (addr_space, offset)
 Returns a virtual process from a physical offset in memory.

- Static Public Member Functions inherited from volatility.plugins.common.AbstractWindowsCommand
def is_valid_profile (profile)

- Static Public Member Functions inherited from volatility.commands.Command
def register_options (config)
 Registers options into the config object provided.
def is_valid_profile (profile)

Public Attributes

 compiled_rules
 
 critical_process
 
 critical_dlls
 
 ucpscan_modules
 

Additional Inherited Members

- Static Public Attributes inherited from volatility.commands.Command
string op = ""
 
string opts = ""
 
string args = ""
 
string cmdname = ""
 
dictionary meta_info = {}
 
 elide_data = True
 
string tablesep = " "
 
 text_sort_column = None
 
dictionary text_stock_renderers
 

Detailed Description

Detect API hooks in process and kernel memory.

Member Function Documentation

def volatility.plugins.malware.apihooks.ApiHooks.check_inline (va, addr_space, mem_start, mem_end, mode = distorm3.Decode32Bits)
static

Check for inline API hooks.

The check looks for direct and indirect calls, direct and indirect jumps, and PUSH/RET combinations at the function entry that transfer control outside the module that owns the function.

Parameters
va: the virtual address of the function to check
addr_space: the process or kernel AS where the function resides
mem_start: base address of the module containing the function being checked
mem_end: end address of the module containing the function being checked
mode: 32- or 64-bit decode mode (default: 32-bit)
Returns
a tuple of (hooked, data, hook_address)
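As an added illustration of the test check_inline performs (this is example code written for this page, not the plugin's implementation, and it decodes only the first instruction at the entry with a hand-rolled 32-bit decoder instead of distorm3), the following classifies a function prologue as hooked when its first direct/indirect CALL or JMP, or PUSH imm32/RET pair, targets an address outside the owning module. The module range, function address and entry bytes are constructed samples.

```python
import struct

# Added example, not the plugin's code. Decodes only the first instruction
# at a function entry (32-bit), covering the transfer forms check_inline
# names: direct/indirect CALL and JMP, and PUSH imm32 / RET.

def _s32(b):
    return struct.unpack("<i", b)[0]

def _u32(b):
    return struct.unpack("<I", b)[0]

def first_branch_target(code, va, read_ptr):
    """Control-transfer target of the instruction at va, or None if the
    entry does not begin with a branch. read_ptr(addr) resolves the
    pointer operand of the indirect forms (FF 15 / FF 25)."""
    op = code[0]
    if op in (0xE8, 0xE9) and len(code) >= 5:        # call/jmp rel32
        return (va + 5 + _s32(code[1:5])) & 0xFFFFFFFF
    if op == 0xEB and len(code) >= 2:                # jmp rel8
        rel = code[1] - 0x100 if code[1] > 0x7F else code[1]
        return (va + 2 + rel) & 0xFFFFFFFF
    if op == 0xFF and len(code) >= 6 and code[1] in (0x15, 0x25):
        return read_ptr(_u32(code[2:6]))             # call/jmp [abs32]
    if op == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        return _u32(code[1:5])                       # push imm32; ret
    return None

def check_inline(code, va, mem_start, mem_end, read_ptr=lambda addr: None):
    """Same result shape as the plugin: (hooked, data, hook_address).
    A transfer counts as a hook only when it leaves the owning module's
    range [mem_start, mem_end); intra-module jumps are ordinary code."""
    target = first_branch_target(code, va, read_ptr)
    if target is None or mem_start <= target < mem_end:
        return (False, code, None)
    return (True, code, target)

# Constructed sample module and entry bytes (not taken from a real image).
MODULE_START, MODULE_END = 0x7C800000, 0x7C900000
FUNC_VA = 0x7C801234
HOOKED_ENTRY = b"\xE9" + struct.pack("<i", 0x10001000 - (FUNC_VA + 5))  # jmp out of module
INTRA_ENTRY = b"\xE9" + struct.pack("<i", 0x7C8F0000 - (FUNC_VA + 5))   # jmp inside module
CLEAN_ENTRY = b"\x8B\xFF\x55\x8B\xEC\x83"   # mov edi,edi; push ebp; mov ebp,esp; ...

if __name__ == "__main__":
    for name, entry in (("hooked", HOOKED_ENTRY), ("intra", INTRA_ENTRY), ("clean", CLEAN_ENTRY)):
        hooked, _, hook_addr = check_inline(entry, FUNC_VA, MODULE_START, MODULE_END)
        print(name, hooked, hex(hook_addr) if hooked else "-")
```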
def volatility.plugins.malware.apihooks.ApiHooks.check_syscall (addr_space, module, module_group)
static

Enumerate syscall hooks in ntdll.dll.

A syscall hook is one that modifies the function prologue of an NT API function (e.g. ntdll!NtCreateFile) or swaps the location of the sysenter stub with a malicious address.

Parameters
addr_space: a process AS for the process containing the ntdll.dll module
module: the _LDR_DATA_TABLE_ENTRY for ntdll.dll
module_group: a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.check_ucpcall (self, addr_space, module, module_group)

Scan for calls to unknown code pages.

Parameters
addr_space: a kernel AS
module: the _LDR_DATA_TABLE_ENTRY to scan
module_group: a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.check_wsp (self, addr_space, module, module_group)

Check for hooks of non-exported WSP* functions.

The mswsock.dll module contains a global variable which points to all the internal Winsock functions. We find the function table by following the reference to it from the exported WSPStartup API, which copies the table into the caller's buffer:

    .text:6C88922E 8B 7D 50          mov     edi, [ebp+lpProcTable]
    .text:6C889231 6A 1E             push    1Eh
    .text:6C889233 59                pop     ecx
    .text:6C889234 BE 40 64 8B 6C    mov     esi, offset _SockProcTable
    .text:6C889239 F3 A5             rep movsd

Parameters
addr_space: a process AS
module: the _LDR_DATA_TABLE_ENTRY for mswsock.dll
module_group: a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.compile (self)

Precompile the regular expression rules.

It's quicker to do this once per plugin run rather than once per API hook that needs checking.

def volatility.plugins.malware.apihooks.ApiHooks.gather_stuff (self, _addr_space, module)

Use the Volatility object classes to enumerate imports and exports.

This function can be overridden to use pefile instead, for speed testing.

def volatility.plugins.malware.apihooks.ApiHooks.get_hooks (self, hook_mode, addr_space, module, module_group)

Enumerate IAT, EAT and inline hooks.

Also acts as a dispatcher for the NT syscall, UCP and Winsock procedure table scans.

Parameters
hook_mode: one of the HOOK_MODE_* constants
addr_space: a process AS or kernel AS
module: the _LDR_DATA_TABLE_ENTRY for the module being checked for hooks
module_group: a ModuleGroup instance for the process
def volatility.plugins.malware.apihooks.ApiHooks.whitelist (self, rule_key, process, src_mod, dst_mod, function)

Check if an API hook should be ignored due to whitelisting.

Parameters
rule_key: a key from the whitelist_rules dictionary which describes the type of hook (e.g. Usermode IAT or Kernel Inline)
process: name of the suspected victim process
src_mod: name of the source module whose function has been hooked. This varies depending on whether we're dealing with IAT, EAT, inline, etc.
dst_mod: name of the module that is the destination of the hook pointer. This is usually the rootkit DLL, EXE or SYS; however, in many cases there is no module name, since the rootkit is trying to be stealthy.
function: name of the function that has been hooked

The documentation for this class was generated from the following file: