
Module userhandles


Analyzes User handles registered with the Win32k Subsystem.

Windows allows user applications to register objects (windows, menus, hooks, timers and so on) with the GUI subsystem, which can then call back into user code for various purposes. For each registered user object win32k.sys allocates a tag* structure (tagWND, tagHOOK, tagEVENTHOOK, ...) and records it in the USER handle table. These allocations live on the win32k heap.

This module enumerates that heap and recovers the tag* object behind each allocation, so that each user object can be examined in more detail.

Two of these user object types are hooks. A user application registers a window message hook with SetWindowsHookEx(), for which win32k allocates a tagHOOK; a WH_KEYBOARD_LL hook that sees every keyboard press is the classic key logger. It registers a WinEvent hook with SetWinEventHook(), for which win32k allocates a tagEVENTHOOK; its callback fires on events such as a desktop switch. Since both are just user objects in the handle table, the user handles plugin can retrieve all of them, and the WinMessageHooks and WinEventHooks plugins below build on it.
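The following is an added example and is not Rekall's own code. It covers both the handle-table walk described above and the hook extraction: it parses a constructed 32-bit USER handle table (the aheList array of HANDLEENTRY structures), reconstructs the handle value each entry implies, keeps only the two hook types, and cross-checks every hit against the HEAD.h field of the object the entry points at, which is how a stale or forged table entry shows up in a memory image. The HANDLEENTRY and HEAD layouts and the TYPE_* codes are the public win32k definitions; the heap contents, addresses, owner pointers and the helper names (walk_handle_table, head_matches, find_hooks) are assumptions made for this example.

```python
"""Walk a constructed USER handle table and pull out the hook objects."""
import struct
from dataclasses import dataclass
from typing import Iterator, List

# USER object type codes carried in HANDLEENTRY.bType (public win32k values).
TYPE_FREE = 0
TYPE_WINDOW = 1
TYPE_MENU = 2
TYPE_CURSOR = 3
TYPE_HOOK = 5            # SetWindowsHookEx -> tagHOOK
TYPE_WINEVENTHOOK = 15   # SetWinEventHook -> tagEVENTHOOK
TYPE_TIMER = 16
TYPE_NAMES = {
    TYPE_FREE: "TYPE_FREE", TYPE_WINDOW: "TYPE_WINDOW", TYPE_MENU: "TYPE_MENU",
    TYPE_CURSOR: "TYPE_CURSOR", TYPE_HOOK: "TYPE_HOOK",
    TYPE_WINEVENTHOOK: "TYPE_WINEVENTHOOK", TYPE_TIMER: "TYPE_TIMER",
}

# HANDLEENTRY { PHEAD phead; PVOID pOwner; BYTE bType; BYTE bFlags; WORD wUniq; }
HANDLEENTRY32 = struct.Struct("<IIBBH")   # 12 bytes on 32-bit win32k
# Every USER object begins with HEAD { HANDLE h; DWORD cLockObj; }
HEAD32 = struct.Struct("<II")


@dataclass
class UserHandle:
    index: int
    uniq: int
    type_: int
    flags: int
    phead: int
    owner: int

    @property
    def handle(self) -> int:
        # User-mode handle value: table index in the low 16 bits, wUniq above it.
        return (self.uniq << 16) | self.index

    @property
    def type_name(self) -> str:
        return TYPE_NAMES.get(self.type_, "TYPE_%d" % self.type_)


def walk_handle_table(ahe_list: bytes, count: int) -> Iterator[UserHandle]:
    """Yield every in-use HANDLEENTRY; stop if the capture is shorter than count."""
    size = HANDLEENTRY32.size
    for index in range(count):
        chunk = ahe_list[index * size:(index + 1) * size]
        if len(chunk) < size:
            break  # cHandleEntries claims more entries than we actually have
        phead, owner, btype, bflags, uniq = HANDLEENTRY32.unpack(chunk)
        if btype == TYPE_FREE:
            continue
        yield UserHandle(index, uniq, btype, bflags, phead, owner)


def head_matches(heap: bytes, heap_base: int, entry: UserHandle) -> bool:
    """Cross-check: the object's own HEAD.h must equal the handle the table implies."""
    off = entry.phead - heap_base
    if off < 0 or off + HEAD32.size > len(heap):
        return False  # phead points outside the captured heap
    h, _lock = HEAD32.unpack_from(heap, off)
    return h == entry.handle


def find_hooks(ahe_list: bytes, count: int, heap: bytes, heap_base: int) -> List[dict]:
    """Return tagHOOK / tagEVENTHOOK entries with their consistency check result."""
    hits = []
    for e in walk_handle_table(ahe_list, count):
        if e.type_ in (TYPE_HOOK, TYPE_WINEVENTHOOK):
            hits.append({"handle": e.handle, "type": e.type_name,
                         "owner": e.owner, "consistent": head_matches(heap, heap_base, e)})
    return hits


# ---- constructed sample data: not taken from any real memory image ----
HEAP_BASE = 0xFE800000   # made-up win32k heap base
PTI_A, PTI_B = 0x8A001000, 0x8A002000   # made-up tagTHREADINFO owners


def build_sample():
    heap = bytearray(0x500)
    # (phead, pOwner, bType, bFlags, wUniq) for six handle-table slots
    entries = [
        (0, 0, TYPE_FREE, 0, 0),
        (HEAP_BASE + 0x100, PTI_A, TYPE_WINDOW, 0, 1),
        (HEAP_BASE + 0x200, PTI_A, TYPE_HOOK, 0, 3),
        (HEAP_BASE + 0x300, PTI_B, TYPE_WINEVENTHOOK, 0, 1),
        (0, 0, TYPE_FREE, 0, 0),
        (HEAP_BASE + 0x400, PTI_B, TYPE_HOOK, 0, 2),
    ]
    table = b"".join(HANDLEENTRY32.pack(*e) for e in entries)
    # Object headers whose HEAD.h agrees with the table entry that points at them.
    HEAD32.pack_into(heap, 0x100, 0x00010001, 1)
    HEAD32.pack_into(heap, 0x200, 0x00030002, 1)
    HEAD32.pack_into(heap, 0x300, 0x00010003, 1)
    # Stale header: the table says uniq 2, the object still carries uniq 1.
    HEAD32.pack_into(heap, 0x400, 0x00010005, 0)
    return table, bytes(heap)


SAMPLE_TABLE, SAMPLE_HEAP = build_sample()

if __name__ == "__main__":
    for hit in find_hooks(SAMPLE_TABLE, 6, SAMPLE_HEAP, HEAP_BASE):
        print("0x%08x %-18s owner=0x%08x consistent=%s"
              % (hit["handle"], hit["type"], hit["owner"], hit["consistent"]))
```

On 64-bit win32k the pointers are 8 bytes and a HANDLEENTRY is 24 bytes, so the struct format must change accordingly; the handle encoding and the HEAD.h cross-check are the same. Against a real image the owner pointer of a hook is a tagTHREADINFO, which is what lets the hook be attributed to a process and thread.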

References:

  - http://mista.nu/research/mandt-win32k-paper.pdf
  - http://volatility-labs.blogspot.de/2012/09/movp-31-detecting-malware-hooks-in.html

Classes
  UserHandles: Dump the USER handle tables
  WinEventHooks: Print details on windows event hooks
  Gahti: Dump the USER handle type information.
  WinMessageHooks: List desktop and thread window message hooks.
Variables
  __package__ = 'rekall.plugins.windows.gui'