Package rekall :: Package plugins :: Package windows :: Package malware :: Module apihooks :: Class CheckPEHooks

Class CheckPEHooks

Checks a pe file mapped into memory for hooks.

Nested Classes
  __metaclass__
Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class
A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Instance Methods

reported_access(self, address)
    Determines if the address should be reported.
detect_IAT_hooks(self)
    Detect Import Address Table hooks.
collect_iat_hooks(self)
detect_EAT_hooks(self, size=0)
    Detect Export Address Table hooks.
collect_eat_hooks(self)
detect_inline_hooks(self)
    A generator of hooked exported functions from this PE file.
collect_inline_hooks(self)
collect(self)
    Collect data that will be passed to renderer.table_row.
__init__(self, *args, **kwargs)
    A mixin for plugins which require a valid kernel address space. (Inherited from rekall.plugin.KernelASMixin)
__iter__(self)
    Make plugins that define collect iterable, as a convenience. (Inherited from rekall.plugin.Command)
__repr__(self)
    repr(x) (Inherited from rekall.plugin.Command)
__str__(self)
    Render into a string using the text renderer. (Inherited from rekall.plugin.Command)
collect_as_dicts(self) (Inherited from rekall.plugin.TypedProfileCommand)
column_types(self)
    Returns instances for each column definition. (Inherited from rekall.plugin.TypedProfileCommand)
get_column(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
get_column_type(self, name) (Inherited from rekall.plugin.TypedProfileCommand)
get_plugin(self, name, **kwargs)
    Returns an instance of the named plugin. (Inherited from rekall.plugin.Command)
getkeys(self) (Inherited from rekall.plugin.TypedProfileCommand)
reflect(self, member) (Inherited from rekall.plugin.TypedProfileCommand)
render(self, renderer, **options) (Inherited from rekall.plugin.TypedProfileCommand)

Inherited from object: __delattr__, __format__, __getattribute__, __hash__, __new__, __reduce__, __reduce_ex__, __setattr__, __sizeof__, __subclasshook__

Class Methods

GetActiveClasses(cls, session)
    Return only the active commands based on config. (Inherited from rekall.plugin.Command)
GetPrototype(cls, session)
    Return an instance of this plugin with suitable default arguments. (Inherited from rekall.plugin.Command)
ImplementationByClass(self, name)
ImplementationByName(self, name)
args(cls, metadata) (Inherited from rekall.plugin.PhysicalASMixin)
is_active(cls, session)
    Checks we are active. (Inherited from rekall.plugin.ProfileCommand)

Class Variables
  name = 'check_pehooks'
  table_header = [{'name': 'Type', 'width': 10}, {'name': 'sourc...
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS = set(['annotation', 'depth', 'hex_width', 'highli... (Inherited from rekall.plugin.TypedProfileCommand)
  classes = {'AFF4Acquire': <class 'rekall.plugins.tools.aff4acq... (Inherited from rekall.plugin.Command)
  classes_by_name = {None: [<class 'rekall.plugins.tools.ipython... (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode = 'mode_windows_memory' (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature = 'Command' (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_options = {} (Inherited from rekall.plugin.TypedProfileCommand)
Properties

Inherited from object: __class__

Method Details

reported_access(self, address)

Determines if the address should be reported.

This assesses the destination address for suspiciousness. For example if the address resides in a VAD region which is not mapped by a dll then it might be suspicious.

detect_IAT_hooks(self)

Detect Import Address Table hooks.

An IAT hook is where malware changes the IAT entry for a DLL after it is loaded, so that when the imported function is called from within the DLL, control flow is directed to the malware instead.

We determine the IAT entry is hooked if the address is outside the DLL that is imported.

detect_EAT_hooks(self, size=0)

Detect Export Address Table hooks.

An EAT hook is where malware changes the EAT entry for a DLL after it is loaded, so that when a new DLL links against it, the new DLL uses the malware's function instead of the exporting DLL's function.

We determine the EAT entry is hooked if the address lies outside the exporting DLL.

detect_inline_hooks(self)

A generator of hooked exported functions from this PE file.

Yields:
  A tuple of (function, name, jump_destination)
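The three detection rules documented above (reported_access, detect_IAT_hooks/detect_EAT_hooks, detect_inline_hooks) all reduce to the same question: does a resolved address fall inside the module that should own it? The following is an added, stand-alone illustration of those rules, not Rekall's own code. It works over a constructed module map and constructed IAT, EAT and function-prologue data with hypothetical addresses; it does not read a memory image, and it only decodes the E9 rel32 form of JMP for the inline case.

```python
# Added example (not Rekall's code): module-range checks behind the
# CheckPEHooks docstrings, run over constructed, hypothetical data.
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, address: int) -> bool:
        return self.base <= address < self.base + self.size


# Constructed module map (hypothetical bases and sizes, not from any image).
MODULES = [
    Module("kernel32.dll", 0x7FF8_0000_0000, 0x10_0000),
    Module("ntdll.dll",    0x7FF8_0100_0000, 0x20_0000),
    Module("app.exe",      0x0000_0000_0040_0000, 0x8_0000),
]


def module_for(address, modules=MODULES):
    """Return the module whose mapped range covers address, or None."""
    for m in modules:
        if m.contains(address):
            return m
    return None


def reported_access(address, modules=MODULES):
    """Rule from the docstring: an address that no known module maps
    (for example a private VAD region) is suspicious and gets reported."""
    return module_for(address, modules) is None


def _owned_by(address, dll, modules):
    owner = module_for(address, modules)
    return owner, (owner is not None and owner.name.lower() == dll.lower())


def detect_iat_hooks(iat, modules=MODULES):
    """iat: list of (importing_module, imported_dll, func_name, resolved_address).
    Hooked when the resolved address lies outside the DLL it is imported from."""
    hooks = []
    for importer, dll, func, target in iat:
        owner, ok = _owned_by(target, dll, modules)
        if not ok:
            hooks.append(("IAT", importer, dll, func, target,
                          owner.name if owner else None))
    return hooks


def detect_eat_hooks(exports, modules=MODULES):
    """exports: list of (exporting_dll, func_name, export_address).
    Hooked when the export address lies outside the exporting DLL."""
    hooks = []
    for dll, func, target in exports:
        owner, ok = _owned_by(target, dll, modules)
        if not ok:
            hooks.append(("EAT", dll, func, target, owner.name if owner else None))
    return hooks


def jmp_destination(address, code):
    """Decode a relative JMP (E9 rel32) at a function's first bytes.
    Returns the jump target, or None if the prologue is not such a jump."""
    if len(code) >= 5 and code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return (address + 5 + rel) & 0xFFFF_FFFF_FFFF_FFFF
    return None


def detect_inline_hooks(dll, functions, modules=MODULES):
    """functions: list of (func_name, address, first_bytes) exported by dll.
    Yields (address, name, jump_destination) when the prologue jumps out of dll;
    a jump that stays inside the exporting module is not reported."""
    for name, address, code in functions:
        dest = jmp_destination(address, code)
        if dest is None:
            continue
        _, ok = _owned_by(dest, dll, modules)
        if not ok:
            yield (address, name, dest)


# Constructed sample data (hypothetical): two bad IAT entries, one bad EAT
# entry, and one kernel32 export whose prologue jumps to an unmapped region.
IAT = [
    ("app.exe", "kernel32.dll", "CreateFileW", 0x7FF8_0001_2340),   # clean
    ("app.exe", "kernel32.dll", "WriteFile",   0x1C0_0000_1000),    # unmapped
    ("app.exe", "ntdll.dll",    "NtCreateFile", 0x7FF8_0005_0000),  # wrong DLL
]
EAT = [
    ("kernel32.dll", "LoadLibraryA", 0x7FF8_0002_0000),  # clean
    ("ntdll.dll",    "NtOpenFile",   0x7FF8_0101_0000),  # clean
    ("ntdll.dll",    "NtWriteFile",  0x1C0_0000_2000),   # unmapped
]
KERNEL32_FUNCS = [
    ("CreateFileW", 0x7FF8_0001_2340, bytes.fromhex("4C8BDC49895B08")),
    ("WriteFile",   0x7FF8_0001_3000,
     b"\xE9" + struct.pack("<i", -0x1001_2005) + b"\x90\x90"),  # -> 0x7FF7F0001000
    ("ReadFile",    0x7FF8_0001_4000,
     b"\xE9" + struct.pack("<i", 0x7_BFFB) + b"\x90\x90"),      # -> inside kernel32
]

if __name__ == "__main__":
    for row in detect_iat_hooks(IAT) + detect_eat_hooks(EAT):
        print(row)
    for row in detect_inline_hooks("kernel32.dll", KERNEL32_FUNCS):
        print(("Inline", "kernel32.dll") + row)
```

The same owner-module test decides all three cases; the only difference is which module is expected to own the address (the imported DLL for the IAT, the exporting DLL for the EAT and for inline jumps). The ReadFile entry shows the caveat the inline rule carries: a prologue jump that lands inside the same DLL is not reported, so patches that stay in-module need a different check.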

collect(self)

Collect data that will be passed to renderer.table_row.

Overrides: plugin.TypedProfileCommand.collect
(inherited documentation)

ImplementationByClass(self, name)
Class Method

Overrides: plugin.Command.ImplementationByClass

ImplementationByName(self, name)
Class Method

Overrides: plugin.Command.ImplementationByName

Class Variable Details

table_header

Value:
[{'name': 'Type', 'width': 10},
 {'name': 'source', 'width': 20},
 {'name': 'target', 'width': 20},
 {'name': 'source_func', 'width': 60},
 {'name': 'target_func'}]