Checks a PE file mapped into memory for hooks.
Nested Classes

__metaclass__: Automatic plugin registration through metaclasses. (Inherited from rekall.plugin.Command)

top_level_class: A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Class Variables

name =

table_header =

PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)

PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)

ROW_OPTIONS = (Inherited from rekall.plugin.TypedProfileCommand)

classes = (Inherited from rekall.plugin.Command)

classes_by_name = (Inherited from rekall.plugin.Command)

error_status = None (Inherited from rekall.plugin.Command)

interactive = False (Inherited from rekall.plugin.Command)

mode = (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)

plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)

plugin_feature = (Inherited from rekall.plugin.Command)

producer = False (Inherited from rekall.plugin.Command)

table_options = (Inherited from rekall.plugin.TypedProfileCommand)
Method Details

Determines whether an address should be reported. The destination address is assessed for suspiciousness; for example, an address that resides in a VAD region not backed by a mapped DLL may be suspicious.

Detect Import Address Table (IAT) hooks. An IAT hook is where malware overwrites a DLL's IAT entry after the DLL is loaded, so that when the imported function is called from within that DLL, control flow is redirected to the malware instead. The IAT entry is considered hooked if the address lies outside the DLL it is imported from.

Detect Export Address Table (EAT) hooks. An EAT hook is where malware overwrites a DLL's EAT entry after the DLL is loaded, so that any new DLL that links against it resolves the malware's function instead of the exporting DLL's own function. The EAT entry is considered hooked if the address lies outside the exporting DLL.

A generator of hooked exported functions from this PE file. Yields: a tuple of (function, name, jump_destination).

Collect data that will be passed to renderer.table_row.
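The three checks described above (suspicious destination, IAT rule, EAT rule) reduce to one question: does the target address fall inside the address range of the module it is supposed to belong to? The following is an added, self-contained model of that logic written for this page; it is not Rekall's code. The module list, the IAT thunks, the export table and the helper names (Module, IATEntry, EATEntry, module_for_address, scan_iat, hooked_exports) are all constructed for illustration.

```python
from collections import namedtuple

# Constructed data model standing in for what a memory-forensics tool would
# read from the process: loaded-module ranges and parsed IAT/EAT entries.
Module = namedtuple("Module", "name base size")
IATEntry = namedtuple("IATEntry", "dll function address")   # import thunk
EATEntry = namedtuple("EATEntry", "ordinal name address")   # export table slot

# Constructed loaded-module list (name, base, size); not real addresses.
MODULES = [
    Module("app.exe",      0x140000000,    0x80000),
    Module("kernel32.dll", 0x7FF800000000, 0x100000),
    Module("ntdll.dll",    0x7FF900000000, 0x1C0000),
]


def module_for_address(address, modules=MODULES):
    """Return the module whose [base, base+size) range holds address, else None."""
    for m in modules:
        if m.base <= address < m.base + m.size:
            return m
    return None


def is_suspicious_destination(address, modules=MODULES):
    """Report an address that lands in no known module, i.e. in a private
    VAD region not backed by a DLL (typical of injected shellcode)."""
    return module_for_address(address, modules) is None


def is_iat_hooked(entry, modules=MODULES):
    """IAT rule: hooked if the thunk points outside the DLL it imports from."""
    owner = module_for_address(entry.address, modules)
    return owner is None or owner.name.lower() != entry.dll.lower()


def is_eat_hooked(exporting_dll, entry, modules=MODULES):
    """EAT rule: hooked if the exported address lies outside the exporting DLL."""
    owner = module_for_address(entry.address, modules)
    return owner is None or owner.name.lower() != exporting_dll.lower()


def scan_iat(entries, modules=MODULES):
    """Names of imported functions whose IAT thunks fail the rule above."""
    return [e.function for e in entries if is_iat_hooked(e, modules)]


def hooked_exports(exporting_dll, exports, modules=MODULES):
    """Generator of hooked exports, yielding (ordinal, name, jump_destination)
    in the shape of the page's (function, name, jump_destination) tuple."""
    for e in exports:
        if is_eat_hooked(exporting_dll, e, modules):
            yield (e.ordinal, e.name, e.address)


# Constructed sample: one clean thunk, one into unmapped memory, one that
# points into the wrong module (a kernel32 import resolved into app.exe).
SAMPLE_IAT = [
    IATEntry("kernel32.dll", "CreateFileW", 0x7FF800012340),
    IATEntry("kernel32.dll", "WriteFile",   0xDEAD0000),
    IATEntry("kernel32.dll", "ReadFile",    0x140002000),
]

# Constructed ntdll export table: NtCreateFile's slot redirected into app.exe.
SAMPLE_EXPORTS = [
    EATEntry(1, "NtClose",      0x7FF900010000),
    EATEntry(2, "NtCreateFile", 0x140001000),
]

if __name__ == "__main__":
    for name in scan_iat(SAMPLE_IAT):
        print("IAT hook:", name)
    for ordinal, name, dest in hooked_exports("ntdll.dll", SAMPLE_EXPORTS):
        print("EAT hook: #%d %s -> 0x%X" % (ordinal, name, dest))
```

Two caveats a practitioner should keep in mind when applying the "outside the DLL" rule to a real image. First, forwarded exports (for example kernel32 functions forwarded to ntdll) and the API-set schema DLLs on modern Windows legitimately resolve to addresses outside the nominally imported DLL, so a production check must consult the export's forwarder string before flagging such entries, or it will produce false positives. Second, the rule only catches table hooks: an inline hook that patches the first bytes of a function inside the legitimate module leaves the IAT and EAT pointing at the right place and needs a separate check of the function prologue.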
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:11 2017 | http://epydoc.sourceforge.net |