A Hook heuristic detects possible hooks.
This heuristic emulates some common CPU instructions to try and detect
control flow jumps within the first few instructions of a function.
These are essentially guesses based on the most common hook types. Be
aware that these are pretty easy to defeat which will cause the hook to
be missed.
See rekall/src/hooks/amd64.asm and rekall/src/hooks/i386.asm For the
test cases which illustrate the type of hooks that we will detect.
|
|
__init__(self,
session=None)
x.__init__(...) initializes x; see help(type(x)) for signature |
source code
|
|
|
|
|
|
|
|
|
|
|
|
|
process_lea(self,
instruction)
Copies the address from the second operand to the first. |
source code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
process_cmp(self,
instruction)
We dont do anything with the comparison since we dont test for it. |
source code
|
|
|
|
process_test(self,
instruction)
We dont do anything with the comparison since we dont test for it. |
source code
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Inspect(self,
function,
instructions=10)
The main entry point to the Hook processor. |
source code
|
|
|
Inherited from object:
__delattr__,
__format__,
__getattribute__,
__hash__,
__new__,
__reduce__,
__reduce_ex__,
__repr__,
__setattr__,
__sizeof__,
__str__,
__subclasshook__
|
