Scan for calls to imported functions.
Nested Classes

  __metaclass__: Automatic Plugin Registration through metaclasses. (Inherited from rekall.plugin.Command)
  top_level_class: A command can be run from the rekall command line. (Inherited from rekall.plugin.Command)
Class Variables

  FORWARDED_IMPORTS
  CALL_RULE
  JMP_RULE
  METHODS (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  PHYSICAL_AS_REQUIRED = True (Inherited from rekall.plugin.PhysicalASMixin)
  PROFILE_REQUIRED = True (Inherited from rekall.plugin.ProfileCommand)
  ROW_OPTIONS (Inherited from rekall.plugin.TypedProfileCommand)
  classes (Inherited from rekall.plugin.Command)
  classes_by_name (Inherited from rekall.plugin.Command)
  error_status = None (Inherited from rekall.plugin.Command)
  interactive = False (Inherited from rekall.plugin.Command)
  mode (Inherited from rekall.plugins.windows.common.AbstractWindowsCommandPlugin)
  plugin_args = None (Inherited from rekall.plugin.ArgsParserMixin)
  plugin_feature (Inherited from rekall.plugin.Command)
  producer = False (Inherited from rekall.plugin.Command)
  table_header = None (Inherited from rekall.plugin.TypedProfileCommand)
  table_options (Inherited from rekall.plugin.TypedProfileCommand)
Properties

  filtering_requested (Inherited from rekall.plugins.windows.common.WinProcessFilter)
  name (Inherited from rekall.plugin.Command)
Method Details

Declare the command line args we need.

Scans the imports from a module.

Often when dumping a PE executable from memory the import address tables are overwritten. This makes it hard to resolve function names when disassembling the binary. This plugin enumerates all DLLs in the process address space and examines their export address tables. It then disassembles the executable code looking for calls to external functions, and attempts to resolve the names of those calls using the exported functions gathered in the first step.

This technique can be used for a process, or for the kernel itself. In the former case we examine DLLs, while in the latter case we examine kernel modules using the modules plugin.

Args:
  base: Start disassembling at this address. This is normally the base address of the DLL or module we care about. If omitted we use the kernel base (if in kernel mode) or the main executable (if in process mode).
  size: Disassemble this many bytes from the address space. If omitted we disassemble the module which starts at base.
  kernel: The mode to use. If set, we operate in kernel mode.
Locate calls in a block of code.

Disassemble a block of data and yield possible calls to imported functions. We're looking for instructions such as these:

  x86:  CALL DWORD [0x1000400]
        JMP DWORD [0x1000400]
  x64:  CALL QWORD [RIP+0x989d]

On x86, the 0x1000400 address is an entry in the IAT or call table. It stores a DWORD which is the location of the API function being called. On x64, the 0x989d is a relative offset from the current instruction (RIP). So we simply disassemble the entire code section of the executable looking for calls, then collect all the targets of those calls.
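The scan described above, as an added example in pure Python (not Rekall's own code) that needs no disassembler: it matches only the two indirect CALL/JMP-through-memory encodings the docstring names, derives the slot address for x86 (absolute) and x64 (RIP-relative), and keeps only targets found in a previously gathered export table. The IAT contents, export addresses, function names and code bytes are constructed sample data, and the read_pointer callback stands in for reading the process address space.

```python
import struct

# FF 15 disp32 = CALL [mem], FF 25 disp32 = JMP [mem]. Same encoding on x86
# and x64; only disp32 differs: an absolute slot address on x86, an offset
# from RIP (the address of the next instruction) on x64.
INDIRECT_OPCODES = {b"\xff\x15": "CALL", b"\xff\x25": "JMP"}

def find_import_calls(code, base, arch, read_pointer):
    """Yield (insn_addr, mnemonic, slot, target) for each CALL/JMP through
    a memory slot. read_pointer(slot) returns the address stored there or
    None. This is an opcode scan, not a full disassembly, so candidates
    must still be confirmed against the export table (resolve_imports)."""
    i = 0
    while i + 6 <= len(code):
        mnemonic = INDIRECT_OPCODES.get(code[i:i + 2])
        if mnemonic is None:
            i += 1
            continue
        insn_addr = base + i
        disp = struct.unpack("<i", code[i + 2:i + 6])[0]
        if arch == "amd64":
            slot = (insn_addr + 6 + disp) & 0xFFFFFFFFFFFFFFFF
        else:
            slot = disp & 0xFFFFFFFF
        target = read_pointer(slot)
        if target is not None:
            yield insn_addr, mnemonic, slot, target
        i += 6

def resolve_imports(code, base, arch, read_pointer, exports):
    """Keep only candidates whose target is a known exported function."""
    return [(addr, mnem, slot, exports[target])
            for addr, mnem, slot, target
            in find_import_calls(code, base, arch, read_pointer)
            if target in exports]

# Constructed x86 sample: two IAT slots holding the addresses of two made-up
# exports, plus one indirect call through a slot that is not in the IAT.
IAT = {0x1000400: 0x77E41234, 0x1000404: 0x77E45678}
EXPORTS = {0x77E41234: "kernel32!CreateFileW", 0x77E45678: "kernel32!WriteFile"}
CODE = (b"\x55"                                        # push ebp
        + b"\xff\x15" + struct.pack("<I", 0x1000400)   # call dword [0x1000400]
        + b"\x90"                                      # nop
        + b"\xff\x25" + struct.pack("<I", 0x1000404)   # jmp dword [0x1000404]
        + b"\xff\x15" + struct.pack("<I", 0x41414141)) # call via unknown slot

if __name__ == "__main__":
    for hit in resolve_imports(CODE, 0x401000, "i386", IAT.get, EXPORTS):
        print("%#x %s [%#x] -> %s" % hit)
```

The third call in the sample goes through a slot the IAT does not contain, so it is reported by neither function; that filtering against gathered exports is what turns a raw opcode scan into usable import names.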
Produce results on the renderer given.

Each plugin should implement this method to produce output on the renderer. The framework will initialize the plugin and provide it with some kind of renderer to write output on. The plugin should not assume that the renderer is actually TextRenderer, only that the methods defined in the BaseRenderer exist.

Args:
  renderer: A renderer based on rekall.ui.renderer.BaseRenderer.
Generated by Epydoc 3.0.1 on Mon Oct 9 03:29:13 2017 (http://epydoc.sourceforge.net)