Class ImpScan

Declare the command line args we need.

Overrides: plugin.Command.args

Scans the imports from a module.

Often when dumping a PE executable from memory the import address tables
are over written. This makes it hard to resolve function names when
disassembling the binary.

This plugin enumerates all dlls in the process address space and
examines their export address tables. It then disassembles the
executable code for calls to external functions. We attempt to resolve
the names of the calls using the known exported functions we gathered in
step 1.

This technique can be used for a process, or the kernel itself. In the
former case, we examine dlls, while in the later case we examine kernel
modules using the modules plugin.

Args:

  base: Start disassembling at this address - this is normally the base
    address of the dll or module we care about. If omitted we use the
    kernel base (if in kernel mode) or the main executable (if in
    process mode).

  size: Disassemble this many bytes from the address space. If omitted
    we use the module which starts at base.

  kernel: The mode to use. If set, we operate in kernel mode.

Overrides: object.__init__

Locate calls in a block of code.

Disassemble a block of data and yield possible calls to imported functions. We're looking for instructions such as these:

x86: CALL DWORD [0x1000400] JMP DWORD [0x1000400]

x64: CALL QWORD [RIP+0x989d]

On x86, the 0x1000400 address is an entry in the IAT or call table. It stores a DWORD which is the location of the API function being called.

On x64, the 0x989d is a relative offset from the current instruction (RIP).

So we simply disassemble the entire code section of the executable looking for calls, then we collect all the targets of the calls.

Parameters:

• addr_space - an AS to scan with
• base_address - memory base address
• data - buffer of data found at base_address

Produce results on the renderer given.

Each plugin should implement this method to produce output on the
renderer. The framework will initialize the plugin and provide it with
some kind of renderer to write output on. The plugin should not assume
that the renderer is actually TextRenderer, only that the methods
defined in the BaseRenderer exist.

Args:
  renderer: A renderer based at rekall.ui.renderer.BaseRenderer.

Overrides: plugin.Command.render

(inherited documentation)

Overrides: plugin.Command.ImplementationByClass

Overrides: plugin.Command.ImplementationByName

FORWARDED_IMPORTS

Value:

{'RtlAllocateHeap': 'kernel32.dll!HeapAlloc', 'RtlDeleteCriticalSection': 'kernel32.dll!DeleteCriticalSection', 'RtlEnterCriticalSection': 'kernel32.dll!EnterCriticalSection', 'RtlFreeHeap': 'kernel32.dll!HeapFree', 'RtlGetLastWin32Error': 'kernel32.dll!GetLastError', 'RtlLeaveCriticalSection': 'kernel32.dll!LeaveCriticalSection', 'RtlReAllocateHeap': 'kernel32.dll!HeapReAlloc', 'RtlRestoreLastWin32Error': 'kernel32.dll!SetLastError', ...

CALL_RULE

Value:

{'mnemonic': 'CALL', 'operands': [{'address': '$address', 'target': '$target', 'type': 'MEM'}]}

JMP_RULE

Value:

{'mnemonic': 'JMP', 'operands': [{'address': '$address', 'target': '$target', 'type': 'MEM'}]}