Package rekall :: Package plugins :: Package windows :: Package malware :: Module svcscan

Module svcscan

Classes
	ServiceModification A modification for the service control manager.
	SvcRecordScanner A scanner for the service tags.
	SvcHeaderScanner A scanner for the service tags.
	SvcScan Scan for Windows services

Variables
	SERVICE_TYPE_FLAGS = `{'SERVICE_FILE_SYSTEM_DRIVER': 1, 'SERVIC...`
	SERVICE_STATE_ENUM = `{1: 'SERVICE_STOPPED', 2: 'SERVICE_START_...`
	svcscan_base_x86 = `{'_SERVICE_HEADER': [None, {'ServiceRecord'...`
	svcscan_base_x64 = `{'_SERVICE_HEADER': [None, {'ServiceRecord'...`
	__package__ = `'rekall.plugins.windows.malware'`

Variables Details

SERVICE_TYPE_FLAGS

Value:

{'SERVICE_FILE_SYSTEM_DRIVER': 1,
 'SERVICE_INTERACTIVE_PROCESS': 8,
 'SERVICE_KERNEL_DRIVER': 0,
 'SERVICE_WIN32_OWN_PROCESS': 4,
 'SERVICE_WIN32_SHARE_PROCESS': 5}

SERVICE_STATE_ENUM

Value:

{1: 'SERVICE_STOPPED',
 2: 'SERVICE_START_PENDING',
 3: 'SERVICE_STOP_PENDING',
 4: 'SERVICE_RUNNING',
 5: 'SERVICE_CONTINUE_PENDING',
 6: 'SERVICE_PAUSE_PENDING',
 7: 'SERVICE_PAUSED'}

svcscan_base_x86

Value:

{'_SERVICE_HEADER': [None,
                     {'ServiceRecord': [12,
                                        ['pointer',
                                         ['_SERVICE_RECORD']]],
                      'Tag': [0, ['array', 4, ['unsigned char']]]}],
 '_SERVICE_PROCESS': [None,
                      {'BinaryPath': [8,
                                      ['pointer', ['UnicodeString', {'
...

svcscan_base_x64

Value:

{'_SERVICE_HEADER': [None,
                     {'ServiceRecord': [16,
                                        ['Pointer',
                                         {'target': '_SERVICE_RECORD'}
]],
                      'Tag': [0,
                              ['Array',
                               {'count': 4, 'target': 'unsigned char'}
...