volatility3.plugins.windows.malware package

All core windows malware plugins.

These modules should only be imported from volatility3.plugins NOT volatility3.framework.plugins

Submodules

• volatility3.plugins.windows.malware.direct_system_calls module
  • DirectSystemCalls
    • DirectSystemCalls.build_configuration()
    • DirectSystemCalls.config
    • DirectSystemCalls.config_path
    • DirectSystemCalls.context
    • DirectSystemCalls.get_disasm_function()
    • DirectSystemCalls.get_range_path()
    • DirectSystemCalls.get_requirements()
    • DirectSystemCalls.get_tasks_to_scan()
    • DirectSystemCalls.get_vad_maps()
    • DirectSystemCalls.make_subconfig()
    • DirectSystemCalls.open
    • DirectSystemCalls.run()
    • DirectSystemCalls.set_open_method()
    • DirectSystemCalls.unsatisfied()
    • DirectSystemCalls.valid_syscall_handlers
    • DirectSystemCalls.version
  • syscall_finder_type
    • syscall_finder_type.count()
    • syscall_finder_type.get_syscall_target_address
    • syscall_finder_type.index()
    • syscall_finder_type.invalid_ops
    • syscall_finder_type.rule_str
    • syscall_finder_type.termination_ops
    • syscall_finder_type.wants_syscall_inst
• volatility3.plugins.windows.malware.drivermodule module
  • DriverModule
    • DriverModule.build_configuration()
    • DriverModule.config
    • DriverModule.config_path
    • DriverModule.context
    • DriverModule.get_requirements()
    • DriverModule.make_subconfig()
    • DriverModule.open
    • DriverModule.run()
    • DriverModule.set_open_method()
    • DriverModule.unsatisfied()
    • DriverModule.version
• volatility3.plugins.windows.malware.hollowprocesses module
  • DLLData
    • DLLData.count()
    • DLLData.index()
    • DLLData.path
  • HollowProcesses
    • HollowProcesses.build_configuration()
    • HollowProcesses.config
    • HollowProcesses.config_path
    • HollowProcesses.context
    • HollowProcesses.get_requirements()
    • HollowProcesses.make_subconfig()
    • HollowProcesses.open
    • HollowProcesses.run()
    • HollowProcesses.set_open_method()
    • HollowProcesses.unsatisfied()
    • HollowProcesses.version
  • VadData
    • VadData.count()
    • VadData.index()
    • VadData.path
    • VadData.protection
• volatility3.plugins.windows.malware.indirect_system_calls module
  • IndirectSystemCalls
    • IndirectSystemCalls.build_configuration()
    • IndirectSystemCalls.config
    • IndirectSystemCalls.config_path
    • IndirectSystemCalls.context
    • IndirectSystemCalls.get_disasm_function()
    • IndirectSystemCalls.get_range_path()
    • IndirectSystemCalls.get_requirements()
    • IndirectSystemCalls.get_tasks_to_scan()
    • IndirectSystemCalls.get_vad_maps()
    • IndirectSystemCalls.make_subconfig()
    • IndirectSystemCalls.open
    • IndirectSystemCalls.run()
    • IndirectSystemCalls.set_open_method()
    • IndirectSystemCalls.unsatisfied()
    • IndirectSystemCalls.valid_syscall_handlers
    • IndirectSystemCalls.version
• volatility3.plugins.windows.malware.ldrmodules module
  • LdrModules
    • LdrModules.build_configuration()
    • LdrModules.config
    • LdrModules.config_path
    • LdrModules.context
    • LdrModules.get_requirements()
    • LdrModules.make_subconfig()
    • LdrModules.open
    • LdrModules.run()
    • LdrModules.set_open_method()
    • LdrModules.unsatisfied()
    • LdrModules.version
• volatility3.plugins.windows.malware.malfind module
  • Malfind
    • Malfind.build_configuration()
    • Malfind.config
    • Malfind.config_path
    • Malfind.context
    • Malfind.get_requirements()
    • Malfind.is_vad_empty()
    • Malfind.list_injection_sites()
    • Malfind.list_injections()
    • Malfind.make_subconfig()
    • Malfind.open
    • Malfind.run()
    • Malfind.set_open_method()
    • Malfind.unsatisfied()
    • Malfind.version
• volatility3.plugins.windows.malware.pebmasquerade module
  • PebMasquerade
    • PebMasquerade.build_configuration()
    • PebMasquerade.config
    • PebMasquerade.config_path
    • PebMasquerade.context
    • PebMasquerade.get_process_names()
    • PebMasquerade.get_requirements()
    • PebMasquerade.make_subconfig()
    • PebMasquerade.open
    • PebMasquerade.run()
    • PebMasquerade.set_open_method()
    • PebMasquerade.unsatisfied()
    • PebMasquerade.version
• volatility3.plugins.windows.malware.processghosting module
  • ProcessGhosting
    • ProcessGhosting.build_configuration()
    • ProcessGhosting.check_for_ghosting()
    • ProcessGhosting.config
    • ProcessGhosting.config_path
    • ProcessGhosting.context
    • ProcessGhosting.get_requirements()
    • ProcessGhosting.make_subconfig()
    • ProcessGhosting.open
    • ProcessGhosting.run()
    • ProcessGhosting.set_open_method()
    • ProcessGhosting.unsatisfied()
    • ProcessGhosting.version
• volatility3.plugins.windows.malware.psxview module
  • PsXView
    • PsXView.build_configuration()
    • PsXView.config
    • PsXView.config_path
    • PsXView.context
    • PsXView.get_requirements()
    • PsXView.make_subconfig()
    • PsXView.open
    • PsXView.run()
    • PsXView.set_open_method()
    • PsXView.unsatisfied()
    • PsXView.valid_proc_name_chars
    • PsXView.version
• volatility3.plugins.windows.malware.skeleton_key_check module
  • Skeleton_Key_Check
    • Skeleton_Key_Check.build_configuration()
    • Skeleton_Key_Check.config
    • Skeleton_Key_Check.config_path
    • Skeleton_Key_Check.context
    • Skeleton_Key_Check.get_requirements()
    • Skeleton_Key_Check.make_subconfig()
    • Skeleton_Key_Check.open
    • Skeleton_Key_Check.run()
    • Skeleton_Key_Check.set_open_method()
    • Skeleton_Key_Check.unsatisfied()
    • Skeleton_Key_Check.version
• volatility3.plugins.windows.malware.suspicious_threads module
  • SuspiciousThreads
    • SuspiciousThreads.build_configuration()
    • SuspiciousThreads.config
    • SuspiciousThreads.config_path
    • SuspiciousThreads.context
    • SuspiciousThreads.get_requirements()
    • SuspiciousThreads.make_subconfig()
    • SuspiciousThreads.open
    • SuspiciousThreads.run()
    • SuspiciousThreads.set_open_method()
    • SuspiciousThreads.unsatisfied()
    • SuspiciousThreads.version
• volatility3.plugins.windows.malware.svcdiff module
  • SvcDiff
    • SvcDiff.build_configuration()
    • SvcDiff.config
    • SvcDiff.config_path
    • SvcDiff.context
    • SvcDiff.enumerate_vista_or_later_header()
    • SvcDiff.get_prereq_info()
    • SvcDiff.get_record_tuple()
    • SvcDiff.get_requirements()
    • SvcDiff.make_subconfig()
    • SvcDiff.open
    • SvcDiff.run()
    • SvcDiff.service_diff()
    • SvcDiff.service_scan()
    • SvcDiff.set_open_method()
    • SvcDiff.unsatisfied()
    • SvcDiff.version
• volatility3.plugins.windows.malware.unhooked_system_calls module
  • UnhookedSystemCalls
    • UnhookedSystemCalls.build_configuration()
    • UnhookedSystemCalls.config
    • UnhookedSystemCalls.config_path
    • UnhookedSystemCalls.context
    • UnhookedSystemCalls.get_requirements()
    • UnhookedSystemCalls.make_subconfig()
    • UnhookedSystemCalls.open
    • UnhookedSystemCalls.run()
    • UnhookedSystemCalls.set_open_method()
    • UnhookedSystemCalls.system_calls
    • UnhookedSystemCalls.unsatisfied()
    • UnhookedSystemCalls.version