Sangrail / malwarecookbook

Automatically exported from code.google.com/p/malwarecookbook
0 stars 0 forks source link

ApiHooks plugin takes too long time to scan (I think) #31

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
>What steps will reproduce the problem?
vol.py -f d:\memimg\temp.vmem apihooks

>What is the expected output? What do you see instead?

Expected output is the same but in shorter time.

Volatile Systems Volatility Framework 1.4_rc1
Name                             Type     Target                                
   Value
lsass.exe[664]                   inline   
pstorsvc.dll!PSTOREServiceMain[0x743a1459L] 0x743a1459 CALL [0x743a1010] =>> 
0x77df3e57 (ADVAPI32.dll)
svchost.exe[1032]                inline   
cryptsvc.dll!CryptServiceMain[0x76ce1579L] 0x76ce1579 CALL [0x76ce10a0] =>> 
0x77df3e57 (ADVAPI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      winmm.dll!*invalid*                   
   0x0 0x7752bb33 (ole32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      gdi32.dll!*invalid*                   
   0x0 0x77df1576 (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      advapi32.dll!*invalid*                
   0x0 0x77f1a8cb (GDI32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      user32.dll!*invalid*                  
   0x0 0x77dd79db (advapi32.dll)
TOTALCMD.EXE[1976]@totalcmd.exe  iat      user32.dll!*invalid*                  
   0x0 0x77dd7328 (advapi32.dll)

Finished after 558.667999983 seconds

>What version of the product are you using? On what operating system?

Latest volatility + malware.py (r93). Operating system is Windows 7 64-bit.

If it should take this long, this issue can be removed.

Original issue reported on code.google.com by marko.th...@gmail.com on 26 Jul 2011 at 10:14

GoogleCodeExporter commented 9 years ago
Unfortunately it does usually take that long. Apihooks is probably the most 
labor intensive plugin around. It has to disassemble code in every exported 
function of every dll of every process (plus then do checks of the iat, eat, 
syscall, etc). So despite saying that, I'm going to keep this issue open 
because I think some improvements can still be made...and will update the 
ticket here when possible. 

Original comment by michael.hale@gmail.com on 26 Jul 2011 at 1:53