
Add impscan plugin#2000

Open
thunderstornX wants to merge 1 commit into volatilityfoundation:develop from thunderstornX:impscan-plugin

Conversation

@thunderstornX


Summary

Closes #748.

This ports the Volatility 2 impscan plugin (originally by Michael Ligh) to Volatility 3, the last of the malware plugins still missing from the Vol2 feature-parity effort. impscan disassembles a process's executable region, finds CALL/JMP instructions that reference the import address table (IAT), and resolves each IAT entry to the exported function it points at. This reconstructs a process's imports even when the PE headers are damaged or the code was injected, which is why it is useful for malware analysis.

Implementation

volatility3/framework/plugins/windows/malware/impscan.py:

  • Iterates processes via pslist.PsList.list_processes (with an optional --pid filter) and reads the main module (or a --base/--size region).
  • Builds an {export_address: (module, function)} map for every loaded module by reusing the existing pe_symbols.PESymbols.get_pefile_obj / pefile export machinery.
  • Disassembles with capstone, handling both x86 absolute (CALL DWORD [0x...]) and x64 RIP-relative (CALL QWORD [RIP+0x...]) IAT references. Because capstone stops at the first byte it cannot decode, the module image (headers and data included) is swept linearly with a one-byte resynchronisation.
  • Resolves each IAT entry against the export map, then runs the Vol2 forward/backward vicinity scan to recover imports present in the table but never called, and remaps forwarded Rtl* imports to their kernel32 names.

Testing

  • test/test_impscan.py: 10 unit tests covering the IAT-target decoding (real capstone-disassembled x86 absolute and x64 RIP-relative CALL/JMP, register-call and non-branch rejection), the capstone resynchronisation, the vicinity scan, the forwarded-import remap and the pointer read. No image required.
  • Verified end-to-end against a real Windows 10 x64 memory image: scanning services.exe reconstructed 414 imports, e.g.
PID   IAT              Call             Module        Function
640   0x7ff7835346c8   0x7ffb65936780   DEVOBJ.dll    DevObjOpenDevRegKey
640   0x7ff7835346d0   0x7ffb659313c0   DEVOBJ.dll    DevObjCreateDeviceInfoList
640   0x7ff783534728   0x7ffb65992370   DPAPI.dll     CryptResetMachineCredentials
...
  • ruff format and ruff check are clean.

I have only been able to test against an x64 image; I would appreciate validation against the project's x86/WoW64 sample images as part of review.
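As an added illustration that is not the PR's plugin code, the following self-contained Python models the pipeline the description outlines: a linear sweep with one-byte resynchronisation over a module image, detection of the x86 absolute (`FF 15 abs32`) and x64 RIP-relative (`FF 15 rel32` / `FF 25 rel32`) CALL/JMP forms, resolution of each IAT slot against an export map, and the forward/backward vicinity scan that recovers table entries never called. It stands in a hand-rolled decoder for those two encodings where the plugin uses capstone, and the module image, base address and export map are constructed here, not taken from any real process.

```python
"""Reconstruct imports from IAT-referencing CALL/JMP instructions (added example).

A minimal decoder for the FF /2 (CALL) and FF /4 (JMP) memory forms replaces
capstone; the sample image and export map below are constructed, not real."""
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class IatRef:
    insn_va: int  # address of the CALL/JMP instruction
    iat_va: int   # IAT slot the instruction reads its target from


def decode_iat_ref(code: bytes, off: int, va: int, is_64: bool):
    """Decode one FF 15 / FF 25 instruction at code[off]; return (IatRef, length) or None.

    x86: the operand is an absolute 32-bit address (CALL DWORD [0x...]).
    x64: the operand is a signed displacement from the next instruction (CALL QWORD [RIP+0x...]).
    Anything else (register calls, non-branches, short tails) is rejected."""
    if off + 6 > len(code) or code[off] != 0xFF or code[off + 1] not in (0x15, 0x25):
        return None
    disp = struct.unpack_from("<i" if is_64 else "<I", code, off + 2)[0]
    target = (va + 6 + disp) if is_64 else disp
    return IatRef(va, target), 6


def sweep(image: bytes, base: int, is_64: bool) -> list:
    """Linear sweep with one-byte resynchronisation: advance by the instruction
    length on a hit, otherwise by a single byte, so headers and data do not stop the scan."""
    refs, off = [], 0
    while off < len(image):
        hit = decode_iat_ref(image, off, base + off, is_64)
        if hit:
            refs.append(hit[0])
            off += hit[1]
        else:
            off += 1
    return refs


def read_ptr(image: bytes, base: int, va: int, is_64: bool):
    """Read a pointer-sized little-endian value at va, or None if outside the image."""
    off, size = va - base, 8 if is_64 else 4
    if off < 0 or off + size > len(image):
        return None
    return struct.unpack_from("<Q" if is_64 else "<I", image, off)[0]


def resolve_imports(image: bytes, base: int, is_64: bool, exports: dict) -> dict:
    """Map IAT slot -> (call site or None, module, function).

    exports is {export_va: (module, function)} as an export-table walk would build it.
    Slots referenced by code are resolved first; the vicinity scan then walks outward
    from every hit in pointer-sized steps while the neighbouring slots still resolve,
    recovering imports present in the table but never called."""
    found = {}
    for ref in sweep(image, base, is_64):
        target = read_ptr(image, base, ref.iat_va, is_64)
        if target in exports:  # a data false positive will not resolve and is dropped here
            found[ref.iat_va] = (ref.insn_va, *exports[target])
    step = 8 if is_64 else 4
    for slot in list(found):
        for direction in (step, -step):
            va = slot + direction
            while (t := read_ptr(image, base, va, is_64)) in exports:
                found.setdefault(va, (None, *exports[t]))
                va += direction
    return dict(sorted(found.items()))


def build_sample_x64():
    """Constructed x64 module image: two IAT references in code, three IAT slots."""
    base = 0x140000000
    img = bytearray(0x3020)
    img[0x1000:0x1006] = b"\xff\x15" + struct.pack("<i", 0x3000 - 0x1006)  # call [rip+...] -> slot 0x3000
    img[0x1006] = 0x90                                                       # stray nop between calls
    img[0x1007:0x100D] = b"\xff\x25" + struct.pack("<i", 0x3010 - 0x100D)  # jmp  [rip+...] -> slot 0x3010
    img[0x100D] = 0xC3
    img[0x3000:0x3018] = struct.pack("<3Q", 0x7FFB00001000, 0x7FFB00002000, 0x7FFB00003000)
    exports = {  # constructed export addresses; slot 0x3008 is never called from code
        0x7FFB00001000: ("KERNEL32.dll", "CreateFileW"),
        0x7FFB00002000: ("KERNEL32.dll", "ReadFile"),
        0x7FFB00003000: ("ntdll.dll", "NtClose"),
    }
    return bytes(img), base, exports


if __name__ == "__main__":
    image, base, exports = build_sample_x64()
    print(f"{'IAT':<18} {'Call':<18} {'Module':<14} Function")
    for iat, (call, module, func) in resolve_imports(image, base, True, exports).items():
        print(f"{iat:#018x} {(f'{call:#x}' if call else '-'):<18} {module:<14} {func}")
```

Running the block prints a table in the same shape as the PR's services.exe output, with `ReadFile` listed without a call site because only the vicinity scan found it.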

Ports the Volatility 2 impscan plugin (by Michael Ligh) to Volatility 3. It disassembles a process's executable region, finds CALL/JMP instructions that reference the import address table, and resolves each IAT entry to the exported function it points at, reconstructing imports even when the PE headers are damaged or the code was injected.

Export enumeration reuses the existing pe_symbols machinery, disassembly uses capstone, and a linear sweep with resynchronisation handles the non-code bytes in a mapped module image. Adds unit tests for the IAT-detection, resynchronisation and vicinity-scan logic.

Closes volatilityfoundation#748


Development

Successfully merging this pull request may close these issues.

Missing plugin impscan

1 participant