The Module object describes the load attributes of a module.
Attributes
load_type_id
- Type: integer_t
- Requirement: required
- Values:
  - 0 - Unknown
  - 1 - Standard: A normal module loaded by the normal Windows loading mechanism, i.e. LoadLibrary.
  - 2 - Non Standard: A module loaded in a way that avoids normal Windows procedures, i.e. Bootstrapped Loading/Manual DLL Loading.
  - 3 - ShellCode: A raw module in process memory that is READWRITE_EXECUTE and had a thread started in its range.
  - 4 - Mapped: A memory mapped file, typically created with CreateFileMapping/MapViewOfFile.
  - 5 - NonStandard Backed: A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation.
  - 99 - Other
The normalized identifier of the load type. It identifies how the module was loaded in memory.
base_address
- Type: string_t
- Requirement: recommended
The memory address where the module was loaded.
file
- Type: file
- Requirement: recommended
The module file object.
start_address
- Type: string_t
- Requirement: recommended
The start address of the execution.
type
- Type: string_t
- Requirement: recommended
The module type.
function_name
- Type: string_t
- Requirement: optional
The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.
load_type
- Type: string_t
- Requirement: optional
The load type, normalized to the caption of the load_type_id value. In the case of ‘Other’, it is defined by the event source. It describes how the module was loaded in memory.
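The following is an added example, not part of the schema or its tooling: a validator that checks a Module object against the attribute types and requirements listed above, normalizes load_type to the caption of load_type_id, and marks loads that bypass the normal Windows loader for analyst review. The function names, the review policy and the sample event are assumptions made for illustration.

```python
# Added example; names below are hypothetical, not part of the schema tooling.
# Captions copied from the load_type_id value list on this page.
LOAD_TYPES = {0: "Unknown", 1: "Standard", 2: "Non Standard", 3: "ShellCode",
              4: "Mapped", 5: "NonStandard Backed", 99: "Other"}
# Assumption: a local triage policy reviews the non-standard loads first.
REVIEW_FIRST = {2, 3, 5}
RECOMMENDED = ("base_address", "file", "start_address", "type")
STRING_ATTRS = ("base_address", "start_address", "type", "function_name", "load_type")


def normalize_module(module):
    """Validate a Module object; return a copy with load_type normalized."""
    if "load_type_id" not in module:
        raise ValueError("load_type_id is required")
    load_type_id = module["load_type_id"]
    # bool is a subclass of int in Python, so reject it explicitly.
    if isinstance(load_type_id, bool) or not isinstance(load_type_id, int):
        raise ValueError("load_type_id must be an integer")
    if load_type_id not in LOAD_TYPES:
        raise ValueError(f"load_type_id {load_type_id} is not a defined value")
    for name in STRING_ATTRS:
        if name in module and not isinstance(module[name], str):
            raise ValueError(f"{name} must be a string")
    out = dict(module)
    if load_type_id != 99:
        # Overwrite any free-form caption with the normalized one.
        out["load_type"] = LOAD_TYPES[load_type_id]
    # For 99 (Other) the caption is defined by the event source: keep it as sent.
    return out


def triage(module):
    """Return the normalized module plus data-quality and review hints."""
    norm = normalize_module(module)
    return {
        "module": norm,
        "missing_recommended": [n for n in RECOMMENDED if n not in norm],
        "review_first": norm["load_type_id"] in REVIEW_FIRST,
    }


# Constructed sample (not real telemetry): the source sent a lowercase caption.
SAMPLE = {"load_type_id": 3, "base_address": "0x1f0000",
          "start_address": "0x1f0040", "load_type": "shellcode"}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

Rejecting undefined load_type_id values at ingestion keeps detections that key on the load type from silently missing events with malformed enums.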