The Module object describes the attributes of a module.
Attributes
Section titled “Attributes”base_address
- Type:
string_t - Requirement: recommended
The memory address where the module was loaded.
file
- Type:
file - Requirement: recommended
The module file object.
function_name
- Type:
string_t - Requirement: recommended
The invoked function in the module. For load and unload events, this is the entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.
load_type_id
- Type:
integer_t - Requirement: recommended
- Values:
0-Unknown: The load type is unknown.1-Standard: A normal module loaded by the normal windows loading mechanism i.e. LoadLibrary.2-Non Standard: A module loaded in a way avoidant of normal windows procedures. i.e. Bootstrapped Loading/Manual Dll Loading.3-ShellCode: A raw module in process memory that is READWRITE_EXECUTE and had a thread started in its range.4-Mapped: A memory mapped file, typically created with CreatefileMapping/MapViewOfFile.5-NonStandard Backed: A module loaded in a non standard way. However, GetModuleFileName succeeds on this allocation.99-Other: The load type is not mapped. See theload_typeattribute, which contains a data source specific value.
The normalized identifier for how the module was loaded in memory.
start_address
- Type:
string_t - Requirement: recommended
The start address of the execution.
type
- Type:
string_t - Requirement: recommended
The module type.
function_invocation
- Type:
function_invocation - Requirement: optional
Details about the invocation of the function given in function_name.
load_type
- Type:
string_t - Requirement: optional
The load type, normalized to the caption of the load_type_id value. In the case of ‘Other’, it is defined by the event source.
Constraints
Section titled “Constraints”At least one of: load_type_id, function_name