Module

module

The Module object describes the load attributes of a module.


Attributes

Caption Name Type Is Array Default Description
Base Address base_address String The memory address where the module was loaded.
File file File The module file object.
Function Name function_name String The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.
Load Type load_type String The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.
Load Type ID load_type_id Integer The normalized identifier of the load type. It identifies how the module was loaded in memory.
0
Unknown
1
Standard
2
Non Standard
3
ShellCode
4
Mapped
5
NonStandard Backed
99
Other
Raw Data raw_data JSON The event data as received from the event source.
Record ID record_id String Unique identifier for the object
Start Address start_address String The start address of the execution.
Type type String The module type.
Unmapped Data unmapped Unmapped The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.

References

Context

Module

JSON

            
{
  "caption": "Module",
  "description": "The Module object describes the load attributes of a module.",
  "extends": "object",
  "name": "module",
  "attributes": {
    "base_address": {
      "requirement": "recommended",
      "caption": "Base Address",
      "description": "The memory address where the module was loaded.",
      "type": "string_t"
    },
    "file": {
      "description": "The module file object.",
      "requirement": "recommended",
      "caption": "File",
      "type": "file"
    },
    "function_name": {
      "requirement": "optional",
      "caption": "Function Name",
      "description": "The entry-point function of the module. The system calls the entry-point function whenever a process or thread loads or unloads the module.",
      "type": "string_t"
    },
    "load_type": {
      "requirement": "optional",
      "caption": "Load Type",
      "description": "The load type, normalized to the caption of the load_type_id value. In the case of 'Other', it is defined by the event source. It describes how the module was loaded in memory.",
      "type": "string_t"
    },
    "load_type_id": {
      "requirement": "required",
      "enum": {
        "0": {
          "caption": "Unknown"
        },
        "1": {
          "caption": "Standard",
          "description": "A normal module loaded by the standard Windows loading mechanism, e.g. LoadLibrary."
        },
        "2": {
          "caption": "Non Standard",
          "description": "A module loaded in a way that bypasses the normal Windows loading procedures, e.g. bootstrapped loading or manual DLL loading."
        },
        "3": {
          "caption": "ShellCode",
          "description": "A raw module in process memory that is READWRITE_EXECUTE and in whose address range a thread was started."
        },
        "4": {
          "caption": "Mapped",
          "description": "A memory-mapped file, typically created with CreateFileMapping/MapViewOfFile."
        },
        "5": {
          "caption": "NonStandard Backed",
          "description": "A module loaded in a non-standard way; however, GetModuleFileName succeeds for this allocation."
        },
        "99": {
          "caption": "Other"
        }
      },
      "caption": "Load Type ID",
      "description": "The normalized identifier of the load type. It identifies how the module was loaded in memory.",
      "sibling": "load_type",
      "type": "integer_t"
    },
    "start_address": {
      "requirement": "recommended",
      "caption": "Start Address",
      "description": "The start address of the execution.",
      "type": "string_t"
    },
    "type": {
      "description": "The module type.",
      "requirement": "recommended",
      "caption": "Type",
      "type": "string_t"
    },
    "raw_data": {
      "group": "context",
      "caption": "Raw Data",
      "description": "The event data as received from the event source.",
      "type": "json_t"
    },
    "record_id": {
      "description": "Unique identifier for the object",
      "group": "primary",
      "requirement": "required",
      "caption": "Record ID",
      "type": "string_t"
    },
    "unmapped": {
      "caption": "Unmapped Data",
      "description": "The attributes that are not mapped to the event schema. The names and values of those attributes are specific to the event source.",
      "type": "unmapped",
      "is_array": true
    }
  }
}