RAM - Code injection

 tg92
(@tg92)
Posts: 13
Active Member
Topic starter
 

Hi,

First many thanks for reading me.

I want to identify a process which injects code into another in RAM (XP).

In case the code was injected via a DLL, the dlllist function of Volatility will give me useful information to identify the harmful DLL linked to the victim process. In case the injection was detected via the malfind function, how can I identify the process that initially injected the code into the victim process's memory?

I tried to boot the machine in a VM and wanted to monitor specific functions (OpenProcess(), CreateRemoteThread(), LoadLibraryA()...) but I didn't find the right tool to do so. It seems that ProcMon doesn't monitor these function calls.

I would be grateful for any advice or clue to help me track down this harmful process.

I'm not a memory expert, so please give details.

Have a nice day!

Thierry

 
Posted : 15/03/2014 1:13 pm
(@yogeshkhatri)
Posts: 26
Eminent Member
 

If you need to go any deeper into tracing the functions, you need to use a real disassembler/debugger like Ollydbg or IDAPro. At this point we are talking assembly level debugging/tracing.

Or if that seems too technical, try API Monitor (www.rohitab.com/apimonitor). I believe you can hook LoadLibrary with it.

 
Posted : 03/04/2014 2:56 pm
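As an added example (not code from the thread or from API Monitor), here is how a defender could correlate an API-call trace from a monitoring tool to answer the original question: which process opened a handle to the victim and then performed the allocate, write, remote-thread chain against that handle. The trace line format and the PIDs/handles below are constructed for the example; real API Monitor output looks different and would need its own parser.

```python
# Added example: find the injecting process from an API-call trace.
# The "pid=<caller> <API>(<args>) -> <return>" line format is CONSTRUCTED
# for this example and is not the real output format of API Monitor.
import re
from collections import defaultdict

# Constructed sample trace: PID 1234 injects into PID 2048; PID 900 only reads.
SAMPLE_TRACE = """\
pid=1234 OpenProcess(PROCESS_ALL_ACCESS, 0, 2048) -> 0x1a4
pid=1234 VirtualAllocEx(0x1a4, 0, 4096, MEM_COMMIT, PAGE_EXECUTE_READWRITE) -> 0x7f0000
pid=1234 WriteProcessMemory(0x1a4, 0x7f0000, ..., 4096) -> 1
pid=1234 CreateRemoteThread(0x1a4, 0, 0, 0x7f0000, 0, 0) -> 0x1b0
pid=900 OpenProcess(PROCESS_QUERY_INFORMATION, 0, 2048) -> 0x2c
pid=900 ReadProcessMemory(0x2c, 0x400000, ..., 64) -> 1
"""

LINE_RE = re.compile(r"pid=(\d+) (\w+)\((.*)\) -> (\S+)")
# The classic chain malfind-style findings usually come from.
INJECTION_CHAIN = ("VirtualAllocEx", "WriteProcessMemory", "CreateRemoteThread")


def _in_order(apis, chain):
    """True if every API in `chain` appears in `apis`, in that order."""
    pos = 0
    for api in apis:
        if pos < len(chain) and api == chain[pos]:
            pos += 1
    return pos == len(chain)


def find_injectors(trace):
    """Return {(injector_pid, target_pid): [apis]} for each caller that opened
    a handle to another process and then ran the full injection chain on it."""
    handle_target = {}            # (caller pid, handle) -> target pid
    seen = defaultdict(list)      # (caller pid, target pid) -> APIs in order
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue              # ignore lines that are not API calls
        pid, api, args, ret = m.groups()
        argv = [a.strip() for a in args.split(",")]
        if api == "OpenProcess":
            handle_target[(pid, ret)] = argv[2]   # third argument: target PID
        elif api in INJECTION_CHAIN:
            target = handle_target.get((pid, argv[0]))  # first arg: hProcess
            if target is not None:
                seen[(int(pid), int(target))].append(api)
    return {k: v for k, v in seen.items() if _in_order(v, INJECTION_CHAIN)}


if __name__ == "__main__":
    print(find_injectors(SAMPLE_TRACE))   # {(1234, 2048): [...]}
```

A LoadLibrary-based injection (remote thread starting at LoadLibraryA) matches the same chain, which is why hooking those calls alongside the ones in the question is enough to attribute the source process.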
 tg92
(@tg92)
Posts: 13
Active Member
Topic starter
 

Hi,

Thanks a lot for your answer.

I'll try API Monitor to see if the returned information is useful in this case.

I must admit that I am not too comfortable with disassemblers/debuggers... I'll have to work on this!

Finally, I tried other ways to collect information:

- I virtualised the system and used GMER to detect abnormalities. This confirmed the DLL was malicious and let me find a suspect driver.
- Using the log-on-boot option of Autoruns, I found that the DLL was loaded as a service which loaded the driver...
- Analysis of these files will certainly give me more clues!

Have a nice day

Thierry

 
Posted : 04/04/2014 2:02 am
(@ultrain)
Posts: 16
Active Member
 

Here is a list of monitoring tools:

- API Monitor - monitors file/socket/regedit/process/thread activity
- SandBoxIE - you can trace how a file executes
- TotalUninstall - before & after changes in files, regedit, services

- WildPackets & WireShark - monitor sockets and sessions on the LAN.

If the session is encrypted, then you have to use IDA & OllyDBG.

 
Posted : 05/04/2014 9:49 pm