Hi,
First many thanks for reading me.
I want to identify a process which injects code into another in RAM (XP).
In case the code was injected via a DLL, the dlllist function of Volatility will give me useful information to identify the harmful DLL linked to the victim process. In case the injection was detected via the malfind function, how can I identify the process that initially injected the code into the victim process memory?
I tried to boot the machine in a VM and wanted to monitor specific functions (OpenProcess(), CreateRemoteThread(), LoadLibraryA()…) but I didn't find the right tool to do so. It seems that ProcMon doesn't monitor these function calls.
I would be grateful for any advice or clue to help me track down this harmful process.
I'm not a memory expert, please give details )
Have a nice day !
Thierry
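An added example, not from this thread: a small Python script that cross-references malfind hits with Volatility 2 `handles` output to list processes that hold an injection-capable handle (CREATE_THREAD + VM_OPERATION + VM_WRITE) to the victim. The malfind and handles lines are constructed samples, and the column layout of the handles output is an assumption about the plugin's text format.

```python
import re

# Constructed sample of Volatility 2 "malfind" output: one hit in PID 1624.
MALFIND_SAMPLE = """Process: explorer.exe Pid: 1624 Address: 0x1460000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
"""

# Constructed sample of Volatility 2 "handles -t Process" output.
# Assumed columns: Offset(V) Pid Handle Access Type Details
HANDLES_SAMPLE = """Offset(V)  Pid  Handle  Access  Type  Details
0x8a1b2c30  1000  0x44  0x1f0fff  Process  explorer.exe(1624)
0x8a1b2d40  1624  0x18  0x100000  Process  svchost.exe(904)
0x8a1b2e50  1380  0x5c  0x1000    Process  explorer.exe(1624)
0x8a1b2f60  4     0x30  0x1fffff  Process  smss.exe(368)
"""

# Access rights a CreateRemoteThread-style injector needs on its target.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

def malfind_victims(text):
    """Return the set of PIDs that malfind flagged as holding injected code."""
    return {int(pid) for pid in re.findall(r"Pid:\s*(\d+)", text)}

def handle_candidates(handles_text, victims):
    """Map each victim PID to (holder PID, access mask) pairs able to inject into it.

    A holder of such a handle is a candidate, not proof: legitimate tools
    (debuggers, AV, the parent that spawned the victim) hold them as well.
    """
    line_re = re.compile(
        r"^0x[0-9a-f]+\s+(\d+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+Process\s+\S+\((\d+)\)",
        re.IGNORECASE)
    result = {v: [] for v in victims}
    for line in handles_text.splitlines():
        m = line_re.match(line)
        if not m:
            continue  # header or non-Process handle
        holder, access, target = int(m.group(1)), int(m.group(2), 16), int(m.group(3))
        if target in victims and holder != target and (access & INJECT_MASK) == INJECT_MASK:
            result[target].append((holder, access))
    return result

if __name__ == "__main__":
    victims = malfind_victims(MALFIND_SAMPLE)
    for victim, holders in handle_candidates(HANDLES_SAMPLE, victims).items():
        print(f"victim {victim}: candidate injectors {holders}")
```

PID 1380 is dropped because its 0x1000 handle lacks write and thread-creation rights; only PID 1000 with full access remains a candidate to examine further (its DLLs, command line and parent).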
If you need to go any deeper into tracing the functions, you need to use a real disassembler/debugger like Ollydbg or IDAPro. At this point we are talking assembly level debugging/tracing.
Or if that seems too technical, try API Monitor (
Hi,
Thanks a lot for your answer.
I'll try API Monitor to see if the returned information is useful in this case.
I must admit that I am not too comfortable with disassemblers/debuggers… I'll have to work on this!
Finally, I tried other ways to collect information:
- I virtualised the system and used GMER to detect abnormalities. This confirmed the dll was malicious and let me find a suspect driver.
- Using the "log on boot" option of Autoruns, I found that the DLL was loaded as a service which loaded the driver…
- analysis of these files will certainly give me more clues !
Have a nice day
Thierry
Here is a list of monitoring tools:
- API Monitor: monitor file/socket/regedit/process/thread
- SandBoxIE: you can trace how a file executes
- TotalUninstall: before & after comparison of file, regedit and service changes
- WildPackets & WireShark: monitor sockets and sessions on the LAN.
If the session is encrypted, then you have to use IDA & OllyDBG.