The PsEntropyPEB EnScript calculates the entropy value of running processes based on PEB (Process Environment Block) information.
The five unfamiliar executables have similar code. Because the calculation is applied to the already-unpacked code in RAM, the result is essentially free of the influence of packing.
The PsEntropyVAD EnScript finds code-injected processes by checking the flags of VAD (Virtual Address Descriptor) entries.
We can confirm that Metasploit Meterpreter injected malicious code into some processes.
The VadDump EnScript exports process memory by traversing VAD trees. For example, when a process is judged to be injected after running PsEntropyVAD, you can use VadDump to export the suspicious memory pages.
You can specify one process or all processes to export, and if you check "Injected Memory Pages Only", the script exports only the suspicious pages.
If you also check "Debug Mode", the exported pages are displayed on the Console tab.
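To make the entropy calculation and the VAD-flag heuristic behind PsEntropyPEB and PsEntropyVAD concrete, here is an added Python example (not part of the EnScripts themselves). It assumes a simplified VAD entry (start, protection, private flag, mapped file, page bytes) and a constructed sample VAD tree; the "private, executable, not file-backed" rule is a common injected-code heuristic and is assumed to be the kind of flag check the script performs.

```python
import math
from collections import Counter

# Windows page-protection constants (values from winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
EXECUTABLE = {PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE}


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def is_injected_candidate(vad: dict) -> bool:
    """Assumed VAD-flag check: private (not file-backed) memory that is executable
    is the usual footprint of injected code. JIT runtimes also create private RWX
    regions, so hits are leads to analyze, not verdicts."""
    return vad["private"] and vad["mapped_file"] is None and vad["protect"] in EXECUTABLE


def scan_process(vads: list) -> list:
    """Return (start, entropy) for every VAD that passes the flag check,
    i.e. the regions an "Injected Memory Pages Only" export would keep."""
    return [(v["start"], shannon_entropy(v["data"])) for v in vads if is_injected_candidate(v)]


# Constructed sample VAD tree for one process (not taken from a real memory image).
SAMPLE_VADS = [
    # Image section: file-backed and executable, expected for a loaded module.
    {"start": 0x00400000, "protect": PAGE_EXECUTE_READ, "private": False,
     "mapped_file": r"\Windows\System32\notepad.exe", "data": b"MZ" + bytes(range(256)) * 2},
    # Process heap: private but not executable, so ignored.
    {"start": 0x00600000, "protect": PAGE_READWRITE, "private": True,
     "mapped_file": None, "data": b"\x00" * 4096},
    # Private RWX region holding near-uniform bytes: the packed/injected payload pattern.
    {"start": 0x7FF00000, "protect": PAGE_EXECUTE_READWRITE, "private": True,
     "mapped_file": None, "data": bytes(range(256)) * 16},
]

if __name__ == "__main__":
    for start, ent in scan_process(SAMPLE_VADS):
        print(f"candidate VAD at {start:#010x}: entropy {ent:.2f} bits/byte")
```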
One of the exported pages contains malicious code.
This is another example.
Does the result indicate that the process is injected?
In the end, you should analyze the code ;-)
P.S.
I've fixed a bug in the VadSearch EnScript. The fixed version adds search-hit keywords to the bookmarks.