The memory will be dumped to the working directory. In this example the memory is dumped to a file named 0.0x00140000.bin. Usually the first item in the file name is the PID, but since we created a dummy process it is 0. If we wanted to scan a specific PID we would pass the integer (non-hexadecimal) value as an argument. If we had a machine infected with Poison Ivy that is injected into iexplore.exe with a PID of 3268, we would pass that integer as an argument.
If we were to open these dumps up in bintext we would see some common strings related to Poison Ivy.
In the last scan we were kind of lucky with the results. Since we are dumping all memory marked as RWX, we can also dump non-malicious memory: iexplore.exe likes RWX regions of 4096 bytes, while firefox loves regions of 65,536 bytes. The last scan option takes no arguments. It scans the processes that are commonly injected into. If we had a machine infected with Citadel, Ramnit, Poison Ivy and Tilon we would see the following results. No need to look at it all...
```text
C:\Documents and Settings\Administrator\Desktop\xxx>bkdump.exe
bkdump - simple RWX process dumper for commonly injected processes
bkdump.exe 0 - to open a dummy iexplorer.exe
bkdump.exe PID - to dump RWX Memory in a process
bkdump.exe - to dump RWX memory of running firefox.exe, ie, explorer.exe, chrome.exe
created by alexander.hanel
Dumping Process IEXPLORE.EXE with PID 3356
Suspicious Memory Block: Addr: 0x20030000 Size:4096
Dumping Memory at 0x20030000 to 3356.0x20030000.bin
Suspicious Memory Block: Addr: 0x20010000 Size:4096
Dumping Memory at 0x20010000 to 3356.0x20010000.bin
Suspicious Memory Block: Addr: 0x00aa0000 Size:4096
Dumping Memory at 0x00aa0000 to 3356.0x00aa0000.bin
Suspicious Memory Block: Addr: 0x00a90000 Size:4096
Dumping Memory at 0x00a90000 to 3356.0x00a90000.bin
Suspicious Memory Block: Addr: 0x00210000 Size:4096
Dumping Memory at 0x00210000 to 3356.0x00210000.bin
Suspicious Memory Block: Addr: 0x00200000 Size:4096
Dumping Memory at 0x00200000 to 3356.0x00200000.bin
Suspicious Memory Block: Addr: 0x001f0000 Size:4096
Dumping Memory at 0x001f0000 to 3356.0x001f0000.bin
Suspicious Memory Block: Addr: 0x001e0000 Size:4096
Dumping Memory at 0x001e0000 to 3356.0x001e0000.bin
Suspicious Memory Block: Addr: 0x00180000 Size:270336
Dumping Memory at 0x00180000 to 3356.0x00180000.bin
Suspicious Memory Block: Addr: 0x00050000 Size:4096
Dumping Memory at 0x00050000 to 3356.0x00050000.bin
Suspicious Memory Block: Addr: 0x00040000 Size:4096
Dumping Memory at 0x00040000 to 3356.0x00040000.bin
Suspicious Memory Block: Addr: 0x00030000 Size:4096
Dumping Memory at 0x00030000 to 3356.0x00030000.bin
Suspicious Memory Block: Addr: 0x00020000 Size:4096
Dumping Memory at 0x00020000 to 3356.0x00020000.bin
Dumping Process IEXPLORE.EXE with PID 3268
Suspicious Memory Block: Addr: 0x20020000 Size:4096
Dumping Memory at 0x20020000 to 3268.0x20020000.bin
Suspicious Memory Block: Addr: 0x00c30000 Size:4096
Dumping Memory at 0x00c30000 to 3268.0x00c30000.bin
Suspicious Memory Block: Addr: 0x00c20000 Size:4096
Dumping Memory at 0x00c20000 to 3268.0x00c20000.bin
Suspicious Memory Block: Addr: 0x00aa0000 Size:4096
Dumping Memory at 0x00aa0000 to 3268.0x00aa0000.bin
Suspicious Memory Block: Addr: 0x00a90000 Size:4096
Dumping Memory at 0x00a90000 to 3268.0x00a90000.bin
Suspicious Memory Block: Addr: 0x00a40000 Size:270336
Dumping Memory at 0x00a40000 to 3268.0x00a40000.bin
Suspicious Memory Block: Addr: 0x00160000 Size:4096
Dumping Memory at 0x00160000 to 3268.0x00160000.bin
Suspicious Memory Block: Addr: 0x00150000 Size:4096
Dumping Memory at 0x00150000 to 3268.0x00150000.bin
Dumping Process explorer.exe with PID 1688
Suspicious Memory Block: Addr: 0x20020000 Size:4096
Dumping Memory at 0x20020000 to 1688.0x20020000.bin
Suspicious Memory Block: Addr: 0x02af0000 Size:4096
Dumping Memory at 0x02af0000 to 1688.0x02af0000.bin
Suspicious Memory Block: Addr: 0x02ac0000 Size:4096
Dumping Memory at 0x02ac0000 to 1688.0x02ac0000.bin
Suspicious Memory Block: Addr: 0x02560000 Size:270336
Dumping Memory at 0x02560000 to 1688.0x02560000.bin
Suspicious Memory Block: Addr: 0x02420000 Size:4096
Dumping Memory at 0x02420000 to 1688.0x02420000.bin
Suspicious Memory Block: Addr: 0x01d90000 Size:4096
Dumping Memory at 0x01d90000 to 1688.0x01d90000.bin
Suspicious Memory Block: Addr: 0x01750000 Size:4096
Dumping Memory at 0x01750000 to 1688.0x01750000.bin
Suspicious Memory Block: Addr: 0x016b0000 Size:4096
Dumping Memory at 0x016b0000 to 1688.0x016b0000.bin
Suspicious Memory Block: Addr: 0x016a0000 Size:4096
Dumping Memory at 0x016a0000 to 1688.0x016a0000.bin
Suspicious Memory Block: Addr: 0x01620000 Size:4096
Dumping Memory at 0x01620000 to 1688.0x01620000.bin
Suspicious Memory Block: Addr: 0x01600000 Size:4096
Dumping Memory at 0x01600000 to 1688.0x01600000.bin
Suspicious Memory Block: Addr: 0x01500000 Size:4096
Dumping Memory at 0x01500000 to 1688.0x01500000.bin
Suspicious Memory Block: Addr: 0x01470000 Size:4096
Dumping Memory at 0x01470000 to 1688.0x01470000.bin
Suspicious Memory Block: Addr: 0x01460000 Size:4096
Dumping Memory at 0x01460000 to 1688.0x01460000.bin
```
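To make a listing like the one above easier to work through, here is an added example (not part of the post or of bkdump itself) that parses the tool's output, groups the suspicious blocks per process and ranks them: blocks whose size is not one of the routine page sizes the post mentions (4096 for iexplore.exe, 65536 for firefox) come first, and an unusual size that repeats across several processes ranks even higher, since one payload injected everywhere tends to map regions of identical size. The excerpt of output is a constructed shortened version of the listing.

```python
import re
from collections import defaultdict

# Constructed excerpt of bkdump output (a subset of the listing in the post).
SAMPLE_OUTPUT = """\
Dumping Process IEXPLORE.EXE with PID 3268
Suspicious Memory Block: Addr: 0x20020000 Size:4096
Dumping Memory at 0x20020000 to 3268.0x20020000.bin
Suspicious Memory Block: Addr: 0x00a40000 Size:270336
Dumping Memory at 0x00a40000 to 3268.0x00a40000.bin
Dumping Process explorer.exe with PID 1688
Suspicious Memory Block: Addr: 0x02560000 Size:270336
Dumping Memory at 0x02560000 to 1688.0x02560000.bin
Suspicious Memory Block: Addr: 0x01460000 Size:4096
Dumping Memory at 0x01460000 to 1688.0x01460000.bin
"""

PROC_RE = re.compile(r"^Dumping Process (\S+) with PID (\d+)$")
BLOCK_RE = re.compile(r"^Suspicious Memory Block: Addr: (0x[0-9a-fA-F]+) Size:(\d+)$")

# RWX sizes browsers allocate routinely (per the post): low priority, not "clean".
COMMON_SIZES = {4096, 65536}

def parse_bkdump(text):
    """Return {pid: (process_name, [(addr, size), ...])} from bkdump output."""
    procs, current = {}, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = int(m.group(2))
            procs[current] = (m.group(1), [])
            continue
        m = BLOCK_RE.match(line)
        if m and current is not None:
            procs[current][1].append((int(m.group(1), 16), int(m.group(2))))
    return procs

def prioritize(procs):
    """Rank blocks as (score, pid, name, addr, size), highest score first."""
    size_procs = defaultdict(set)          # which PIDs carry a block of each size
    for pid, (_, blocks) in procs.items():
        for _, size in blocks:
            size_procs[size].add(pid)
    ranked = []
    for pid, (name, blocks) in procs.items():
        for addr, size in blocks:
            unusual = size not in COMMON_SIZES
            score = (2 if unusual else 0) + (1 if unusual and len(size_procs[size]) > 1 else 0)
            ranked.append((score, pid, name, addr, size))
    ranked.sort(key=lambda r: (-r[0], r[1], r[3]))
    return ranked
```

Feeding the full listing in gives the three 270336-byte blocks (PIDs 3356, 3268 and 1688) at the top, which is where a triage would start.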
Yes, a lot of files have been dumped, but a lot of things can be done to parse out the good and the bad. The simplest would be checking for strings and MZ headers. The next version will have features to flag the bad ones. I have come up with some good ideas and found interesting anomalies during my research. I don't know exactly how long it will take until I get the next version out. Odds are I will have to do a rewrite of the current code. I'm still learning C, but I have learned that statically typed languages are much more difficult to modify than Python. Now I understand why teachers discussed program design so much; well, that and linked lists. The source code can be found here. The repo contains a compiled executable.
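The two checks named above, strings and MZ headers, as an added example that is not the post's own code or the planned next version of bkdump. It takes dumps named the way bkdump names them (PID.0xADDR.bin), verifies that an MZ header actually leads to a PE signature rather than stopping at the two magic bytes, pulls printable strings, and matches them against an assumed keyword list; the three dump contents are constructed in-line.

```python
import re
import struct

# Constructed sample dumps keyed by bkdump-style file names (PID.0xADDR.bin).
SAMPLE_DUMPS = {
    # A PE image sitting in RWX memory: "MZ", e_lfanew at offset 0x3c -> "PE\0\0".
    "3268.0x00a40000.bin": (
        b"MZ" + b"\x00" * 58 + struct.pack("<I", 0x80) + b"\x00" * (0x80 - 64)
        + b"PE\x00\x00" + b"\x00" * 20 + b"kernel32.dll\x00LoadLibraryA\x00"
    ),
    # A zeroed page like the 4096-byte RWX blocks browsers map on their own.
    "3268.0x20020000.bin": b"\x00" * 4096,
    # No MZ header, but strings worth a look.
    "1688.0x01460000.bin": b"\x90" * 16 + b"ws2_32.dll\x00connect\x00" + b"\xcc" * 8,
}

NAME_RE = re.compile(r"^(\d+)\.(0x[0-9a-fA-F]+)\.bin$")
STRING_RE = re.compile(rb"[\x20-\x7e]{6,}")
# Assumed keyword list; extend with strings known for the family being hunted.
KEYWORDS = (b".dll", b"loadlibrary", b"connect", b"http")

def has_pe_header(data):
    """True when the dump starts with MZ and e_lfanew points at a PE signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def triage_dump(name, data):
    """Summarise one dump: origin PID/address, PE check, keyword hits, verdict."""
    m = NAME_RE.match(name)
    pid, addr = (int(m.group(1)), int(m.group(2), 16)) if m else (None, None)
    strings = [s.decode() for s in STRING_RE.findall(data)]
    hits = [s for s in strings if any(k in s.lower().encode() for k in KEYWORDS)]
    fill = sum(1 for b in data if b) / len(data) if data else 0.0  # non-zero ratio
    if has_pe_header(data):
        verdict = "pe-image"
    elif hits:
        verdict = "strings"
    else:
        verdict = "empty" if fill < 0.01 else "unknown"
    return {"pid": pid, "addr": addr, "size": len(data),
            "pe": has_pe_header(data), "hits": hits, "verdict": verdict}

def triage_all(dumps):
    """Run triage_dump over every (name, bytes) pair and key results by name."""
    return {name: triage_dump(name, data) for name, data in dumps.items()}
```

On real dumps, read each file from the working directory into the same dictionary shape and the rest is unchanged.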
bypass process explorer ?