bkdump version 2

I have pushed the second version of bkdump to my BitBucket Repo. This version uses the same techniques described in a previous post but contains two new options to scan processes. The first new feature can scan a process by its process id (PID) and the second will scan processes that are commonly injected into. These processes have historically been firefox.exe, iexplore.exe, chrome.exe and explorer.exe. To invoke the original feature of bkdump, which was to scan a dummy process using iexplore.exe, we can pass "0" as an argument. This can be used to detect malware that injects into processes on process creation. If we had a machine infected with Citadel we would see the following.
The memory will be dumped to the working directory. In this example the memory is dumped to a file named 0.0x00140000.bin. Usually the first item in the file name is the PID but since we created a dummy process it is 0. If we wanted to scan a specific PID we would pass the integer (non-hexadecimal) value as an argument. If we had a machine infected with Poison Ivy that is injected into iexplore.exe with a PID of 3268 we would pass that integer as an argument.

If we were to open these dumps up in bintext we would see some common strings related to Poison Ivy.

In the last scan we were kind of lucky in the results. Since we are dumping all memory marked as RWX we can dump non-malicious memory too. iexplore.exe likes memory sizes of 4096 while firefox loves memory sizes of 65,536. The last scan option takes no arguments. It will scan processes that are commonly injected into. If we had a machine infected with Citadel, Ramnit, Poison Ivy and Tilon we would see the following results. No need to look at it all...

C:\Documents and Settings\Administrator\Desktop\xxx>bkdump.exe
bkdump - simple RWX process dumper for commonly injected processes
         bkdump.exe 0 - to open a dummy iexplorer.exe
         bkdump.exe PID - to dump RWX Memory in a process
         bkdump.exe - to dump RWX memory of running firefox.exe, ie,
         explorer.exe, chrome.exe
         created by alexander.hanel

Dumping Process IEXPLORE.EXE with PID 3356
Suspicious Memory Block:
Addr: 0x20030000 Size:4096
Dumping Memory at 0x20030000 to 3356.0x20030000.bin   
Suspicious Memory Block:
Addr: 0x20010000 Size:4096
Dumping Memory at 0x20010000 to 3356.0x20010000.bin
Suspicious Memory Block:
Addr: 0x00aa0000 Size:4096
Dumping Memory at 0x00aa0000 to 3356.0x00aa0000.bin
Suspicious Memory Block:
Addr: 0x00a90000 Size:4096
Dumping Memory at 0x00a90000 to 3356.0x00a90000.bin
Suspicious Memory Block:
Addr: 0x00210000 Size:4096
Dumping Memory at 0x00210000 to 3356.0x00210000.bin
Suspicious Memory Block:
Addr: 0x00200000 Size:4096
Dumping Memory at 0x00200000 to 3356.0x00200000.bin
Suspicious Memory Block:
Addr: 0x001f0000 Size:4096
Dumping Memory at 0x001f0000 to 3356.0x001f0000.bin
Suspicious Memory Block:
Addr: 0x001e0000 Size:4096
Dumping Memory at 0x001e0000 to 3356.0x001e0000.bin
Suspicious Memory Block:
Addr: 0x00180000 Size:270336
Dumping Memory at 0x00180000 to 3356.0x00180000.bin
Suspicious Memory Block:
Addr: 0x00050000 Size:4096
Dumping Memory at 0x00050000 to 3356.0x00050000.bin
Suspicious Memory Block:
Addr: 0x00040000 Size:4096
Dumping Memory at 0x00040000 to 3356.0x00040000.bin
Suspicious Memory Block:
Addr: 0x00030000 Size:4096
Dumping Memory at 0x00030000 to 3356.0x00030000.bin
Suspicious Memory Block:
Addr: 0x00020000 Size:4096
Dumping Memory at 0x00020000 to 3356.0x00020000.bin

Dumping Process IEXPLORE.EXE with PID 3268
Suspicious Memory Block:
Addr: 0x20020000 Size:4096
Dumping Memory at 0x20020000 to 3268.0x20020000.bin
Suspicious Memory Block:
Addr: 0x00c30000 Size:4096
Dumping Memory at 0x00c30000 to 3268.0x00c30000.bin
Suspicious Memory Block:
Addr: 0x00c20000 Size:4096
Dumping Memory at 0x00c20000 to 3268.0x00c20000.bin
Suspicious Memory Block:
Addr: 0x00aa0000 Size:4096
Dumping Memory at 0x00aa0000 to 3268.0x00aa0000.bin
Suspicious Memory Block:
Addr: 0x00a90000 Size:4096
Dumping Memory at 0x00a90000 to 3268.0x00a90000.bin
Suspicious Memory Block:
Addr: 0x00a40000 Size:270336
Dumping Memory at 0x00a40000 to 3268.0x00a40000.bin
Suspicious Memory Block:
Addr: 0x00160000 Size:4096
Dumping Memory at 0x00160000 to 3268.0x00160000.bin
Suspicious Memory Block:
Addr: 0x00150000 Size:4096
Dumping Memory at 0x00150000 to 3268.0x00150000.bin

Dumping Process explorer.exe with PID 1688
Suspicious Memory Block:
Addr: 0x20020000 Size:4096
Dumping Memory at 0x20020000 to 1688.0x20020000.bin
Suspicious Memory Block:
Addr: 0x02af0000 Size:4096
Dumping Memory at 0x02af0000 to 1688.0x02af0000.bin
Suspicious Memory Block:
Addr: 0x02ac0000 Size:4096
Dumping Memory at 0x02ac0000 to 1688.0x02ac0000.bin
Suspicious Memory Block:
Addr: 0x02560000 Size:270336
Dumping Memory at 0x02560000 to 1688.0x02560000.bin
Suspicious Memory Block:
Addr: 0x02420000 Size:4096
Dumping Memory at 0x02420000 to 1688.0x02420000.bin
Suspicious Memory Block:
Addr: 0x01d90000 Size:4096
Dumping Memory at 0x01d90000 to 1688.0x01d90000.bin
Suspicious Memory Block:
Addr: 0x01750000 Size:4096
Dumping Memory at 0x01750000 to 1688.0x01750000.bin
Suspicious Memory Block:
Addr: 0x016b0000 Size:4096
Dumping Memory at 0x016b0000 to 1688.0x016b0000.bin
Suspicious Memory Block:
Addr: 0x016a0000 Size:4096
Dumping Memory at 0x016a0000 to 1688.0x016a0000.bin
Suspicious Memory Block:
Addr: 0x01620000 Size:4096
Dumping Memory at 0x01620000 to 1688.0x01620000.bin
Suspicious Memory Block:
Addr: 0x01600000 Size:4096
Dumping Memory at 0x01600000 to 1688.0x01600000.bin
Suspicious Memory Block:
Addr: 0x01500000 Size:4096
Dumping Memory at 0x01500000 to 1688.0x01500000.bin
Suspicious Memory Block:
Addr: 0x01470000 Size:4096
Dumping Memory at 0x01470000 to 1688.0x01470000.bin
Suspicious Memory Block:
Addr: 0x01460000 Size:4096
Dumping Memory at 0x01460000 to 1688.0x01460000.bin

Yes, a lot of files have been dumped but a lot of things can be done to parse out the good and the bad. The simplest would be checking for strings and MZ headers. The next version will have features to flag the bad ones. I have come up with some good ideas and found interesting anomalies during my research. I don't know exactly how long it will take until I get the next version out. Odds are I will have to do a rewrite of the current code. I'm still learning C but I have learned that statically typed languages are much more difficult to modify than Python. Now I understand why teachers discussed program design so much; well that and linked lists. The source code can be found here. The repo contains a compiled executable.
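As an added example (my own code, not part of bkdump), here is a small triage helper that parses bkdump's console output and applies the two checks discussed above: the routine RWX sizes noted earlier (4096 and 65,536) and an MZ/PE header or printable strings in the dumped bytes. The log excerpt and the dump contents are constructed for the example.

```python
import re
import struct
# Constructed excerpt in the shape of bkdump's console output shown above.
SAMPLE_LOG = """Dumping Process IEXPLORE.EXE with PID 3268
Suspicious Memory Block:
Addr: 0x00c30000 Size:4096
Suspicious Memory Block:
Addr: 0x00a40000 Size:270336
"""

# Sizes the post reports as routine RWX allocations in clean processes.
ROUTINE_SIZES = {4096, 65536}
PROC_RE = re.compile(r"Dumping Process (\S+) with PID (\d+)")
BLOCK_RE = re.compile(r"Addr: (0x[0-9a-fA-F]+) Size:(\d+)")

def parse_bkdump_log(text):
    """Return [(process, pid, addr, size)] for every block bkdump reported."""
    blocks, proc, pid = [], None, None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            proc, pid = m.group(1), int(m.group(2))
        m = BLOCK_RE.match(line)
        if m and proc:
            blocks.append((proc, pid, int(m.group(1), 16), int(m.group(2))))
    return blocks

def has_pe_header(data):
    """True if the region starts with an MZ stub whose e_lfanew points at PE\\0\\0."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def printable_strings(data, min_len=6):
    """ASCII runs of at least min_len bytes, the way bintext would list them."""
    return [s.decode("ascii") for s in re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)]

def triage(block, data):
    """Reasons a dumped region deserves a closer look; empty list means nothing notable."""
    proc, pid, addr, size = block
    reasons = []
    if size not in ROUTINE_SIZES:
        reasons.append("size %d is not a routine RWX allocation" % size)
    if has_pe_header(data):
        reasons.append("MZ/PE header at start of region")
    return reasons
# Constructed dump contents: a zero-filled 4096-byte page and a minimal MZ/PE stub.
BENIGN_PAGE = b"\x00" * 4096
PE_STUB = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00" + b"\x00" * 16 + b"LoadLibraryA\x00"
```

In practice you would read each PID.0xADDR.bin file from the working directory and pass its bytes to triage() together with the matching block from the log.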
