injdmp is a tool for dumping injected processes and dumping process memory that is marked as RWX. The tool can detect most malware that uses process injection. As of this writing it can dump processes related to Zeus/Citadel, Cridex, Ramnit, Poison Ivy and a number of other families of malware.
injdmp has six command line argument. The first is -c, this will scan commonly running injected processes such as firefox.exe, iexplore.exe, chrome.exe, and explorer.exe. The second is -pPID, this will scan a PID specified by the user. There can not be a space between the -p and the integer. An example of a valid argument is -p330. The third argument -d will open a dummy process of iexplore.exe and scan the process space. The fourth argument is -a, this will run the -c and -d scans. The fifth argument -s, will run the scan but not dump the memory to disk. This can be useful for testing. This argument needs to be the last argument. The last argument is -h. It will display the help menu as illustrated above.
injdump does three types of scans. The first one if dumping processes that are injected via registry keys AppInit_DLLs and APPCERTDLLs. The second scan searches for executables that are in private memory spaces. The last will dump all memory blocks that are marked as RWX. Future version will contain yara scanning and a couple of other features.
As of now I will not be releasing the source code but I plan to in the future. I'd like to use my research for a talk or a paper before releasing the code. Until then I hope the tool will be of use to other researchers.
Disclamier:
This project is for me to learn C. Odds are my code has memory leaks or other quirks that a C newbie adds to a 1k line project. Most of my testing has been on Windows XP. The code does run on Windows 7. Due to it being a 32 executable it will not dump 64 bit memory. All 64 bit pids are skipped. Please check below for updates. Thanks to b0ne and 0xdabbad00 for advice and pointing out bugs.
Release 1.0 - 6/07/2013 - download
Release 1.5 - 6/12/2013 - download - Fixed infinite loop caused by scanning 64 bit processes. Added stalker mode requested by Dan.
Good stuff brah. Now if I could only get the mother fucker to compile with VS or pelles, I'd be rockin.
ReplyDelete