DecoyMini Technical Exchange Community
[Tool] Detecting strange memory regions and DLLs - MalMemDetect
Posted 2022-4-29 16:15:15

Detecting strange memory regions and DLLs

Compile as a DLL and inject it into a process to identify hollowed DLLs and calls from unmapped memory regions.

The Sleep hook seems to break some things, so I left it in; some other things are left more as a "Demo" and commented out.

By default, the results are written to a file on the C:\ drive.

Sample output

  Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
  Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EBA20 Heap Handle:000002C380790000 Size: 24
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
  Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB400 Heap Handle:000002C380790000 Size: 24
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
  Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB940 Heap Handle:000002C380790000 Size: 24
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
  Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
  Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]

  Found more than 5 bytes altered, there's potentially hooks here: C:\Windows\system32\xpsservices.dll Bytes Altered: 307094.000000
  FOUND DLL HOLLOW.
  NOW MONITORING: C:\Windows\system32\xpsservices.dll with 307094.000000 changes found. 15.442662% Overall

  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
  Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3C20 Heap Handle:000001DCB9C80000  Size: 24
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000  Size: 27648
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000  Size: 5543
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
  Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3AA0 Heap Handle:000001DCB9C80000  Size: 24
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000  Size: 27648
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000  Size: 5543
  Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
  Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
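As an added illustration of the two checks visible in the log above (attributing a hooked API call to a loaded module or to an unmapped region, and counting bytes that differ between a DLL's on-disk image and its in-memory copy to spot hollowing), here is a small C program that is not part of MalMemDetect. The module table, caller addresses and section contents are constructed stand-ins; the 5-byte threshold is the one quoted in the log.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Loaded-module record; the real tool would fill these from the injected
   process's module list. Threshold is the one the tool's log applies. */
typedef struct { const char *name; uintptr_t base; size_t size; } module_t;
#define HOOK_BYTE_THRESHOLD 5
/* Module containing addr, or NULL when the caller lies in no known module
   (what the log reports as a call from an unmapped region / bare thread). */
const module_t *module_for_address(const module_t *mods, size_t n, uintptr_t addr) {
    for (size_t i = 0; i < n; i++)
        if (addr >= mods[i].base && addr < mods[i].base + mods[i].size)
            return &mods[i];
    return NULL;
}
/* Bytes that differ between a section's on-disk image and its in-memory copy. */
size_t count_altered_bytes(const uint8_t *disk, const uint8_t *mem, size_t len) {
    size_t altered = 0;
    for (size_t i = 0; i < len; i++) altered += (disk[i] != mem[i]);
    return altered;
}
/* Share of the section that changed: the "% Overall" figure in the log. */
double altered_percent(size_t altered, size_t len) {
    return len ? 100.0 * (double)altered / (double)len : 0.0;
}
int is_suspicious_section(size_t altered) { return altered > HOOK_BYTE_THRESHOLD; }
int main(void) {
    /* Constructed module table and caller addresses (not real process data). */
    const module_t mods[] = {
        { "c:\\windows\\system32\\ntdll.dll",       0x7ff800000000ULL, 0x200000 },
        { "c:\\windows\\system32\\xpsservices.dll", 0x7ff810000000ULL, 0x100000 },
    };
    uintptr_t callers[] = { 0x7ff810001000ULL, 0x2c380000000ULL };
    for (size_t i = 0; i < 2; i++) {
        const module_t *m = module_for_address(mods, 2, callers[i]);
        if (m) printf("Suspicious Malloc() from module with name:%s\n", m->name);
        else   printf("Suspicious Malloc() from unmapped region 0x%" PRIxPTR "\n", callers[i]);
    }
    /* Constructed section images: disk copy vs. memory copy with 16 bytes changed. */
    uint8_t disk[64], mem[64];
    memset(disk, 0xCC, sizeof disk); memcpy(mem, disk, sizeof disk); memset(mem, 0x00, 16);
    size_t altered = count_altered_bytes(disk, mem, sizeof disk);
    if (is_suspicious_section(altered))
        printf("Found more than %d bytes altered: Bytes Altered: %zu (%.6f%% Overall)\n",
               HOOK_BYTE_THRESHOLD, altered, altered_percent(altered, sizeof disk));
    return 0;
}
```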