nganhkhoa/mether049-malware
1
0
Fork 0
mirror of https://github.com/nganhkhoa/malware.git synced 2024-06-10 21:32:07 +07:00
Code Issues Projects Releases Wiki Activity

Update malware-analysis_ref_and_memo.md

Browse Source
This commit is contained in:
mether049 2020-01-28 01:50:45 +09:00 committed by GitHub
parent e7b47384ae
commit 51a200fe09
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
1 changed files with 4 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
malware-analysis_ref_and_memo.md
View File

@ -102,6 +102,10 @@
[Trickbot artifact decrypter](https://github.com/snemes/malware-analysis/tree/master/trickbot)
- Injecition/Hollowingされたプロセスの自動検出<br>
[Memhunter](https://github.com/marcosd4h/memhunter)<br>
- **ref:**<br>
- [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
- [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
- [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
- メモリダンプが不要で,感染環境でメモリスキャンを行う
- メモリスキャンのヒューリスティックトリガーにETWデータを利用している
- ETWのSuspicious Eventsとして以下を定義
@ -112,10 +116,6 @@
> - Image Load Operations<br>
> - Kernel Audit APIs usage<br>
> - etc.<br>
- **ref:**<br>
- [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
- [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
- [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
# Doc Analysis