mirror of https://github.com/nganhkhoa/malware.git
synced 2024-06-10 21:32:07 +07:00
Update malware-analysis_ref_and_memo.md
parent e7b47384ae
commit 51a200fe09
@ -102,6 +102,10 @@
|
||||
[Trickbot artifact decrypter](https://github.com/snemes/malware-analysis/tree/master/trickbot)
|
||||
- Injecition/Hollowingされたプロセスの自動検出<br>
|
||||
[Memhunter](https://github.com/marcosd4h/memhunter)<br>
|
||||
- **ref:**<br>
|
||||
- [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
|
||||
- [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
|
||||
- [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
|
||||
- メモリダンプが不要で,感染環境でメモリスキャンを行う
|
||||
- メモリスキャンのヒューリスティックトリガーにETWデータを利用している
|
||||
- ETWのSuspicious Eventsとして以下を定義
|
||||
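Review bot: The link title in the first YouTube entry of the relocated `- **ref:**` block still reads `Memhunte,youtube`, so the typo is carried to the new position unchanged. Correct it to `Memhunter` while the line is being touched, matching the spelling in the entry below it. The unchanged bullet above the tool link has the same kind of slip (`Injecition`) and could be fixed in the same pass. The added `ref` lines all end in `<br>` while the three bullets that now follow them do not, so the list mixes two line-ending styles; pick one.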
@ -112,10 +116,6 @@
|
||||
> - Image Load Operations<br>
|
||||
> - Kernel Audit APIs usage<br>
|
||||
> - etc.<br>
|
||||
- **ref:**<br>
|
||||
- [Memhunter (Memory resident malware hunting at scale)](https://docs.google.com/presentation/d/1hgx2FTNIkry9Nt8LOJVz_rHNhcGfJChxZVGckv7VI8E/edit#slide=id.g5712e7065f_1_1)<br>
|
||||
- [Reflective DLL Injection Detection through Memhunte,youtube](https://www.youtube.com/watch?v=t_fR1sCENkc)<br>
|
||||
- [Process Hollowing Injection Detection through Memhunter,youtube](https://www.youtube.com/watch?v=QxCguP76uyg)<br>
|
||||
|
||||
|
||||
# Doc Analysis
|
||||
|
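Review bot: The three links deleted after `> - etc.<br>` are the same three added in the first hunk, so this is a pure move of the `ref` block, but the commit message says only "Update malware-analysis_ref_and_memo.md". State in the message that the Memhunter references were moved up under the tool link, so the history shows that no link was added or dropped. After the removal the quoted ETW event list ends on `> - etc.<br>` directly before the blank lines and `# Doc Analysis`, where the trailing `<br>` no longer serves a purpose.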