#windows
farfella

08/04/2020, 7:45 PM
Would it be beneficial for me to implement looking for pages that are executable but not backed by any files on disk, or do we already have something like this? For example, let's say a process is backed by notepad.exe, and it has an address in memory starting with MZ... but that address isn't backed by any DLL on disk, i.e., it's not kernel32, user32.dll, etc. loaded from disk.
Mike Myers

08/05/2020, 6:03 PM
Definitely sounds interesting; would this be accomplished as an extra column within, say, the processes table?
farfella

08/05/2020, 6:46 PM
Might be better as a join with processes, since a single process would have many. Want to minimize the performance hit for a * query if we add it to processes.
Mike Myers

08/05/2020, 7:29 PM
Yeah, good point.
n3mes1s

08/06/2020, 3:33 PM
I can say that it will definitely be interesting to have it. Mind that a lot of hits will be related to anti-malware using this type of injection. But for sure you will be able to catch some malware as well. I can say Meterpreter and Cobalt Strike use this kind of injection as well.
farfella

08/06/2020, 3:39 PM
Yeah, pretty much the only three types of programs that would do this are antivirus, malware, or JIT'd code.