Code Injection

Use the -forensics 1 flag and then check M:\forensics\forensic

Including the pagefile.sys alongside the memory image can help reduce false positives

Common process irregularities:

PROC_NOLINK A process that is not present in the EPROCESS doubly-linked list. This could be due to process termination or a memory image issue, or it could indicate a maliciously unlinked (hidden) process

PROC_PARENT Checks for deviations from the commonly expected parents of some system processes

PROC_USER Checks for processes named as system components running with the wrong account token
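The three process checks above can be reproduced with a small script. The following is an added example, not MemProcFS code or its output format: it walks a constructed process list (a `Proc` record per process, with an `in_list` flag standing in for "seen in the EPROCESS list walk") and flags PROC_NOLINK, PROC_PARENT and PROC_USER. The expected-parent and expected-token tables are deliberately small assumptions for the example and not the tool's own tables.

```python
# Added example: PROC_NOLINK / PROC_PARENT / PROC_USER style checks over a
# constructed process list. Not MemProcFS code; tables below are assumptions.
from dataclasses import dataclass


@dataclass
class Proc:
    pid: int
    ppid: int
    name: str
    user: str            # account of the process primary token
    in_list: bool = True # True if found while walking the EPROCESS linked list


# Expected parent names for a few system processes (simplified assumption).
# smss.exe and wininit.exe are left out because their parents normally exit.
EXPECTED_PARENT = {
    "services.exe": {"wininit.exe"},
    "lsass.exe": {"wininit.exe"},
    "svchost.exe": {"services.exe"},
}

# Expected token accounts for the same processes (simplified assumption).
SYSTEM = "NT AUTHORITY\\SYSTEM"
EXPECTED_USER = {
    "services.exe": {SYSTEM},
    "lsass.exe": {SYSTEM},
    "svchost.exe": {SYSTEM, "NT AUTHORITY\\LOCAL SERVICE",
                    "NT AUTHORITY\\NETWORK SERVICE"},
}


def find_process_irregularities(procs):
    """Return a list of (finding, pid, detail) tuples for the given processes."""
    by_pid = {p.pid: p for p in procs}
    findings = []
    for p in procs:
        name = p.name.lower()
        # PROC_NOLINK: the process exists (e.g. found by pool scanning) but was
        # not reached by walking the EPROCESS doubly-linked list.
        if not p.in_list:
            findings.append(("PROC_NOLINK", p.pid, name))
        # PROC_PARENT: a well-known system process with an unexpected parent.
        if name in EXPECTED_PARENT:
            parent = by_pid.get(p.ppid)
            parent_name = parent.name.lower() if parent else "<missing>"
            if parent_name not in EXPECTED_PARENT[name]:
                findings.append(("PROC_PARENT", p.pid,
                                 f"{name} parent={parent_name}"))
        # PROC_USER: a process named like a system component but running
        # under an account token it should not have.
        if name in EXPECTED_USER and p.user not in EXPECTED_USER[name]:
            findings.append(("PROC_USER", p.pid, f"{name} user={p.user}"))
    return findings


# Constructed sample process list (not real image data).
SAMPLE_PROCS = [
    Proc(4, 0, "System", SYSTEM),
    Proc(500, 400, "wininit.exe", SYSTEM),
    Proc(600, 500, "services.exe", SYSTEM),
    Proc(620, 500, "lsass.exe", SYSTEM),
    Proc(700, 600, "svchost.exe", "NT AUTHORITY\\NETWORK SERVICE"),
    Proc(1500, 1400, "explorer.exe", "LAB\\alice"),
    Proc(1600, 1500, "svchost.exe", "LAB\\alice"),          # wrong parent, wrong token
    Proc(1700, 600, "worker.exe", SYSTEM, in_list=False),  # only found by scanning
]

if __name__ == "__main__":
    for finding, pid, detail in find_process_irregularities(SAMPLE_PROCS):
        print(f"{finding:12} pid={pid:<6} {detail}")
```

Running the block prints one line per finding; the two hits on pid 1600 show why PROC_PARENT and PROC_USER are worth reading together, since a single misnamed process usually trips both.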

Unusual properties of memory pages:

PE_INJECT A memory location with a PE header (EXE/DLL) that is not in image-mapped memory; similar to looking for an MZ header in the hex data

NOIMAGE_RWX Memory sections with READWRITE_EXECUTE outside of mapped memory

NOIMAGE_RX Memory sections with READ_EXECUTE outside of mapped memory

PRIVATE_RWX Memory sections with READWRITE_EXECUTE in private memory

PRIVATE_RX Memory sections with READ_EXECUTE in private memory

Manipulated Memory Structures:

PEB_MASQ Targets Process Environment Block (PEB) masquerade attacks, where the PEB is modified to change the name and/or file path of the originally loaded code. Accomplished by comparing information between the PEB and the VAD tree for the same image memory section

PE_NOLINK Indicates a DLL with a PE header (MZ) is present in a memory section tracked by the VAD tree but is not present in the PEB module lists. Can identify many different types of process injection

PE_PATCHED Locates executable pages that have been 'patched' or modified after the executable code was loaded (targets more advanced hollowing techniques, where the injected code patches itself into a legitimate process). Page Table Entries (PTEs) track modified pages via structures called prototype PTEs; the check looks at each active image memory page within the VAD tree for any PTEs indicating modification
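The memory-page heuristics (PE_INJECT, NOIMAGE_RWX/RX, PRIVATE_RWX/RX) and the PEB-versus-VAD checks (PEB_MASQ, PE_NOLINK, PE_PATCHED) all reduce to comparing a few region attributes, which the following added example shows end to end. It is not MemProcFS code: the `Region` and `PebModule` records, the mapping of non-image kinds to `private` and `mapped`, and the `modified_pages` counter standing in for "PTEs indicating modification" are all assumptions made for the example, and the sample regions are constructed.

```python
# Added example: region classification in the spirit of the PE_INJECT, NOIMAGE_*,
# PRIVATE_*, PE_PATCHED, PE_NOLINK and PEB_MASQ checks. Not MemProcFS code.
import re
from dataclasses import dataclass


@dataclass
class Region:
    start: int
    size: int
    protect: str             # "RWX", "RX", "RW", ...
    kind: str                # "image" (file-backed PE), "mapped" (other file), "private"
    head: bytes = b""        # first bytes of the region, as read from memory
    path: str = ""           # backing file path from the VAD, if any
    modified_pages: int = 0  # pages whose PTEs indicate modification (assumption)


@dataclass
class PebModule:
    base: int                # module base as recorded in the PEB loader lists
    path: str                # module path as recorded in the PEB


def classify_region(r):
    """Page-level findings that need only the region itself."""
    hits = []
    is_pe = r.head[:2] == b"MZ"
    if is_pe and r.kind != "image":
        hits.append("PE_INJECT")            # PE header outside image memory
    if r.kind != "image":
        if r.protect == "RWX":
            hits.append("PRIVATE_RWX" if r.kind == "private" else "NOIMAGE_RWX")
        elif r.protect == "RX":
            hits.append("PRIVATE_RX" if r.kind == "private" else "NOIMAGE_RX")
    if r.kind == "image" and r.modified_pages:
        hits.append("PE_PATCHED")           # image pages changed after load
    return hits


def _norm(path):
    # PEB paths carry a drive letter, VAD paths usually do not; compare the rest.
    return re.sub(r"^[a-z]:", "", path.lower())


def scan_process(regions, peb_modules):
    """Return (finding, region start, detail) tuples for one process."""
    peb_by_base = {m.base: m for m in peb_modules}
    findings = []
    for r in regions:
        for tag in classify_region(r):
            findings.append((tag, r.start, r.path or f"{r.kind}/{r.protect}"))
        if r.kind == "image":
            m = peb_by_base.get(r.start)
            if m is None:
                findings.append(("PE_NOLINK", r.start, r.path))  # VAD has it, PEB does not
            elif _norm(m.path) != _norm(r.path):
                findings.append(("PEB_MASQ", r.start, f"peb={m.path} vad={r.path}"))
    return findings


# Constructed sample data for one process (not real image data).
MZ = b"MZ\x90\x00"
SAMPLE_REGIONS = [
    Region(0x7FF600000000, 0x30000, "RX", "image", MZ, r"\Windows\System32\notepad.exe"),
    Region(0x7FFB10000000, 0xC0000, "RX", "image", MZ, r"\Windows\System32\kernel32.dll",
           modified_pages=2),
    Region(0x1E0000000, 0x20000, "RX", "image", MZ, r"\Users\alice\Temp\helper.dll"),
    Region(0x2A0000000, 0x10000, "RWX", "private", MZ),
    Region(0x2B0000000, 0x8000, "RX", "mapped", b"\x00" * 4, r"\Temp\data.bin"),
    Region(0x2C0000000, 0x4000, "RW", "private", b"\x00" * 4),
]
SAMPLE_PEB = [
    PebModule(0x7FF600000000, r"C:\Windows\explorer.exe"),  # name differs from the VAD
    PebModule(0x7FFB10000000, r"C:\Windows\System32\kernel32.dll"),
]

if __name__ == "__main__":
    for finding, start, detail in scan_process(SAMPLE_REGIONS, SAMPLE_PEB):
        print(f"{finding:12} {start:#014x} {detail}")
```

The sample deliberately includes a private RWX region that begins with MZ, so it trips both PE_INJECT and PRIVATE_RWX; a real triage would look at such overlaps first, while an RX mapped region with no PE header (NOIMAGE_RX alone) is the kind of hit that the JIT and SysWOW64 false-positive notes below apply to.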

Common false positives

PE_PATCHED:

.NET code often uses JIT (Just-In-Time) compilation, so code can be legitimately loaded and then changed in memory. Loading 32-bit code via SysWOW64 is another common cause

Types of memory pages:

A = Active page
T = Transient page (non-active but still in memory)
Z = Zero page
C = Compressed page (may or may not be backed by memory, or paged out to the pagefile)
Pf = Pagefile
