Code Injection
Run MemProcFS with the -forensics 1 flag and check the M:\forensics\forensic directory for the findings. Including a pagefile.sys (the -pagefile0 option) when mounting the image can help reduce false positives, since paged-out pages can then be resolved instead of being reported as unknown.
PROC_NOLINK - A process that is not present in the EPROCESS doubly-linked list. Could be due to process termination, a memory image issue, or an indication of a maliciously unlinked (DKOM-hidden) process.
PROC_PARENT - Checks for deviations from the commonly expected parents of some system processes.
PROC_USER - Checks for processes named as system components but running with the wrong account token.
PE_INJECT - A memory location with a PE header (EXE/DLL) that is not backed by a mapped image in the VAD tree; similar to looking for an MZ header in hex data, but restricted to regions where a PE should not be.
NOIMAGE_RWX - Memory sections with READWRITE_EXECUTE protection outside of image-backed memory.
NOIMAGE_RX - Memory sections with READ_EXECUTE protection outside of image-backed memory.
PRIVATE_RWX - Memory sections with READWRITE_EXECUTE protection in private memory.
PRIVATE_RX - Memory sections with READ_EXECUTE protection in private memory.
PEB_MASQ - Targets masquerade attacks where the PEB is modified to change the name and/or file path of the originally loaded code. Detected by comparing the information in the PEB with the VAD tree entry for the same image memory section.
PE_NOLINK - Indicates a DLL with a PE header (MZ) present in a memory section tracked by the VAD tree but absent from the PEB loader lists. Can identify many different types of process injection.
Expect false positives from these checks: .NET code often uses JIT (Just-In-Time) compilation, so executable code is legitimately loaded into and changed in non-image memory. Loading of 32-bit code via SysWOW64 is another common source.
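The indicator logic above, as an added toy example (not MemProcFS code and not its real implementation): it walks a constructed set of VAD-like regions plus a constructed PEB module list and emits PE_INJECT, NOIMAGE_*/PRIVATE_* and PE_NOLINK/PEB_MASQ findings. The Vad and PebModule classes, the region contents and the simplification that "private" regions get PRIVATE_* and other non-image regions get NOIMAGE_* are assumptions made for the example; the .NET JIT region is included to show the expected false positive.

```python
"""Toy FindEvil-style triage over constructed VAD and PEB data (example only)."""
import struct
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Windows memory protection constants (real values from winnt.h)
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Vad:                      # assumed simplified VAD entry
    start: int
    protect: int
    kind: str                   # "image", "private" or "mapped"
    image_path: Optional[str]   # file backing an image section, if any
    data: bytes                 # first bytes of the region (constructed)


@dataclass
class PebModule:                # assumed simplified PEB loader-list entry
    base: int
    path: str


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at e_lfanew (offset 0x3C) -> PE header."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def find_evil(vads: List[Vad], peb_modules: List[PebModule]) -> List[Tuple[str, int]]:
    """Return (indicator, region_base) findings in region order."""
    findings = []
    peb_by_base = {m.base: m for m in peb_modules}
    for v in vads:
        executable = v.protect in (PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE)
        rwx = v.protect == PAGE_EXECUTE_READWRITE
        if v.kind != "image":
            # Executable memory that is not an image mapping
            if executable and v.kind == "private":
                findings.append(("PRIVATE_RWX" if rwx else "PRIVATE_RX", v.start))
            elif executable:
                findings.append(("NOIMAGE_RWX" if rwx else "NOIMAGE_RX", v.start))
            # PE header where no image is mapped: injected PE
            if looks_like_pe(v.data):
                findings.append(("PE_INJECT", v.start))
        elif looks_like_pe(v.data):
            # Image-backed PE: it must be in the PEB and agree on the path
            mod = peb_by_base.get(v.start)
            if mod is None:
                findings.append(("PE_NOLINK", v.start))
            elif mod.path.lower() != (v.image_path or "").lower():
                findings.append(("PEB_MASQ", v.start))
    return findings


def fake_pe_header() -> bytes:
    """Minimal constructed MZ stub whose e_lfanew points at a PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr + b"PE\0\0")


# Constructed sample process: one clean DLL, one injected PE, one JIT region,
# one executable mapped data file, one unlinked DLL and one masqueraded EXE.
SAMPLE_VADS = [
    Vad(0x7FF800000000, PAGE_EXECUTE_READ, "image",
        "\\Windows\\System32\\ntdll.dll", fake_pe_header()),
    Vad(0x1A0000, PAGE_EXECUTE_READWRITE, "private", None, fake_pe_header()),
    Vad(0x2B0000, PAGE_EXECUTE_READ, "private", None,       # .NET JIT stub
        b"\x48\x89\x5c\x24\x08" + b"\0" * 0x40),
    Vad(0x3C0000, PAGE_EXECUTE_READ, "mapped", None, b"\0" * 0x40),
    Vad(0x7FF900000000, PAGE_EXECUTE_READ, "image",
        "\\Users\\bob\\stage2.dll", fake_pe_header()),
    Vad(0x7FF700000000, PAGE_EXECUTE_READ, "image",
        "\\Users\\bob\\evil.exe", fake_pe_header()),
]
SAMPLE_PEB = [
    PebModule(0x7FF800000000, "\\Windows\\System32\\ntdll.dll"),
    PebModule(0x7FF700000000, "\\Windows\\explorer.exe"),   # lies about evil.exe
]

if __name__ == "__main__":
    for indicator, base in find_evil(SAMPLE_VADS, SAMPLE_PEB):
        print(f"{indicator:12} 0x{base:016x}")
```

The PRIVATE_RX hit at 0x2B0000 is the JIT false positive the notes warn about; in real triage you would correlate such hits with whether the process hosts the CLR before escalating.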
Page-state letters:
A = Active page
T = Transition page (not active but still resident in memory)
Z = Zero page
C = Compressed page (may or may not be backed by memory, or may be paged out to the pagefile)
Pf = Pagefile
PE_PATCHED - Locates executable pages that have been patched or modified after the executable code was loaded (targets more advanced hollowing techniques, where the malware patches itself into a legitimate process). Windows tracks modified pages of a shared image through prototype PTEs; the check walks every active image memory page in the VAD tree and flags those whose PTEs indicate modification.