
Detect memory hooks/implants

Open rabbitstack opened this issue 5 years ago • 0 comments

Description

Fibratus already knows how to parse the PE data and extract valuable insights from it. I've been peeking at pe-sieve, and I have a feeling it would be perfectly viable to port the techniques for detecting memory implants, shellcodes, hooks, Process Hollowing, Process Doppelgänging, and Reflective DLL Injection to Fibratus. pe-sieve compares the on-disk PE representation with the PE memory layout to determine if the PE was hooked/implanted. We could start the implementation by porting some basic scanners, like the headers scanner, which simply checks whether the headers were modified. Hooks detection could be initiated when a new process is created and would probably trigger an alert that should be transported via alert senders. The user would be able to specify which hook detectors are active via the configuration file.
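As an added illustration of the "headers scanner" idea (not code from Fibratus or pe-sieve), the following Go program parses the DOS header, PE signature, COFF header, optional header and section table from two byte buffers, one standing in for the on-disk file and one for the process memory image, and reports the header fields that differ. The buffers are constructed in `buildImage`, which emits a minimal PE32+ header set rather than a real binary; the function and type names (`parseHeaders`, `compareHeaders`, `scanHeaders`, `buildImage`) are assumptions for this example. On a real system the memory buffer would come from reading the mapped module's first page out of the target process, which is platform-specific and omitted here.

```go
package main

import (
	"encoding/binary"
	"errors"
	"fmt"
	"strings"
)

// section holds the IMAGE_SECTION_HEADER fields a header scanner compares.
type section struct {
	Name            string
	VirtualAddress  uint32
	Characteristics uint32
}

// headers is the subset of PE header fields compared between disk and memory.
type headers struct {
	Machine     uint16
	NumSections uint16
	Magic       uint16
	EntryPoint  uint32
	ImageBase   uint64
	Sections    []section
}

func le16(b []byte, off uint32) uint16 { return binary.LittleEndian.Uint16(b[off:]) }
func le32(b []byte, off uint32) uint32 { return binary.LittleEndian.Uint32(b[off:]) }
func le64(b []byte, off uint32) uint64 { return binary.LittleEndian.Uint64(b[off:]) }

// parseHeaders walks DOS header -> PE signature -> COFF header -> optional header -> section table.
func parseHeaders(img []byte) (*headers, error) {
	if len(img) < 0x40 || string(img[:2]) != "MZ" {
		return nil, errors.New("missing DOS header")
	}
	peOff := le32(img, 0x3c) // e_lfanew
	if uint64(peOff)+24 > uint64(len(img)) || string(img[peOff:peOff+4]) != "PE\x00\x00" {
		return nil, errors.New("missing PE signature")
	}
	coff := peOff + 4
	h := &headers{Machine: le16(img, coff), NumSections: le16(img, coff+2)}
	optSize := uint32(le16(img, coff+16)) // SizeOfOptionalHeader
	opt := coff + 20
	if optSize < 32 || uint64(opt)+uint64(optSize) > uint64(len(img)) {
		return nil, errors.New("truncated optional header")
	}
	h.Magic = le16(img, opt)
	h.EntryPoint = le32(img, opt+16) // AddressOfEntryPoint
	switch h.Magic {
	case 0x20b: // PE32+: ImageBase is a 64-bit field at offset 24
		h.ImageBase = le64(img, opt+24)
	case 0x10b: // PE32: BaseOfData sits at offset 24, ImageBase is 32-bit at offset 28
		h.ImageBase = uint64(le32(img, opt+28))
	default:
		return nil, fmt.Errorf("unknown optional header magic 0x%x", h.Magic)
	}
	secOff := opt + optSize
	for i := uint32(0); i < uint32(h.NumSections); i++ {
		off := secOff + i*40
		if uint64(off)+40 > uint64(len(img)) {
			return nil, errors.New("truncated section table")
		}
		h.Sections = append(h.Sections, section{
			Name:            strings.TrimRight(string(img[off:off+8]), "\x00"),
			VirtualAddress:  le32(img, off+12),
			Characteristics: le32(img, off+36),
		})
	}
	return h, nil
}

// compareHeaders lists the fields that differ between the on-disk and in-memory view.
// ImageBase is deliberately not compared: a relocated image may legitimately carry a
// different base in memory, so it would be a noisy signal on its own.
func compareHeaders(disk, mem *headers) []string {
	var findings []string
	if disk.Machine != mem.Machine {
		findings = append(findings, fmt.Sprintf("Machine changed: 0x%x -> 0x%x", disk.Machine, mem.Machine))
	}
	if disk.EntryPoint != mem.EntryPoint {
		findings = append(findings, fmt.Sprintf("AddressOfEntryPoint changed: 0x%x -> 0x%x", disk.EntryPoint, mem.EntryPoint))
	}
	if disk.NumSections != mem.NumSections {
		findings = append(findings, fmt.Sprintf("NumberOfSections changed: %d -> %d", disk.NumSections, mem.NumSections))
	}
	for i := 0; i < len(disk.Sections) && i < len(mem.Sections); i++ {
		d, m := disk.Sections[i], mem.Sections[i]
		if d.Name != m.Name || d.VirtualAddress != m.VirtualAddress {
			findings = append(findings, fmt.Sprintf("section %d renamed/moved: %s@0x%x -> %s@0x%x", i, d.Name, d.VirtualAddress, m.Name, m.VirtualAddress))
		} else if d.Characteristics != m.Characteristics {
			findings = append(findings, fmt.Sprintf("section %s characteristics changed: 0x%08x -> 0x%08x", d.Name, d.Characteristics, m.Characteristics))
		}
	}
	return findings
}

// scanHeaders parses both images and returns the header differences (empty means clean).
func scanHeaders(disk, mem []byte) ([]string, error) {
	d, err := parseHeaders(disk)
	if err != nil {
		return nil, fmt.Errorf("disk image: %w", err)
	}
	m, err := parseHeaders(mem)
	if err != nil {
		return nil, fmt.Errorf("memory image: %w", err)
	}
	return compareHeaders(d, m), nil
}

// buildImage constructs a minimal PE32+ header set (DOS stub, PE signature, COFF header,
// 240-byte optional header, one .text section). Constructed sample data, not a real binary.
func buildImage(entryPoint, textCharacteristics uint32) []byte {
	img := make([]byte, 0x200)
	copy(img, "MZ")
	binary.LittleEndian.PutUint32(img[0x3c:], 0x40) // e_lfanew
	copy(img[0x40:], "PE\x00\x00")
	coff := uint32(0x44)
	binary.LittleEndian.PutUint16(img[coff:], 0x8664)  // IMAGE_FILE_MACHINE_AMD64
	binary.LittleEndian.PutUint16(img[coff+2:], 1)     // one section
	binary.LittleEndian.PutUint16(img[coff+16:], 240)  // SizeOfOptionalHeader (PE32+)
	opt := coff + 20
	binary.LittleEndian.PutUint16(img[opt:], 0x20b)            // PE32+ magic
	binary.LittleEndian.PutUint32(img[opt+16:], entryPoint)    // AddressOfEntryPoint
	binary.LittleEndian.PutUint64(img[opt+24:], 0x140000000)   // ImageBase
	sec := opt + 240
	copy(img[sec:], ".text")
	binary.LittleEndian.PutUint32(img[sec+12:], 0x1000)               // VirtualAddress
	binary.LittleEndian.PutUint32(img[sec+36:], textCharacteristics) // Characteristics
	return img
}

func main() {
	onDisk := buildImage(0x1000, 0x60000020)   // .text: CODE | EXECUTE | READ
	inMemory := buildImage(0x3000, 0xE0000020) // constructed: entry point moved, .text now WRITE too
	findings, err := scanHeaders(onDisk, inMemory)
	if err != nil {
		fmt.Println("scan error:", err)
		return
	}
	for _, f := range findings {
		fmt.Println("header mismatch:", f)
	}
}
```

In the scenario above the scanner reports two mismatches: the entry point moved and the `.text` section gained the writable flag. A Fibratus port would run this comparison on process creation and hand any non-empty finding list to the alert senders; which fields count as a mismatch (and which, like `ImageBase`, are ignored) is exactly what the configuration file would expose to the user.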

Prior art

https://github.com/hasherezade/pe-sieve
https://github.com/marcosd4h/memhunter

rabbitstack, Jan 04 '21 15:01