[go: up one dir, main page]

Skip to content

Highly useful Volatility-Malfind output parser for detecting Code/Process Injection patterns

Notifications You must be signed in to change notification settings

piralla/Malfind-Parser

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

4 Commits
 
 
 
 
 
 

Repository files navigation

############# INTRODUCTION #############

What is Volatility and the malfind plugin? Volatility is an open-source memory forensics framework for incident response and malware analysis. It allows you to extract digital artifacts from volatile memory (RAM) dumps. The malfind plugin is specifically designed to find hidden and injected code. It works by identifying suspicious Virtual Address Descriptor (VAD) memory regions that have PAGE_EXECUTE_READWRITE memory protection in a process.

How does this script relate to Volatility and malfind? This script is inspired by the functionality of the malfind plugin in Volatility. Just like malfind, our script is designed to identify patterns that are indicative of code injection in files. These patterns are indicative of various techniques used in code injection, such as NOP slides, shellcode, and return-oriented programming among others. While Volatility and its malfind plugin operate on memory dumps, our script operates on files. This makes our script a complementary tool to Volatility and malfind, allowing you to detect code injection not just in memory, but also in files on disk.

So, are you ready to uncover the hidden secrets of your files and memory? Give our script a try and let us know what you find!

############# USAGE #############

→ Process Code Injection Identifier

Ever wondered how to identify unusual executable memory locations in your system? Are you curious about what's happening under the hood of your computer? If so, this script is for you!

→ What does it do?

This script is designed to identify patterns that are indicative of Process code injection in malfind txt output files. Code injection is a technique used by malicious actors to insert or inject code into a process without the user's knowledge. This can lead to unauthorized actions being performed on the user's system. This script searches for specific patterns in a file or a directory of files. These patterns are indicative of various techniques used in code injection, such as MZ Headers, NOP slides, shellcode, and return-oriented programming among others.

→ How does it work?

The script works by opening a file and reading its contents. It then uses regular expressions to search for the predefined patterns. If a pattern is found, it is added to the results along with the number of times it was found. The script can handle both text and binary files. If the file is a text file, the script will decode the patterns (which are in bytes) to strings. If the file is a binary file, the script will encode the patterns (which are in strings) to bytes. Once all the files have been analyzed, the script writes the results to a CSV file. The CSV file contains the name of the file, the pattern that was found, and the count of how many times the pattern was found.

→ Usage

To use the script, simply pass the path to the file or directory you want to analyze as a command line argument. For example:

python malpar.py /path/to/file-or-directory

#############
REFERENCES
#############

https://attack.mitre.org/techniques/T1055/
https://www.hexacorn.com/blog/2013/05/16/uvwatauavawh-meet-the-pushy-string/

Releases

No releases published

Packages

No packages published

Languages