Standard Handles & Suspicious DLLs Flashcards
ws2_32.dll
Used for networking. In what context are you seeing this used?
crypt32.dll
Used for cryptography. In what context are you seeing this used?
hnetcfg.dll
Used for firewall maintenance. In what context are you seeing this used?
pstorec.dll
Used for access to protected storage. In what context are you seeing this used?
Standard Handles
By analyzing a process's standard handles you can determine where it gets its input and where it sends its output and error messages. This is especially helpful when investigating breaches by remote attackers.
SE_DEBUG_PRIVILEGE
Gives a DLL the right to read and write other processes' memory as if it were a debugger.
Remote DLL Injection
A malicious process forces the target process to load a specified DLL from disk by calling LoadLibrary or the native LdrLoadDll. By definition, the DLL must exist on disk prior to being injected.
Reflective DLL Injection
A malicious process writes a DLL (as a sequence of bytes) into the memory space of a target process. The DLL handles its own initialization without the help of the Windows loader. The DLL does not need to exist on disk prior to being injected.
Remote Code Injection
A malicious process writes code into the memory space of a target process and forces it to execute. The code can be a block of shellcode (i.e. not a PE file) or it can be a PE file whose import table is preemptively configured for the target process.
Hollow Process Injection
A malicious process starts a new instance of a legitimate process (such as lsass.exe) in suspended mode. Before resuming it, the executable section(s) are freed and reallocated with malicious code.
procdump
PE Extraction Plugin - Dump a process executable. You can identify the process by PID (--pid) or by the physical offset of its _EPROCESS (--offset). The latter option enables you to dump processes hidden from the active process list. Requires an output directory (--dump-dir).
dlldump
PE Extraction Plugin - Dump a DLL. You can identify the host process by PID (--pid) or by the physical offset of its _EPROCESS (--offset). If the DLLs are in the load order list, you can identify them using a regex (--regex/--ignore-case) on their name. Otherwise, you can refer to them by their base address in process memory (--base). The latter option enables you to dump hidden or injected PE files. Requires an output directory (--dump-dir).
moddump
PE Extraction Plugin - Dump a kernel module. Similar to dlldump: if the modules you want are in the loaded modules list, you can identify them with regexes. Otherwise, to dump a PE file from anywhere in kernel memory, use the --base parameter. Requires an output directory (--dump-dir).