finding malware with kernel memory dump


Postby pav » Mon Apr 28, 2008 3:08 pm

I am trying to retrieve information about a machine (all running processes, threads, loaded drivers and DLLs with full paths) from a dump.
Is it possible to find (reveal) hidden processes and injected threads (by rootkits or malware) which were hidden from Explorer and AV?

I have a small collection of old rootkits; some of them don't have their own process. How is it possible to find symptoms of infection, like hooks and injected threads/code?

Currently I am using these commands and extensions to get information:
!process 0 0, !process 0 7 or !sprocess -4 7
lm kv
!dml_proc
vertarget
!cpuid and !cpuinfo
!lmi
!handle (how to get a list of all open files, like handle.exe -a does?)

Can somebody suggest other ways to complete this task?

Thanks

pav
 
Posts: 4
Joined: Thu Apr 24, 2008 1:28 pm

Re: finding malware with kernel memory dump

Postby VDO » Wed Aug 13, 2008 12:29 am

.imgscan should work in kernel mode, I believe.
Also, !chkimg should find deviations. This extension command has many options, like -nospec, although I haven't checked this.
VDO
Site Admin
 
Posts: 552
Joined: Mon May 01, 2006 10:34 am
Location: Dublin, Ireland
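The cross-view check behind pav's question about unlinked processes, as an added example that is not from this thread or from either poster: it builds a constructed toy image with a simplified EPROCESS-like block layout (an assumption, not the real structure), enumerates processes by walking the active-process list as !process 0 0 does, carves them by pool tag instead, and reports whatever the list walk missed.

```python
import struct
# Constructed toy "kernel memory" image, not a real Windows dump. Each fake
# process block is: 4-byte pool tag b'Proc' | u32 pid | u32 flink | u32 blink
# | 16-byte name. flink/blink hold the absolute offset of a neighbouring
# block's link field, mirroring EPROCESS.ActiveProcessLinks (a LIST_ENTRY).
TAG = b"Proc"
FMT = "<4sIII16s"
BLOCK = struct.calcsize(FMT)   # 32 bytes per block
LINK_OFF = 8                   # offset of flink inside a block
def build_image(procs, hidden):
    """Lay out all blocks contiguously; only non-hidden pids join the list. A hidden
    block gets self-pointing links, as a DKOM rootkit leaves an unlinked EPROCESS."""
    image = bytearray(BLOCK * len(procs))
    visible = [i for i, (pid, _) in enumerate(procs) if pid not in hidden]
    for i, (pid, name) in enumerate(procs):
        if i in visible:
            pos = visible.index(i)
            nxt, prv = visible[(pos + 1) % len(visible)], visible[pos - 1]
        else:
            nxt = prv = i
        struct.pack_into(FMT, image, i * BLOCK, TAG, pid, nxt * BLOCK + LINK_OFF,
                         prv * BLOCK + LINK_OFF, name.encode())
    return bytes(image), visible[0] * BLOCK + LINK_OFF   # (image, list head)
def walk_list(image, head_link):
    """pslist-style view: follow flink around the circular list from the head."""
    pids, link = [], head_link
    while len(pids) < len(image) // BLOCK:          # bound against cycles
        pid, flink = struct.unpack_from("<II", image, link - LINK_OFF + 4)
        pids.append(pid)
        link = flink
        if link == head_link:
            break
    return pids
def scan_pool(image):
    """psscan-style view: carve every block carrying the tag, linked or not."""
    pids, pos = [], image.find(TAG)
    while pos != -1 and pos + BLOCK <= len(image):
        pids.append(struct.unpack_from("<I", image, pos + 4)[0])
        pos = image.find(TAG, pos + 1)
    return pids
def cross_view(image, head_link):
    """Anything the scan finds that the list walk misses has been unlinked."""
    listed, scanned = walk_list(image, head_link), scan_pool(image)
    return {"pslist": listed, "psscan": scanned, "hidden": sorted(set(scanned) - set(listed))}
def demo():
    """Four constructed sample processes, one of which the 'rootkit' has unlinked."""
    image, head = build_image([(4, "System"), (600, "explorer.exe"),
                               (1337, "rk.exe"), (2000, "notepad.exe")], hidden={1337})
    return cross_view(image, head)   # demo()["hidden"] -> [1337]
```

On a real dump the list walk and the carve are done by the debugger or a memory-forensics tool; the principle is the same, a process that only shows up in the scan has been removed from the list.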
