https://github.com/glmcdona/Process-Dump anybody know of anything like that that works in-process instead of relying on debug apis? i wrote a rudimentary in-process version of this thing a while back but i was wondering if there's an existing solution

# Feb 16, 2017 17:54

> Sapozhnik posted: https://github.com/glmcdona/Process-Dump

sort of reminds me of ollydbg's method but you can just dump processes from the task manager

# Feb 16, 2017 18:19

actually a friend linked me to this https://github.com/volatilityfoundation/volatility looks like just what i need

# Feb 16, 2017 18:55

> Sapozhnik posted: https://github.com/glmcdona/Process-Dump

breakpad can dump from within the process I believe. depends on how much you trust your environment.

# Feb 16, 2017 19:25

> Sapozhnik posted: actually a friend linked me to this

are you sure?

> quote: Volatility does not provide memory sample acquisition capabilities. For acquisition, there are both free and commercial solutions available.

# Feb 16, 2017 19:37

All the discussion in media of file-less malware has got me interested in how this is actually accomplished. Does anyone have any links to decent write-ups for how you can actually inject malicious code into memory without touching the filesystem at all? I'm not sure what the techniques for this are.

e: i found this: https://securelist.com/blog/research/77403/fileless-attacks-against-enterprise-networks/ which is a decent primer, so far.

Winkle-Daddy fucked around with this message at 19:47 on Feb 16, 2017

# Feb 16, 2017 19:39

if you're doing any sort of dfir work at your org, having software that can allow you to remotely dump memory, pull artifacts and whole disk images, and a ledger of activity over N days is super useful

# Feb 16, 2017 19:53

> Winkle-Daddy posted: All the discussion in media of file-less malware has got me interested in how this is actually accomplished. Does anyone have any links to decent write-ups for how you can actually inject malicious code into memory without touching the filesystem at all? I'm not sure what the techniques for this are.

pretty much all modern malware which is spread via drive-by infects clients entirely in memory before ever touching the file system, usually through arbitrary code execution using buffer overflow exploits and then chained with a privilege escalation exploit to run as system. after that they'll usually touch the file system in some way to root the machine thus ensuring that they remain resident.

however after i wrote the above i saw the link you posted which clarifies "file-less" malware as simply malware which covers its tracks when interacting with the file system. so yeah, same stuff applies i guess?

edit: i've been making a lot of dumb posts recently so someone please call me out if i'm an idiot

Pile Of Garbage fucked around with this message at 19:55 on Feb 16, 2017

# Feb 16, 2017 19:53

> cheese-cube posted: pretty much all modern malware which is spread via drive-by infects clients entirely in memory before ever touching the file system, usually through arbitrary code execution using buffer overflow exploits and then chained with a privilege escalation exploit to run as system. after that they'll usually touch the file system in some way to root the machine thus ensuring that they remain resident.

yeah, I heard a bunch of news articles talking about this new fileless malware and was trying to understand if this was some "new" technique. seems like a whole lotta nothin' new.

# Feb 16, 2017 19:56

> hackbunny posted: are you sure?

yeah i'm running the target process under qemu, using the emulator to set an undetectable breakpoint, then dumping a system memory image when it gets hit. unfortunately idk how to do import and relocation reconstruction and all that fun crap so i can either shovel through russian warez forums or i could just sit down and rewrite the old and lovely tool i did for this. can throw the results up on github if there is any interest in it. once that's done i can use qemu to make a spontaneous LoadLibrary function call from the start of the target code. from there the imploder dll can do the rest.

# Feb 16, 2017 21:18

> Lutha Mahtin posted: nah but shaggz is talking about ones that don't chain to an authority. so the browser would then need zillions of certs for it to be useful, right?

think of it like whitelisting javascript in something like noscript but instead of whitelisting a url you're whitelisting specific signers or files. The whitelists would be maintained by your organization to prevent unknown code from running. This might not be useful to most users but for companies looking to protect their users/data it would be. My original point was that there is no option to do this with javascript because javascript is bad and its proponents are/were bad.

also lol @ using a browser that has its own internal trust list instead of the system trust list.

# Feb 16, 2017 21:28

> Sapozhnik posted: yeah i'm running the target process under qemu, using the emulator to set an undetectable breakpoint, then dumping a system memory image when it gets hit.

okay, your original post sounded like you needed to get the memory capture itself, not parse one you got through qemu

# Feb 16, 2017 21:33

> Shaggar posted: also lol @ using a browser that has its own internal trust list instead of the system trust list.

IE doesn't have a way for users to add roots to their keychains?

# Feb 16, 2017 21:44

> Subjunctive posted: IE doesn't have a way for users to add roots to their keychains?

# Feb 16, 2017 22:24

> Sapozhnik posted: yeah i'm running the target process under qemu, using the emulator to set an undetectable breakpoint, then dumping a system memory image when it gets hit.

sounds like volatility is your best bet. you can use malfind to find injected code and dump the binaries to disk (maybe even an intact PE if the headers aren't hosed) or use procdump to dump a PID to disk, depending on what you're analyzing. impscan will give you a list of imports. it's a pretty flexible framework though I'm still getting used to it myself.
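The "intact PE if the headers aren't hosed" check from the post above, as an added example that is not code from the thread or from Volatility: it walks a memory region for MZ headers and reports whether the DOS and NT headers still parse, which is what decides whether a dumped region is worth feeding to import reconstruction. The memory region and header values below are constructed sample data.

```python
import struct

DOS_SIG = b"MZ"
NT_SIG = b"PE\0\0"

def parse_pe_at(buf, off):
    """Return header facts for a PE image at buf[off], or None if the headers are damaged."""
    if buf[off:off + 2] != DOS_SIG or off + 0x40 > len(buf):
        return None
    e_lfanew = struct.unpack_from("<I", buf, off + 0x3C)[0]   # offset of the NT headers
    nt = off + e_lfanew
    # real images keep e_lfanew small; a huge or truncated value means an overwritten header
    if e_lfanew < 0x40 or e_lfanew > 0x1000 or nt + 24 > len(buf):
        return None
    if buf[nt:nt + 4] != NT_SIG:
        return None
    machine, nsections = struct.unpack_from("<HH", buf, nt + 4)
    opt_size = struct.unpack_from("<H", buf, nt + 20)[0]      # SizeOfOptionalHeader
    return {"offset": off, "machine": machine, "sections": nsections, "opt_size": opt_size}

def find_pe_images(buf):
    """Scan a memory region for MZ signatures; report each candidate as intact or damaged."""
    hits, pos = [], 0
    while (pos := buf.find(DOS_SIG, pos)) >= 0:
        info = parse_pe_at(buf, pos)
        hits.append(info if info else {"offset": pos, "sections": None})  # None = headers hosed
        pos += 2
    return hits

def _constructed_region():
    """Constructed sample: one intact x64 PE header and one whose PE signature was zeroed."""
    def image(sig):
        dos = DOS_SIG + b"\0" * 58 + struct.pack("<I", 0x80)          # e_lfanew = 0x80
        dos += b"\0" * (0x80 - len(dos))
        nt = sig + struct.pack("<HH", 0x8664, 3) + b"\0" * 12 + struct.pack("<HH", 0xF0, 0x22)
        return dos + nt + b"\0" * 0x100
    return b"\0" * 0x200 + image(NT_SIG) + b"\xcc" * 0x300 + image(b"\0\0\0\0")

SAMPLE = _constructed_region()

if __name__ == "__main__":
    for hit in find_pe_images(SAMPLE):
        print(hit)
```

The same scan works on a raw region dumped from a memory image; only regions that come back with a section count are candidates for rebuilding a usable binary.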

# Feb 16, 2017 22:46

> cheese-cube posted: edit: i've been making a lot of dumb posts recently so someone please call me out if i'm an idiot

ok, you're an idiot! modern "file-less" malware drive-by infects the machine and then never writes anything to disk at all, it relies on long uptimes and multiple machines on the network being infected to re-infect individual machines after they're rebooted and the malware instance is lost

# Feb 16, 2017 23:40

when kaspersky got owned, they couldn't fix it until all of their machines were turned off

# Feb 16, 2017 23:43

A good example to look into is dridex. Interesting note: Dridex has a very low footprint in countries like, for example, Pakistan, because frequent power outages mean it can't stay active, and since it doesn't persist it needs to be reinfected.

# Feb 16, 2017 23:45

> Deep Dish Fuckfest posted: power companies should start making inroads in infosec by triggering random power outages and charging customers for it

# Feb 16, 2017 23:49

power spike protection plan

# Feb 16, 2017 23:52

local secfuck: went to a local rogers reseller today to swap my cable modem, all their demo androids are signed in using the store's gmail account. google drive shows all the store's files, presumably backed up to the cloud, including store security, accounting, employee, and customer information. somehow no one seems to have noticed this. gg guys.

# Feb 17, 2017 00:36

> Pendragon posted: my wife's hr department got phished and sent the entire company's W2s to someone.

lol same

# Feb 17, 2017 00:37

> i poop fire posted: lol same

It's incredibly common this year. I know of a double-digit number of small businesses it's happened to in my area.

# Feb 17, 2017 01:01

> pseudorandom name posted: ok, you're an idiot!

uhhhh there's also families being called fileless because they persist entirely in registry keys, using powershell. this is what the recent wave of news spam using the term has been about...

# Feb 17, 2017 07:00

> Daman posted: uhhhh there's also families being called fileless because they persist entirely in registry keys, using powershell. this is what the recent wave of news spam using the term has been about...

yep. even kovter/poweliks had a similar method of writing shellcode to registry for persistence. it dropped a loader or smth along the way so not 100% fileless tho
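The registry-resident persistence that the two posts above describe (an autorun value that launches powershell, and a binary stage parked in another registry value) is something a defender can hunt for offline in an exported .reg file. This is an added detection example, not code from the thread or from any vendor tool; the key path, value names and hex bytes in the sample export are constructed.

```python
import re

AUTORUN_KEY = re.compile(r"\\CurrentVersion\\(Run|RunOnce)$", re.IGNORECASE)
INDICATORS = [  # patterns worth a second look in an autorun command line
    (re.compile(r"powershell(\.exe)?\b", re.I), "powershell launched from autorun"),
    (re.compile(r"\s-(e|ec|enc|encodedcommand)\s", re.I), "encoded command line"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"Get-ItemProperty|HKCU:|HKLM:", re.I), "stage read from another registry value"),
]

def parse_reg_export(text):
    """Yield (key, value_name, raw_value) from .reg text, joining hex: continuation lines."""
    key, pending = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if pending is not None:                 # continuation of a multi-line hex value
            pending += line.rstrip("\\")
            if line.endswith("\\"):
                continue
            line, pending = pending, None
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and "=" in line:
            if line.endswith("\\"):
                pending = line.rstrip("\\")
                continue
            name, _, value = line.partition("=")
            yield key, name.strip('"'), value.strip()

def scan_reg_export(text):
    """Return (key, value_name, reason) findings for autorun indicators and registry blobs."""
    findings = []
    for key, name, value in parse_reg_export(text):
        if AUTORUN_KEY.search(key):
            findings += [(key, name, why) for pat, why in INDICATORS if pat.search(value)]
        if value.lower().startswith("hex:"):    # REG_BINARY: look for an executable or a big blob
            blob = bytes.fromhex(value[4:].replace(",", ""))
            if blob[:2] == b"MZ" or len(blob) >= 4096:
                findings.append((key, name, "binary blob (MZ header or >=4 KiB) stored in registry"))
    return findings

# Constructed sample export: one benign autorun, one suspicious autorun, one parked blob.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Updater"="powershell.exe -w hidden -nop -c \"iex (Get-ItemProperty 'HKCU:\\Software\\Example').s\""

[HKEY_CURRENT_USER\Software\Example]
"s"=hex:4d,5a,90,00,03,00,00,00,04,00,00,00,ff,ff,00,00,b8,00,00,00,00,00,00,00,\
  40,00,00,00,00,00,00,00
"""
```

Run it against `reg export HKCU out.reg` style output from a suspect host; every finding names the key and value so the analyst can pull the stage for analysis.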

# Feb 17, 2017 14:35

> infernal machines posted: local secfuck: went to a local rogers reseller today to swap my cable modem, all their demo androids are signed in using the store's gmail account. google drive shows all the store's files, presumably backed up to the cloud, including store security, accounting, employee, and customer information.

good morning privacy commissioner, no i'd rather not hold thanks

# Feb 17, 2017 14:43

> Subjunctive posted: IE doesn't have a way for users to add roots to their keychains?

IE has one but it just pops the windows trust store. Edge does not, but it also uses the windows trust store. failfox I think is smart enough to use the windows trust store for some things, but idk about chrome.

# Feb 17, 2017 16:31

> anthonypants posted: windows update does that

also AD, which is why anything on windows should use the windows trust store.

# Feb 17, 2017 16:33

> pseudorandom name posted: ok, you're an idiot!

and this is why you configure the firewall at every endpoint and not just trust the zone to do the work

# Feb 17, 2017 18:44

https://twitter.com/wendynather/status/832284839789228032

# Feb 17, 2017 21:07

> BangersInMyKnickers posted: and this is why you configure the firewall at every endpoint and not just trust the zone to do the work

This. Deploying firewall rules at every endpoint as well as app whitelisting are two of the best things you can do in your organisation.

# Feb 17, 2017 21:17

https://twitter.com/taviso/status/832744397800214528

# Feb 18, 2017 01:15

lol https://twitter.com/taviso/status/832745012408381445

# Feb 18, 2017 01:21

reminder that nick sullivan told tavis that going after AV was a waste of his talents and that he should instead be looking at the security of critical internet infrastructure https://twitter.com/grittygrease/status/832746036149882880

# Feb 18, 2017 01:27

> Rufus Ping posted: reminder that nick sullivan told tavis that going after AV was a waste of his talents and that he should instead be looking at the security of critical internet infrastructure

# Feb 18, 2017 01:36

the suspense is killing me

# Feb 18, 2017 02:04

Well, this is certainly a securifuck. lol cryptocurrencies. https://zcoin.io/language/en/important-announcement-zerocoin-implementation-bug/

# Feb 18, 2017 03:43

> bad coin posted: We estimate the attacker has created about 370,000 Zcoins which has been almost completely sold except for about 20,000+ Zcoin and absorbed on the market with a profit of around 410 BTC.

loving lomarf

# Feb 18, 2017 03:48

Lmao this should be gbs-level pants making GBS threads time for cloudflare

# Feb 18, 2017 05:43