
Posts

Showing posts from July, 2015

Malware Analysis Using Volatility - Part 4

THE MALICIOUS INTELLIGENCE FROM BEHIND THE INSTRUCTION CODES AND THE ARTIFACTS IN MEMORY

Classical Windows attack vectors
    ➡ Exploiting Registry keys: hijacking the system's autorun entries so the code starts even without the user clicking anything.
    ➡ Exploiting DLL injection
    ➡ Exploiting services
    ➡ Exploiting legitimate executables (lsass.exe, explorer.exe)
    ➡ Exploiting atom tables
    ➡ Creating names using ASLR

Windows Graphical User Interface
    ➡ Windows controls access to shared resources through kernel objects known as synchronization objects.
    ➡ A mutant (the kernel object behind a Win32 mutex) is one of them: when a thread needs exclusive access to a resource it acquires the mutant, and other threads that ask for the same mutant wait until it is released.
    ➡ This is crucial for Windows to run, and it is equally useful to malware, which names its mutants so that it can stay persistent in the system without attracting attention. An example is the Advanced malw

Malware Analysis Using Volatility - Part 3

NEFARIOUS ACTIONS UNDER THE WINDOWS ARCHITECTURE

Dlllist plugin

Since malware can unlink, rename or substitute the libraries of a system (Windows, for example), we are interested in investigating the libraries (DLLs) that an infection has loaded. The first task is to look at suspicious DLLs, because a malicious module can hide inside an otherwise legitimate process. We can list the modules loaded by every process with

    vol.exe dlllist --profile=WinXPSP3x86 -f stuxnet.vmem

Dlllist plugin, -p flag

That output covers every process on the machine. Since that is too much to read through, our task is to investigate a specific process, selected by its PID:

    vol.exe dlllist --profile=WinXPSP3x86 -p 1928 -f stuxnet.vmem

This shows only the DLLs loaded by process 1928. We can obtain the same output by giving the physical offset of the process's _EPROCESS structure instead of its PID, which is useful for a process that psscan finds but pslist does not:

    vol.exe dlllist --profile=WinXPSP3x86 --offset=0x01e47c00 -f stuxnet.vmem

Note that dlllist walks the module lists in the process PEB, so a DLL that malware has unlinked from those lists will not appear here; ldrmodules, which compares the three PEB lists against the VAD, is the plugin for that case.

Malfind plugin

Another Volatility plugin we can use when searching for an MZ signature is malfind: it looks for memory regions that are private, executable and not backed by a file on disk, and dumps their first bytes, so an MZ header at the start of such a region points to a PE image that was injected rather than loaded normally. If you want to a
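To make the per-process dlllist review above repeatable, here is an added example (my own code, not from the original post or from Volatility) that parses the text dlllist prints for one process and flags the entries an analyst would look at first: modules loaded from outside the Windows system directories, modules loaded dynamically rather than as static imports (LoadCount other than 0xffff), and module names that appear more than once. The sample output embedded below is constructed for illustration; its base addresses, load counts and paths are hypothetical and do not come from the Stuxnet image discussed in the post.

```python
"""Triage Volatility 2 dlllist output for a single process.

Added example, not part of the original post. Heuristics only: a flagged
module is a lead to examine (dump it with dlldump, compare hashes), not
proof of infection.
"""
import re
from dataclasses import dataclass

# Constructed sample in Volatility 2 dlllist format (hypothetical values,
# not taken from stuxnet.vmem).
SAMPLE_DLLLIST = """\
Volatility Foundation Volatility Framework 2.6
************************************************************************
lsass.exe pid:   1928
Command line : "C:\\WINDOWS\\system32\\lsass.exe"
Service Pack 3

Base             Size  LoadCount Path
---------- ---------- ---------- ----
0x01000000     0x6000     0xffff C:\\WINDOWS\\system32\\lsass.exe
0x7c900000    0xb2000     0xffff C:\\WINDOWS\\system32\\ntdll.dll
0x7c800000    0xf6000     0xffff C:\\WINDOWS\\system32\\kernel32.dll
0x77dd0000    0x9b000     0xffff C:\\WINDOWS\\system32\\ADVAPI32.dll
0x10000000    0x1f000        0x1 C:\\DOCUME~1\\user\\LOCALS~1\\Temp\\update.dll
0x00d20000     0x8000        0x1 C:\\WINDOWS\\kernel32.dll
"""

# Directories where system DLLs legitimately live (compared case-insensitively).
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\", "c:\\windows\\winsxs\\")

PID_RE = re.compile(r"^(\S+)\s+pid:\s+(\d+)\s*$")
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(\S.*)$")


@dataclass
class Module:
    base: int
    size: int
    load_count: int
    path: str


@dataclass
class Finding:
    module: Module
    reasons: list


def parse_dlllist(text):
    """Return (process_name, pid, [Module]) from one process's dlllist output."""
    name, pid, modules = None, None, []
    for line in text.splitlines():
        line = line.strip()
        m = PID_RE.match(line)
        if m:
            name, pid = m.group(1), int(m.group(2))
            continue
        m = ROW_RE.match(line)
        if m:
            modules.append(Module(int(m.group(1), 16), int(m.group(2), 16),
                                  int(m.group(3), 16), m.group(4).strip()))
    return name, pid, modules


def triage(modules):
    """Flag modules worth a closer look. The first entry is the process image itself."""
    by_name = {}
    for mod in modules:
        by_name.setdefault(mod.path.rsplit("\\", 1)[-1].lower(), []).append(mod)
    findings = []
    for mod in modules:
        reasons = []
        lower = mod.path.lower()
        if not lower.startswith(SYSTEM_DIRS):
            reasons.append("loaded from outside the Windows system directories")
        if mod.load_count != 0xFFFF:
            # 0xffff marks a static import; a small count means LoadLibrary at runtime.
            reasons.append("dynamically loaded (LoadCount != 0xffff), not a static import")
        if len(by_name[lower.rsplit("\\", 1)[-1]]) > 1:
            reasons.append("module name appears more than once in this process")
        if reasons:
            findings.append(Finding(mod, reasons))
    return findings


def report(text):
    """Render the triage of one dlllist dump as text."""
    name, pid, modules = parse_dlllist(text)
    lines = [f"{name} (pid {pid}): {len(modules)} modules"]
    for f in triage(modules):
        lines.append(f"  0x{f.module.base:08x} {f.module.path}")
        lines.extend(f"      - {r}" for r in f.reasons)
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DLLLIST))
```

Feed it real output with `vol.exe dlllist ... -p <pid> > dlls.txt` and `report(open("dlls.txt").read())`. Both kernel32.dll entries are flagged so that the two can be compared: the copy under C:\WINDOWS with a low LoadCount is the one to dump and hash first. Because dlllist only sees what is linked in the PEB lists, run ldrmodules and malfind on the same process before concluding that nothing else is loaded.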