tobias
f3ccc09c3d
Build comprehensive malware analysis knowledge base from 3 sources: - SANS FOR610 course: 120 tools, 47 labs, 15 workflows, 27 recipes - REMnux salt-states: 340 packages parsed from GitHub - REMnux docs: 280+ tools scraped from docs.remnux.org Master inventory merges all sources into 447 tools with help tiers (rich/standard/basic). Pipeline generates: tools.db (397 entries), 397 cheatsheets with multi-tool recipes, 15 workflow guides, 224 TLDR pages, and coverage reports. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
84 lines
2.7 KiB
Plaintext
84 lines
2.7 KiB
Plaintext
============================================================
|
|
Code Injection Analysis
|
|
============================================================
|
|
|
|
Identify and analyze process injection techniques including DLL injection, process hollowing, and reflective loading.
|
|
|
|
Related FOR610 Labs: 4.9, 5.4
|
|
|
|
────────────────────────────────────────────────────────────
|
|
|
|
Step 1: Capability Detection
|
|
Tools: capa
|
|
Run capa to identify injection techniques. Look for:
|
|
'inject code', 'create suspended process', 'allocate
|
|
RWX memory'. Note MITRE ATT&CK technique IDs.
|
|
|
|
$ capa specimen.exe
|
|
|
|
Step 2: Injection Type Classification
|
|
Tools: ghidra, cutter
|
|
Identify which technique: Classic DLL injection
|
|
(LoadLibrary), Process Hollowing (CreateProcess
|
|
SUSPENDED + NtUnmapViewOfSection), Reflective DLL
|
|
(manual PE loading), APC injection (QueueUserAPC).
|
|
|
|
$ ghidra
|
|
$ cutter specimen.exe
|
|
|
|
Step 3: Target Process Analysis
|
|
Tools: ghidra
|
|
How does malware choose its target? Look for:
|
|
CreateToolhelp32Snapshot + Process32First/Next
|
|
(enumeration), hardcoded process names (svchost.exe,
|
|
explorer.exe), OpenProcess calls.
|
|
|
|
$ ghidra
|
|
|
|
Step 4: Payload Identification
|
|
Tools: ghidra
|
|
What gets injected? Trace data flow to
|
|
WriteProcessMemory or NtWriteVirtualMemory. Is it:
|
|
embedded PE, shellcode, encrypted blob? Check size and
|
|
content.
|
|
|
|
$ ghidra
|
|
|
|
Step 5: Memory Allocation Analysis
|
|
Tools: ghidra
|
|
Examine VirtualAllocEx parameters: size (hints at
|
|
payload type), protection flags
|
|
(PAGE_EXECUTE_READWRITE = 0x40 = suspicious).
|
|
Allocation address for base relocation.
|
|
|
|
$ ghidra
|
|
|
|
Step 6: Injection Verification [W]
|
|
Tools: x32dbg, x64dbg
|
|
Set breakpoint on WriteProcessMemory. When hit:
|
|
examine lpBuffer (injected data), nSize (payload
|
|
size). Dump the buffer to file for separate analysis.
|
|
|
|
$ x32dbg.exe specimen.exe
|
|
$ x64dbg.exe specimen.exe
|
|
|
|
Step 7: Extracted Payload Analysis
|
|
Tools: peframe, capa, strings
|
|
Analyze the injected payload as standalone file. Route
|
|
to: Static Analysis Workflow (if PE), Shellcode
|
|
Workflow (if shellcode), .NET Workflow (if .NET
|
|
assembly).
|
|
|
|
$ peframe specimen.exe
|
|
$ capa specimen.exe
|
|
$ strings binary.exe
|
|
|
|
Step 8: Document Technique
|
|
Record: injection technique, target process criteria,
|
|
payload type and hash, API call sequence, memory
|
|
protection flags. Map to MITRE ATT&CK (T1055.x).
|
|
|
|
────────────────────────────────────────────────────────────
|
|
Tip: 'fhelp cheat <tool>' for full examples
|
|
'Ctrl+G' for interactive cheatsheet browser
|