SANS ISC InfoSec Forums

Finding stealth injected DLLs

I've mentioned Volatility here before and I use it in my day job doing malware analysis. The problem is, I know it is capable of doing a lot more than I am currently using it for, but I rarely have the time to sit down and play with it and learn how to use it better. So, I was very pleased when I noticed that Michael Hale Ligh has written two pieces on how to use Volatility to find DLLs that have been stealthily injected into running processes. The first is Locating Hidden Clampi DLLs and the second is entitled Recovering Coreflood Binaries with Volatility. Does anyone else out there have any other tools/methods they use for trying to detect and analyze these DLL injections (or even non-stealthy ones)? Let me know via the contact page and I'll update this story.

ISC Handler
Nov 17th 2008
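As an added illustration of the idea behind the two posts linked above (example code written for this diary entry, not code from those posts or from Volatility itself), the Python script below runs the cross-view check that makes a "stealthily" injected DLL visible: every executable region in a process's VAD tree should be accounted for by the PEB loader lists, so a file-backed image the loader lists no longer name is a DLL that was unlinked from them (the Clampi case), and private executable memory that starts with an MZ/PE header is an image written straight into the process with WriteProcessMemory (the Coreflood case). The data is constructed to look like Volatility's dlllist and vadinfo output; the process, addresses, file names and page contents are all made up for the example, and the RWX-without-header rule at the end is a heuristic of this example rather than anything the posts describe.

```python
from dataclasses import dataclass, field
from typing import Dict, List

# Windows page-protection constants (real values from winnt.h).
PAGE_READWRITE = 0x04
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = (PAGE_EXECUTE | PAGE_EXECUTE_READ
             | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY)


@dataclass
class LdrEntry:
    """One module as the PEB loader lists (and Volatility's dlllist) report it."""
    base: int
    size: int
    path: str


@dataclass
class Vad:
    """One node of the process VAD tree, as vadinfo reports it."""
    start: int
    end: int
    protection: int
    file: str = ""       # backing file for mapped images, "" for private memory


@dataclass
class Process:
    pid: int
    ldr: List[LdrEntry]
    vads: List[Vad]
    # first bytes of selected regions, keyed by VAD start (constructed here)
    pages: Dict[int, bytes] = field(default_factory=dict)


def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def find_hidden_modules(proc: Process) -> List[dict]:
    """Cross-view check: each executable VAD region must be explained by the loader lists.

    Findings, in VAD order:
      unlinked-dll  file-backed image the loader lists no longer name (Clampi-style)
      injected-pe   private memory carrying an MZ/PE header (Coreflood-style)
      rwx-private   private RWX region with no header; worth dumping (heuristic)
    """
    ldr_bases = {e.base for e in proc.ldr}
    findings = []
    for vad in proc.vads:
        if not vad.protection & EXEC_MASK:
            continue                         # heaps, stacks, data: not an image
        if vad.start in ldr_bases:
            continue                         # loader knows about it: ordinary module
        if vad.file:
            kind = "unlinked-dll"
        elif looks_like_pe(proc.pages.get(vad.start, b"")):
            kind = "injected-pe"
        elif vad.protection == PAGE_EXECUTE_READWRITE:
            kind = "rwx-private"
        else:
            continue
        findings.append({"start": vad.start, "kind": kind, "file": vad.file})
    return findings


def fake_pe_header() -> bytes:
    """Minimal DOS stub plus PE signature, enough for looks_like_pe (constructed)."""
    hdr = bytearray(0x100)
    hdr[0:2] = b"MZ"
    hdr[0x3C:0x40] = (0x80).to_bytes(4, "little")   # e_lfanew
    hdr[0x80:0x84] = b"PE\x00\x00"
    return bytes(hdr)


# Constructed process: explorer.exe with kernel32 plus three suspicious regions.
# Addresses and the hidden.dll name are made up for the example.
SAMPLE = Process(
    pid=1234,
    ldr=[LdrEntry(0x00400000, 0x20000, r"C:\WINDOWS\explorer.exe"),
         LdrEntry(0x7C800000, 0xF6000, r"C:\WINDOWS\system32\kernel32.dll")],
    vads=[
        Vad(0x00400000, 0x0041FFFF, PAGE_EXECUTE_WRITECOPY, r"\WINDOWS\explorer.exe"),
        Vad(0x7C800000, 0x7C8F5FFF, PAGE_EXECUTE_WRITECOPY, r"\WINDOWS\system32\kernel32.dll"),
        Vad(0x00150000, 0x0024FFFF, PAGE_READWRITE),                               # heap
        Vad(0x10000000, 0x1001FFFF, PAGE_EXECUTE_WRITECOPY, r"\TEMP\hidden.dll"),  # unlinked from PEB
        Vad(0x00A60000, 0x00A6FFFF, PAGE_EXECUTE_READWRITE),                       # PE written in directly
        Vad(0x00B00000, 0x00B0FFFF, PAGE_EXECUTE_READWRITE),                       # RWX, header wiped
    ],
    pages={0x00A60000: fake_pe_header(), 0x00B00000: bytes(0x100)},
)


def demo() -> List[dict]:
    return find_hidden_modules(SAMPLE)


if __name__ == "__main__":
    for f in demo():
        print(f"{f['start']:#010x}  {f['kind']:<13} {f['file']}")
```

Against a real memory image the loader entries, VAD nodes and page bytes would come from the image rather than from literals; what matters is the comparison itself. Unlinking an entry from the PEB lists fools dlllist and anything else that walks those lists, but it does not touch the kernel's VAD tree, which is why the two views disagree exactly where the hidden module sits.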
