Add detection for Module Overloading

hasherezade / pe-sieve

Scans a given process. Recognizes and dumps a variety of potentially malicious implants (replaced/injected PEs, shellcodes, hooks, in-memory patches).

https://hshrzd.wordpress.com/pe-sieve/

BSD 2-Clause "Simplified" License

3.01k stars 421 forks source link

Add detection for Module Overloading #47

Closed hasherezade closed 4 years ago

hasherezade commented 4 years ago

Module Overloading is a new PE injection method that is currently not detected.

hasherezade commented 4 years ago

The added method of detections works, but give false positives. Example:

[!] 4b70000: mapped filename: C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll; module_ name:

Must be improved/replaced.

hasherezade commented 4 years ago

Scan overloaded modules for hooks: https://github.com/hasherezade/pe-sieve/commit/d4651033049da3d091895bfed8a17ad2f6e586ea