Closed rakovskij-stanislav closed 4 years ago
Hello, yes this is currently supported in a couple of ways. If executing from the run_speakeasy.py script you can supply a directory name containing the decoy modules with the "-l" flag. If you are supplying your own configuration file, the fields module_directory_x86 and module_directory_x64 allow you to specify this same directory for each architecture (see here: https://github.com/fireeye/speakeasy/blob/master/speakeasy/configs/default.json#L238).
When the emulator detects malware attempting to manually access the memory for ntoskrnl.exe, the configured module directory will be searched for a matching module name (in this case, ntoskrnl.exe).
The image will then be lazily mapped into memory so the malware can resolve exported functions like normal.
Hope that helps.
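Putting the two settings from the reply into practice, as an added example that is not part of this thread or the speakeasy project: the script below copies a speakeasy config, points module_directory_x86 and module_directory_x64 at a decoy directory, checks that the directory actually contains the modules the driver is expected to walk (ntoskrnl.exe and hal.dll, the names from the question), and then emulates the driver. The config path, the decoy directory, the required-module list and the `speakeasy.Speakeasy` / `load_module` / `run_module` calls are assumptions about the project's layout and Python API, not taken from the thread.

```python
"""
Added example, not speakeasy's own code: configure a decoy-module directory for
kernel-driver emulation and verify the decoys are present before starting.
All paths and the module list are placeholders (assumptions).
"""
import json
import os
import pathlib

# Modules a kernel-mode sample commonly scans for exports. Assumed list; extend
# it with whatever the sample you are emulating actually touches.
REQUIRED_DECOYS = ("ntoskrnl.exe", "hal.dll")


def build_config(base_cfg, module_dir):
    """Return a copy of a speakeasy config dict with both module_directory
    fields (the ones the -l flag also sets) pointed at module_dir."""
    cfg = dict(base_cfg)  # do not mutate the caller's config
    cfg["module_directory_x86"] = os.fspath(module_dir)
    cfg["module_directory_x64"] = os.fspath(module_dir)
    return cfg


def missing_decoys(present_names, required=REQUIRED_DECOYS):
    """Names from `required` that are absent from present_names.
    Compared case-insensitively because Windows module names are; this does
    not assert anything about how the emulator itself matches names."""
    present = {n.lower() for n in present_names}
    return [n for n in required if n.lower() not in present]


def check_decoy_dir(module_dir, required=REQUIRED_DECOYS):
    """Filesystem wrapper around missing_decoys(): list module_dir and report
    which required decoys are not there (all of them if the dir is missing)."""
    p = pathlib.Path(module_dir)
    if not p.is_dir():
        return list(required)
    return missing_decoys([f.name for f in p.iterdir() if f.is_file()], required)


def load_config(path):
    """Load a speakeasy JSON config (e.g. the shipped default.json)."""
    with open(path) as fh:
        return json.load(fh)


if __name__ == "__main__":
    import sys
    import speakeasy  # assumed: the speakeasy Python package is installed

    # Placeholder paths: adjust to your checkout, decoy directory and sample.
    base = load_config("speakeasy/configs/default.json")
    decoys = "./decoy_modules"
    gaps = check_decoy_dir(decoys)
    if gaps:
        sys.exit("decoy directory is missing: %s" % ", ".join(gaps))
    # Assumed API: Speakeasy(config=dict), load_module(path), run_module(module)
    se = speakeasy.Speakeasy(config=build_config(base, decoys))
    module = se.load_module(sys.argv[1])  # path to the .sys driver under test
    se.run_module(module)
```

The pre-flight check is the part worth keeping even if you drive the tool from run_speakeasy.py with -l instead: if the decoy directory lacks the module the sample scans for, the lazy mapping described in the reply has nothing to map, and the sample's export lookup simply fails rather than producing an obvious error.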
Hi. Some malware drivers read the memory of the mapped ntoskrnl.exe to find the kernel methods they want. Are there any possibilities to load my decoy ntoskrnl.exe, hal.dll, etc. into memory before the malware starts? Like it is done in the miasm sandbox with the -i param.