pi-2r / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0
0 stars 0 forks source link

Plugin for automatically detecting windows that monitor USB insertions #443

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Attached is a plugin to detect stuxnet and other malware samples that use the 
window messaging subsystem to detect USB insertions. 

Example:

$ python vol.py -f stuxnet.vmem usbwindows
Volatile Systems Volatility Framework 2.3_alpha
Context                        Process              Window               
Procedure
------------------------------ -------------------- -------------------- 
----------
0\Service-0x0-3e7$\Default     services.exe         AFX64c313            
0x013fe695
0\Service-0x0-3e5$\Default     services.exe         AFX64c313            
0x013fe695
0\SAWinSta\SADesktop           services.exe         AFX64c313            
0x013fe695
0\Service-0x0-3e4$\Default     services.exe         AFX64c313            
0x013fe695

Original issue reported on code.google.com by michael.hale@gmail.com on 5 Sep 2013 at 11:45

Attachments: