j00ru <j00ru vx gmail com>
Sunday, August 30 2009 07:19.09 CDT
I have recently released a small project called TraceHook.
It is supposed to control the CreateProcess/TerminateProcess events and dump the desired processes if marked as malware, from kernel-mode.
There is still a lot to do, but I wanted to share the current piece of code anyway - any comments are very welcome!
You can read more about it on my blog ;>
Maybe it's a basic question, but :-p
How do I open the .bin file?
@djnemo - Double click and select your favourite hex editor ;>
No, seriously, the memory dumping mechanism is currently as straightforward as possible - no internal file format is implemented by now.
The dump contents are simply all the readable memory pages written down to a file, without any further processing. My plans include adding an option like MiniDumpWriteDump, but the original idea was to produce raw, complete dumps to perform some "behavioral" analysis on - i.e. ripping suspicious image files present in the malware memory etc.
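Because a TraceHook dump is just readable pages written back to back with no container format, any post-processing has to find structures by content rather than by metadata. The following added example (my own code, not part of TraceHook) carves candidate PE image headers out of such a raw dump; the sample dump is constructed inline, and the sanity limits on e_lfanew and the section count are assumptions chosen to filter false "MZ" hits.

```python
import struct

PAGE = 0x1000  # dump is whole readable pages, so image bases land on page boundaries


def carve_pe_headers(dump: bytes):
    """Return (offset, machine, num_sections) for each plausible PE header in a raw dump.

    Assumes the layout described in the thread: readable pages concatenated, no metadata.
    Every "MZ" is checked, then confirmed by a sane e_lfanew pointing at a "PE\\0\\0" signature.
    """
    hits = []
    pos = dump.find(b"MZ")
    while pos != -1:
        if pos + 0x40 > len(dump):          # DOS header does not fit, nothing more to find
            break
        e_lfanew = struct.unpack_from("<I", dump, pos + 0x3C)[0]
        pe = pos + e_lfanew
        # assumed sanity limits: e_lfanew stays small and the COFF header fits in the dump
        if e_lfanew <= 0x400 and pe + 24 <= len(dump) and dump[pe:pe + 4] == b"PE\0\0":
            machine, num_sections = struct.unpack_from("<HH", dump, pe + 4)
            if 0 < num_sections <= 96:      # PE loader rejects anything beyond 96 sections
                hits.append((pos, machine, num_sections))
        pos = dump.find(b"MZ", pos + 1)
    return hits


def build_sample_dump() -> bytes:
    """Constructed test data: a decoy "MZ" page, a page holding a minimal PE header, a zero page."""
    dos = bytearray(0x80)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x80)  # e_lfanew -> right after the DOS header
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 3, 0, 0, 0, 0xF0, 0x22)
    header = bytes(dos) + coff
    page1 = header + b"\0" * (PAGE - len(header))
    decoy = b"MZ" + b"\x41" * (PAGE - 2)     # "MZ" with garbage e_lfanew, must be rejected
    return decoy + page1 + b"\0" * PAGE


if __name__ == "__main__":
    for off, machine, nsec in carve_pe_headers(build_sample_dump()):
        print(f"PE header at dump offset {off:#x}: machine={machine:#x}, sections={nsec}")
```

On a real dump the same loop is run over the file contents; a hit at a page-aligned offset is the usual signature of a mapped image, while unaligned hits tend to be images stored as data (e.g. a payload waiting to be written out).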