Skip to content

Commit

Permalink
Merge pull request #1300 from Abyss-W4tcher/dirty_ioc_windows_malfind
Browse files Browse the repository at this point in the history 
[plugin] Add dirty state IoC detection to malfind
  • Loading branch information
@ikelos
ikelos authored Nov 7, 2024
2 parents 130d118 + a5253ac commit efa4959
Showing 1 changed file with 27 additions and 2 deletions.
29 changes: 27 additions & 2 deletions volatility3/framework/plugins/windows/malfind.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -122,10 +122,30 @@ def list_injections(
vadinfo.winnt_protections,
)
write_exec = "EXECUTE" in protection_string and "WRITE" in protection_string
dirty_page_check = False

# the write/exec check applies to everything
if not write_exec:
continue
"""
# Inspect "PAGE_EXECUTE_READ" VAD pages to detect
# non writable memory regions having been injected
# using elevated WriteProcessMemory().
"""
if "EXECUTE" in protection_string:
for page in range(
vad.get_start(), vad.get_end(), proc_layer.page_size
):
try:
# If we have a dirty page in a non writable "EXECUTE" region, it is suspicious.
if proc_layer.is_dirty(page):
dirty_page_check = True
break
except exceptions.InvalidAddressException:
# Abort as it is likely that other addresses in the same range will also fail.
break
if not dirty_page_check:
continue
else:
continue

if (vad.get_private_memory() == 1 and vad.get_tag() == "VadS") or (
vad.get_private_memory() == 0
Expand All @@ -134,6 +154,11 @@ def list_injections(
if cls.is_vad_empty(proc_layer, vad):
continue

if dirty_page_check:
# Useful information to investigate the page content with volshell afterwards.
vollog.warning(
f"[proc_id {proc_id}] Found suspicious DIRTY + {protection_string} page at {hex(page)}",
)
data = proc_layer.read(vad.get_start(), 64, pad=True)
yield vad, data

Expand Down

0 comments on commit efa4959

Please sign in to comment.