From e419b67581e6d31d7959480d5904e283fa2929a1 Mon Sep 17 00:00:00 2001
From: Abyss Watcher
Date: Tue, 8 Oct 2024 02:06:04 +0200
Subject: [PATCH 1/2] introduce dirty state ioc

---
 .../framework/plugins/windows/malfind.py | 29 +++++++++++++++++--
 1 file changed, 27 insertions(+), 2 deletions(-)

diff --git a/volatility3/framework/plugins/windows/malfind.py b/volatility3/framework/plugins/windows/malfind.py
index 079274d698..5ce2279ccb 100644
--- a/volatility3/framework/plugins/windows/malfind.py
+++ b/volatility3/framework/plugins/windows/malfind.py
@@ -122,10 +122,30 @@ def list_injections(
 vadinfo.winnt_protections,
 )
 write_exec = "EXECUTE" in protection_string and "WRITE" in protection_string
+ dirty_page_check = False
 
- # the write/exec check applies to everything
 if not write_exec:
- continue
+ """
+ # Inspect "PAGE_EXECUTE_READ" VAD pages to detect
+ # non writable memory regions having been injected
+ # using elevated WriteProcessMemory().
+ """
+ if "EXECUTE" in protection_string:
+ for page in range(
+ vad.get_start(), vad.get_end(), proc_layer.page_size
+ ):
+ try:
+ # If we have a dirty page in a non writable "EXECUTE" region, it is suspicious.
+ if proc_layer.is_dirty(page):
+ dirty_page_check = True
+ break
+ except exceptions.InvalidAddressException:
+ # Abort as it is likely that other addresses in the same range will also fail
+ break
+ if not dirty_page_check:
+ continue
+ else:
+ continue
 
 if (vad.get_private_memory() == 1 and vad.get_tag() == "VadS") or (
 vad.get_private_memory() == 0
@@ -134,6 +154,11 @@ def list_injections(
 if cls.is_vad_empty(proc_layer, vad):
 continue
 
+ if dirty_page_check:
+ # Useful information to investigate the page content with volshell afterwards.
+ vollog.warning(
+ f"[proc_id {proc_id}] Found suspicious DIRTY + {protection_string} page at {hex(page)}",
+ )
 data = proc_layer.read(vad.get_start(), 64, pad=True)
 yield vad, data
 
From a5253ac2767ca3e0051dcc3a78de7d9b6a7589b8 Mon Sep 17 00:00:00 2001
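Review bot: The triple-quoted block under `if not write_exec:` is a bare string-expression statement rather than a comment, so it should be written as `#` lines (`# Inspect PAGE_EXECUTE_READ VADs: a non-writable EXECUTE region with a dirty page was written after it was mapped.`). The `break` in `except exceptions.InvalidAddressException` also makes the scan give up at the first page it cannot resolve, so a region whose early pages are paged out is never checked even if a later resident page is dirty — a false negative for exactly the indicator this change adds. If `is_dirty` raises for any non-present page (I cannot see its implementation from here), `continue` is the safer choice; if it raises only when the page tables themselves are unreadable, the current `break` is fine and the comment should say so. Either way this is a per-page page-table walk over every non-writable EXECUTE VAD in every process, which is likely to dominate the plugin's run time on large images and deserves a comment. The enclosing `list_injections` starts and ends outside the hunk.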
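Review bot: `hex(page)` in the added `vollog.warning` call depends on the `for page in range(...)` loop variable from the earlier hunk still being bound, which only holds because the flag is set in the same iteration that breaks; that coupling is invisible here and is likely to be flagged as possibly-unbound by linters, so capture it explicitly (`dirty_page = None` beside `dirty_page_check = False`, `dirty_page = page` beside `dirty_page_check = True`) and log `dirty_page`. This address is the indicator the patch exists to surface, yet it is emitted only as a log line, which presumably sits outside the plugin's tabular output and any structured export of it; consider carrying it into the yielded result so the finding survives automation, though I cannot see the output columns from here. The f-string also bypasses logging's lazy formatting; `vollog.warning("[proc_id %s] Found suspicious DIRTY + %s page at %#x", proc_id, protection_string, dirty_page)` follows the stdlib convention. `list_injections` continues outside the hunk.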
From: Abyss Watcher
Date: Thu, 7 Nov 2024 13:40:18 +0100
Subject: [PATCH 2/2] re-trigger black

---
 volatility3/framework/plugins/windows/malfind.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/volatility3/framework/plugins/windows/malfind.py b/volatility3/framework/plugins/windows/malfind.py
index 5ce2279ccb..1df090b5b4 100644
--- a/volatility3/framework/plugins/windows/malfind.py
+++ b/volatility3/framework/plugins/windows/malfind.py
@@ -140,7 +140,7 @@ def list_injections(
 dirty_page_check = True
 break
 except exceptions.InvalidAddressException:
- # Abort as it is likely that other addresses in the same range will also fail
+ # Abort as it is likely that other addresses in the same range will also fail.
 break
 if not dirty_page_check:
 continue