Rekall automation
""" | |
Classic DLL Injection technique detector rekall plugin | |
by Utku Corbaci ~ Malwation | |
Twitter: @rhotav | |
GitHub : @polynomen | |
""" | |
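suspiciousPids = []  # (pid, "Process" column) for every process detect() flagged


def detect(pid, rekall_session=None, symbols=("kernel32!LoadLibraryW",)):
    """Flag *pid* if one of its threads started at a LoadLibrary symbol.

    The check relies on the classic DLL-injection pattern the module
    docstring refers to: a remote thread is started at ``LoadLibrary`` so
    the thread's ``win32_start_symb`` column resolves to that export.  The
    process is appended to ``suspiciousPids`` as ``(pid, <Process column>)``
    at most once per call, however many of its threads match.

    Args:
        pid: process id handed to the Rekall ``threads`` plugin.
        rekall_session: Rekall session to query; defaults to the ``session``
            global that the interactive Rekall shell provides.
        symbols: substrings that mark a start symbol as suspicious.  The
            default covers only ``LoadLibraryW``; pass for example
            ``("kernel32!LoadLibraryA", "kernel32!LoadLibraryW",
            "kernel32!LoadLibraryExW")`` to widen the check.  Injection
            methods whose thread does not start at one of these exports are
            out of scope for this heuristic.

    Returns:
        True if the process was flagged, False otherwise.
    """
    sess = session if rekall_session is None else rekall_session
    for thread_row in sess.plugins.threads(pid):
        start_symbol = str(thread_row["win32_start_symb"])
        if any(marker in start_symbol for marker in symbols):
            suspiciousPids.append((pid, thread_row["Process"]))
            return True
    return False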
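# Script body: walk every process of the loaded image through detect() and
# print the result.  `session` is the global the interactive Rekall shell
# provides; the script is meant to be run inside that shell.
try:
    pslist = session.plugins.pslist()
    for task in pslist.filter_processes():
        # Skipped on purpose: the author notes that querying lsass.exe
        # threads produced OS-version errors on Windows 11 images.
        if task.name == "lsass.exe":
            continue
        detect(task.UniqueProcessId)
    if suspiciousPids:
        print(" ")
        print("\nSuspicious PIDs:\n")
        for pid, process in suspiciousPids:
            print("PID: %d Process: %s" % (pid, process))
    else:
        print("No suspicious PIDs found.")
except Exception as e:
    # Best-effort reporting so the Rekall session keeps running; include
    # the exception type so an exception with an empty message does not
    # print as a blank line.
    print("Error: %s: %s" % (type(e).__name__, e))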