Standard Handles & Suspicious DLLs Flashcards

1
Q

ws2_32.dll

A

Used for networking. What context are you seeing this used?

2
Q

crypt32.dll

A

Used for cryptography. What context are you seeing this used?

3
Q

hnetcfg.dll

A

Used for firewall maintenance. What context are you seeing this used?

4
Q

pstorec.dll

A

Used for access to protected storage. What context are you seeing this used?

5
Q

Standard Handles

A

By analyzing a process’ standard handles you can determine where it gets input and where it sends output and error messages. This is especially helpful when investigating breaches by remote attackers.

6
Q

SE_DEBUG_PRIVILEGE

A

Gives a DLL the right to read and write other processes’ memory as if it were a debugger.

7
Q

Remote DLL Injection

A

A malicious process forces the target process to load a specified DLL from disk by calling LoadLibrary or the native LdrLoadDll. By definition, the DLL must exist on disk prior to being injected.

8
Q

Reflective DLL Injection

A

A malicious process writes a DLL (as a sequence of bytes) into the memory space of a target process. The DLL handles its own initialization without the help of the Windows loader. The DLL does not need to exist on disk prior to being injected.

9
Q

Remote Code Injection

A

A malicious process writes code into the memory space of a target process and forces it to execute. The code can be a block of shellcode (i.e. not a PE file) or it can be a PE file whose import table is preemptively configured for the target process.

10
Q

Hollow Process Injection

A

A malicious process starts a new instance of a legitimate process (such as lsass.exe) in suspended mode. Before resuming it, the executable section(s) are freed and reallocated with malicious code.

11
Q

procdump

A

PE Extraction Plugin - Dump a process executable. You can identify the process by PID (--pid) or the physical offset of its _EPROCESS (--offset). The latter option enables you to dump processes hidden from the active process list. Requires output directory (--dump-dir).

12
Q

dlldump

A

PE Extraction Plugin - Dump a DLL. You can identify the host process by PID (--pid) or the physical offset of its _EPROCESS (--offset). If the DLLs are in the load order list, you can identify them using a regex (--regex/--ignore-case) on their name. Otherwise, you can refer to them by their base address in process memory (--base). The latter option enables you to dump hidden or injected PE files. Requires output directory (--dump-dir).

13
Q

moddump

A

PE Extraction Plugin - Dump a kernel module. Similar to dlldump, if the modules you want are in the loaded modules list, you can identify them with regexes. Otherwise, to dump a PE file from anywhere in kernel memory, use the --base parameter. Requires output directory (--dump-dir).
