# PIDs of Notepad.exe processes flagged as DLL-injected; appended to by thread()
# and read back when the summary is printed.
dll_inject = list()
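def process():
    """Scan the live Rekall ``session`` and flag DLL-injected Notepad.exe processes.

    Walks the ``pslist`` plugin output, skips ``lsass.exe``, and for every
    ``Notepad.exe`` whose VAD tree looks suspicious (``vad``) inspects its
    threads (``thread``). Hits are recorded by ``thread`` in the module-level
    ``dll_inject`` list; nothing is returned.

    The image name comparison is case-insensitive because Windows image names
    are not case-sensitive, so "notepad.exe" and "Notepad.exe" are the same
    binary and the original exact-match compare would silently miss one.
    """
    procs = session.plugins.pslist()
    for eprocess in procs.filter_processes():
        # eprocess.name is a Rekall string wrapper; normalise once so both
        # comparisons below are plain, case-insensitive str comparisons.
        name = str(eprocess.name).lower()
        if name == "lsass.exe":
            continue
        if name != "notepad.exe":
            continue
        # The VAD check is the cheap filter; only matching processes pay for
        # the per-thread walk.
        if vad(eprocess):
            thread(eprocess.UniqueProcessId)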
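def vad(sample):
    """Return True if *sample*'s VAD tree holds a mapped EXECUTE_WRITECOPY file view.

    Collects the process's VAD entries via the Rekall ``vad`` plugin and looks
    for a region of type "Mapped" with protection ``EXECUTE_WRITECOPY`` and a
    backing filename — the shape an image mapped into the process takes.

    Args:
        sample: an ``_EPROCESS`` object from ``pslist`` (``RealVadRoot`` is read).

    Returns:
        True on the first matching region, False otherwise. The original fell
        off the end (returning None) when nothing matched and its
        ``len(vad_list) < 0`` guard could never fire; both are fixed here.
    """
    vad_list = session.plugins.vad().collect_vadroot(sample.RealVadRoot, sample)
    return _has_mapped_execute_writecopy(vad_list)


def _has_mapped_execute_writecopy(vad_list):
    """Return True if any entry in *vad_list* is a "Mapped" EXECUTE_WRITECOPY file."""
    # Treat None/empty as "no match" without calling len(): the plugin result
    # may be a generator rather than a list (TODO confirm against Rekall), and
    # a generator is truthy so it simply falls through to the scan below.
    if vad_list is None:
        return False
    return any(
        entry["type"] == "Mapped"
        # Deliberately ``!= None`` rather than ``is not None``: Rekall's
        # NoneObject compares equal to None but is not the None singleton,
        # so an identity check would wrongly count an absent filename as present.
        and entry["protect"] == "EXECUTE_WRITECOPY"
        and entry["filename"] != None
        for entry in vad_list
    )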
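def thread(pid):
    """Flag *pid* as DLL-injected if one of its threads started in LoadLibrary*.

    Walks the Rekall ``threads`` plugin output for the process. A thread whose
    Win32 start symbol resolves to a ``kernel32!LoadLibrary*`` export is the
    classic remote-thread injection signature, so the PID is appended to the
    module-level ``dll_inject`` list (once; the loop stops at the first hit).
    A summary of every PID flagged so far is then printed.

    The original matched only ``LoadLibraryW``; the A/Ex variants are the same
    loader entry points with different argument encodings, so they are matched
    too.

    Args:
        pid: process id (``UniqueProcessId``) to inspect.

    Returns:
        None. Side effects: may append to ``dll_inject``; prints a summary.
    """
    loadlibrary_symbols = (
        "kernel32!LoadLibraryW",
        "kernel32!LoadLibraryA",
        "kernel32!LoadLibraryExW",
        "kernel32!LoadLibraryExA",
    )
    for k in session.plugins.threads(pid):
        start_symbol = str(k["win32_start_symb"])
        if any(symbol in start_symbol for symbol in loadlibrary_symbols):
            dll_inject.append(pid)
            break  # one matching thread is enough to flag the process
    try:
        if dll_inject:
            print("\t")
            for hit in dll_inject:
                print("Notepad has been infected (PID: %d) " % (hit))
        else:
            print("Notepad has not been infected")
    except Exception as p:
        # Best-effort reporting: a pid that does not format with %d (presumably
        # a Rekall wrapper object) must not abort the scan.
        print(p)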
if __name__ == "__main__":
    # Script entry point: run the scan against the Rekall ``session`` global.
    process()