You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Could be an idea to to have an option, for example, "allfunctions", and if the DLL package is triggered, to run all exported functions present (as opposed to the "function" option, which allows you to set a specific function yourself).
In the Behavior Analysis, the Process Tree would then allow to determine which function is real or being used.
The text was updated successfully, but these errors were encountered:
This is a great idea and something I have looked at - I realised it would require pefile to be installed in the guest in order to enumerate the exports. I also considered the likelihood of crashing the process if an exported function was called with bad args, so decided it would be best done with a new process for every export. Other than that it should be straightforward. I will try and get this done, thanks for the suggestion.
Certain implants that perform DLL sideloading include dummy functions to throw off analysis systems or researchers. For example, in the RedLeaves sample seen here on page 5:
https://www.accenture.com/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf#zoom=50
Could be an idea to to have an option, for example, "allfunctions", and if the DLL package is triggered, to run all exported functions present (as opposed to the "function" option, which allows you to set a specific function yourself).
In the Behavior Analysis, the Process Tree would then allow to determine which function is real or being used.
The text was updated successfully, but these errors were encountered: