
Capture windows PE files from memory

Pradyumna Joshi edited this page Feb 26, 2016 · 2 revisions

PE capture service

This program from NoVirusThanks captures Windows PE files (executables, DLLs, drivers) as they are loaded on the system and saves a copy of each file in a specific directory, using the file's MD5 hash as the file name. It also logs the executable names, their MD5 hashes and the execution timestamp in a flat file.

Download from here - http://www.novirusthanks.org/products/pe-capture-service/

Its Windows GUI version is available here - http://www.novirusthanks.org/products/pe-capture/

Take Memory dump using Volatility

Take a dump of the infected computer's memory and then analyze it with Volatility.

Download Volatility from here - https://github.com/volatilityfoundation/volatility

Sysmon utility from sysinternals

This is another useful utility from Sysinternals, but it cannot save a copy of the executable or DLL. The events are logged to the Windows event log.
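Although Sysmon does not copy the binary, its process-create (Event ID 1) and image-load (Event ID 7) events carry the image path and the file hashes, so a short script can rebuild a hash-named copy directory and a flat log in the same spirit as PE Capture. The script below is an added example written for this page, not code from the wiki, from NoVirusThanks or from Sysinternals; it assumes Sysmon is installed with image-load logging enabled and MD5 among its configured hash algorithms, and the `$OutDir` and `$LogFile` names are chosen here for the example.

```powershell
# Added example (not part of the wiki page or the Sysmon project): read Sysmon
# process-create (ID 1) and image-load (ID 7) events from the Windows event log,
# copy each loaded PE that still exists on disk under its MD5 hash, and append
# a timestamp/hash/path line to a flat log file.
# Assumption: Sysmon is installed with image loads logged and MD5 enabled in
# its hash configuration (e.g. HashAlgorithms = md5 or *). $OutDir and $LogFile
# are example names chosen here.

$OutDir  = 'C:\pe-capture'
$LogFile = Join-Path $OutDir 'pe-capture.log'
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

$filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1, 7 }
$events = Get-WinEvent -FilterHashtable $filter -ErrorAction Stop

foreach ($ev in $events) {
    # Sysmon stores its fields as <Data Name="..."> elements; parse the XML to read them by name.
    $xml  = [xml]$ev.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    # Event 1 names the process image in "Image"; event 7 names the loaded module in "ImageLoaded".
    $path = if ($ev.Id -eq 7) { $data['ImageLoaded'] } else { $data['Image'] }

    # "Hashes" is a comma-separated list such as "MD5=...,SHA256=...,IMPHASH=..."; keep only MD5.
    $md5 = ($data['Hashes'] -split ',' | Where-Object { $_ -like 'MD5=*' }) -replace '^MD5=', ''
    if (-not $md5 -or -not $path) { continue }   # MD5 not enabled or field missing: skip the event

    $dest = Join-Path $OutDir $md5
    if (-not (Test-Path $dest) -and (Test-Path $path)) {
        # Copy the on-disk file if it is still present; a file deleted after loading
        # cannot be recovered from the event log, only its hash and path are kept.
        Copy-Item -Path $path -Destination $dest -ErrorAction SilentlyContinue
    }

    # Flat log line: timestamp, Sysmon event id, MD5, original path.
    '{0:o},{1},{2},{3}' -f $ev.TimeCreated, $ev.Id, $md5, $path | Add-Content -Path $LogFile
}
```

Run it from an elevated PowerShell session, since reading the Sysmon operational log requires administrator rights. Because the copy is taken from disk after the fact rather than from memory, a sample that was deleted or overwritten after loading will leave only its hash and path in the log; that is exactly the gap a memory dump analyzed with Volatility, or a tool such as PE Capture that saves the file at load time, fills.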

Interesting link based on OSSEC HIDS

Tracking malware using OSSEC - https://blog.rootshell.be/2014/02/10/tracking-processesmalwares-using-ossec/