Capture windows PE files from memory
This program from NoVirusThanks captures Windows PE files (executables, DLLs, drivers) loaded in the system and saves a copy of each file in a specific directory (the file name is the MD5 hash). It also logs the executable names, MD5 hashes and the execution timestamps in a flat file.
Download from here - http://www.novirusthanks.org/products/pe-capture-service/
Its Windows GUI version is available here - http://www.novirusthanks.org/products/pe-capture/
Make a dump of the infected computer's memory using Volatility and then analyze it.
Download Volatility from here - https://github.com/volatilityfoundation/volatility
This is another useful utility from Sysinternals, but it cannot save a copy of the executable or DLL. The events are logged to the Windows event log.
Tracking malware using OSSEC - https://blog.rootshell.be/2014/02/10/tracking-processesmalwares-using-ossec/