MProcDetect and The Memory Cruncher (free programs)

Discussion in 'other anti-malware software' started by MrBrian, Oct 2, 2014.

  1. MrBrian

    MrBrian Registered Member

    Joined:
    Feb 24, 2008
    Posts:
    6,032
    Location:
    USA
    From https://www.virusbtn.com/conference/vb2014/abstracts/LM5-MacAulay.xml:
    1. MProcDetect:
    2. The Memory Cruncher:
    From the manual:
    Downloads: http://blockwatch.ioactive.com/.
     
  2. MrBrian

    MrBrian Registered Member

    Different/longer version of slides: hxxp://www.defcon.org/images/defcon-22/dc-22-presentations/Macaulay/DEFCON-22-Shane-Macaulay-Weird-Machine-Motivated-Practical-Page-Table-Shellcode-UPDATED.pdf .
     
  3. MrBrian

    MrBrian Registered Member

    I tried both of these programs in a virtual machine with a memory dump file produced by the free version of MoonSols Windows Memory Toolkit.

    MProcDetect (v1.0.5323.27086) output:
    Code:
    Possible Directory Base Register Value = [00187000]  File Offset = [00127000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [0B35B000]  File Offset = [0B2FB000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [0B82F000]  File Offset = [0B7CF000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [0CE23000]  File Offset = [0CDC3000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [0CEC3000]  File Offset = [0CE63000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [0DD30000]  File Offset = [0DCD0000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [129BE000]  File Offset = [1295E000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [141DD000]  File Offset = [1417D000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [14C2D000]  File Offset = [14BCD000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [15BF8000]  File Offset = [15B98000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [17FEA000]  File Offset = [17F8A000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [18754000]  File Offset = [186F4000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [18849000]  File Offset = [187E9000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1974D000]  File Offset = [196ED000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1A9FD000]  File Offset = [1A99D000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1AA35000]  File Offset = [1A9D5000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1B764000]  File Offset = [1B704000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1BB7C000]  File Offset = [1BB1C000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1C590000]  File Offset = [1C530000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1C6EF000]  File Offset = [1C68F000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1CDDD000]  File Offset = [1CD7D000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1D0D7000]  File Offset = [1D077000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1D158000]  File Offset = [1D0F8000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1D5B2000]  File Offset = [1D552000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [1D7EC000]  File Offset = [1D78C000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [20E34000]  File Offset = [20DD4000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [25583000]  File Offset = [25523000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [28848000]  File Offset = [287E8000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [2EB40000]  File Offset = [2EAE0000], Diff = [00060000], mode = [2]
    Possible Directory Base Register Value = [309B7000]  File Offset = [30957000], Diff = [00060000], mode = [2]
    30 candiate process page tables
    
    The Memory Cruncher (v0.9.1.55) crashed a few seconds after I clicked the "Generate Archive" button.
     
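The MProcDetect output quoted above has a fixed line format, and every candidate in it shows the same Diff of 0x60000 between the directory base (physical address) and the file offset. As an added example, not part of this post or of the tool, the following Python parses such lines and checks each candidate for page alignment and for agreement with that dump-wide offset, so an outlier is easy to spot before seeking into the dump. The sample text is constructed from the first three lines above plus one deliberately malformed line.

```python
import re
from collections import Counter

# Line format as printed by MProcDetect in the post above.
LINE_RE = re.compile(
    r"Possible Directory Base Register Value = \[([0-9A-Fa-f]+)\]\s+"
    r"File Offset = \[([0-9A-Fa-f]+)\],\s+Diff = \[([0-9A-Fa-f]+)\],\s+mode = \[(\d+)\]"
)

PAGE = 0x1000  # x86 page size; a page-directory base must be page aligned

# Constructed sample: three real lines from the post, plus one bogus entry
# whose DBR is not page aligned and whose stated Diff does not match.
SAMPLE = """\
Possible Directory Base Register Value = [00187000]  File Offset = [00127000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B35B000]  File Offset = [0B2FB000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [0B82F000]  File Offset = [0B7CF000], Diff = [00060000], mode = [2]
Possible Directory Base Register Value = [1C590800]  File Offset = [1C530000], Diff = [00060000], mode = [2]
30 candiate process page tables
"""


def parse_candidates(text):
    """Parse MProcDetect candidate lines into dicts; other lines are skipped."""
    out = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        dbr, off, diff = (int(m.group(i), 16) for i in (1, 2, 3))
        out.append({"dbr": dbr, "offset": off, "diff": diff, "mode": int(m.group(4))})
    return out


def check_candidates(cands):
    """Sanity-check candidates. The dump-wide offset is taken as the most common
    DBR - offset value; a candidate is flagged if its stated Diff disagrees with
    DBR - offset, if its DBR is not page aligned, or if its offset deviates from
    the consensus. Returns (consensus_offset, [(index, reason), ...])."""
    computed = [c["dbr"] - c["offset"] for c in cands]
    consensus = Counter(computed).most_common(1)[0][0] if computed else None
    problems = []
    for i, (c, real_diff) in enumerate(zip(cands, computed)):
        if real_diff != c["diff"]:
            problems.append((i, "stated Diff does not match DBR - file offset"))
        if c["dbr"] % PAGE:
            problems.append((i, "DBR is not page aligned"))
        if real_diff != consensus:
            problems.append((i, "offset differs from the rest of the dump"))
    return consensus, problems


def phys_to_file(paddr, consensus):
    """Translate a physical address to a dump file offset using the consensus."""
    return paddr - consensus
```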