The eif tool is designed to help you find evil injected malware. Malware injected directly into a process using reflective dll injection typically will not exist on disk. This tool is designed to help you find those evil injections! Administrative rights are currently necessary to adequately examine the memory of running processes. Some memory pages will be unreadable if marked as protected processes by the OS.
The latest binaries can be found in: https://github.com/psmitty7373/eif/tree/master/binaries
Evil Injection Finder (EIF)
Helping you find evil injections since 2017.
USAGE: example [options]
Options:
-h Print usage and exit.
-b Only show matches without file backing.
-c Compare in-memory code segment with on-disk code segment.
-C Only show processes with non-matching code segments.
-d Use kernel driver to access protected process memory.
-f <format> Output format (CSV,).
-i Search pages with specific permissions. Default is
EXECUTE_READWRITE.
-s <sigfile.txt> Use a signature file.
-S Only show memory pages with signature matches.
-p Specify a single PID.
-w <c:\outdir\> Write matching pages to disk.
Available Permissions: EXECUTE, EXECUTE_READ, EXECUTE_READWRITE,
EXECUTE_WRITECOPY, NOACCESS, READWRITE, WRITECOPY, READONLY
With the -w option, eif can write matching memory pages to disk. This is useful because it will allow your antivirus product an opportuntity to analyze the potentially malicious code. This is especially useful if your AV product does not suppport in-memory checking.
With the -c and -C option you can use eif to verify that the data in the code or text segment of the program matches the text segment in the file on disk. While some differences are fairly common, this can be used to find a process that has been hollowed. Combine the -c or -C option with -w to take a closer look at the mismatched memory pages.
This example demonstrates using eif with a signatures file to find injects in all processes on the system. A meterpreter has been loaded into MicrosoftEdge using reflective injection. Signatures are simple plaintext strings and an example signatures file is included.
C:\Users\IEUser\Desktop>EvilInjectFinder.exe -s sigs.txt -S
Analysing PID: 3908 : MicrosoftEdgeCP.exe
+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| Address | Permissions | Size | Module | MZ | DOS | Nops | Sigs | MD5 |
+---------------------------------------------------------------------------------------------------------------------------------------------------------+
| 480000 | EXECUTE_READWRITE | 1.14MB | | No | Yes | 0% | 5 | 6CE6C24391C37E0D4883DBA14F04EA31 |
| 1dc06950000 | EXECUTE_READWRITE | 156.00KB | | Yes | Yes | 0% | 3 | AC46BC374B6CD85D3564A3F5F62B92C1 |
| 1dc06990000 | EXECUTE_READWRITE | 436.00KB | | Yes | Yes | 0% | 8 | 13CA507C4B0A15775ABCE144B7D8C4C4 |
| 1dc07590000 | EXECUTE_READWRITE | 1.18MB | | Yes | Yes | 0% | 5 | A81939E4335F18FF2213032100411659 |
+---------------------------------------------------------------------------------------------------------------------------------------------------------+
Eif can search memory pages based on a signatures file. Currently, this is a very simplistic string match search but is effective. An example signatures file is below:
WSASTARTUP
WSADuplicateSocketA
WSACreateEvent
WSAEventSelect
WSASocketA
URLDownloadToCacheFileW
InternetCrackUrlA
InternetOpenA
InternetQueryOptionA
RevertToSelf
OpenProcessToken
CheckTokenMembership
GetTokenInformation
AdjustTokenPrivileges
HttpOpenRequestA
HttpSendRequestA
HttpQueryInfoA
ShellExecuteExW
ReflectiveLoader
AesCryptoServiceProvider
Invoke-Empire
RSACryptoServiceProvider
Thanks to Nikos Laleas, much of the initial python project was based on his project at:
https://github.com/nccgroup/memaddressanalysis
Based on ideas presented by aking1012
https://github.com/aking1012/dc20