GrepExec: The Tool
Included with this paper is a proof-of-concept tool, complete with
source, which demonstrates scanning the pool for signatures to detect
executive objects. The objects detected are DRIVER_OBJECT,
DEVICE_OBJECT, EPROCESS, and ETHREAD.
The tool makes no attempt to determine whether an object has been
hidden in any way; it simply writes the objects it finds to standard
output. At this time the author has no plans to continue work on this
specific tool; however, there are plans to integrate the memory
scanning technique into another project. The source code for the tool
can easily be modified to detect other signatures and/or other objects.
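The pool-scanning approach described above, as an added example that is not the paper's tool or its source: a Python scanner that walks a constructed memory image, matches candidate allocations by their kernel pool tag, and keeps only those whose sizes chain consistently with the neighbouring pool headers, which is what separates a real object from stray bytes that happen to spell a tag. The x86 POOL_HEADER layout and the constructed sample image are assumptions of this example, not taken from the paper.

```python
import struct

# Kernel pool tags for the four executive object types the paper's tool
# carves for (tag -> object type).
SIGNATURES = {b"Proc": "EPROCESS", b"Thre": "ETHREAD",
              b"Driv": "DRIVER_OBJECT", b"Devi": "DEVICE_OBJECT"}
GRAN = 8  # x86 pool granularity; POOL_HEADER sizes count 8-byte units

def parse_header(image, off):
    """x86 POOL_HEADER layout assumed here: ULONG {PreviousSize:9, PoolIndex:7, BlockSize:9, PoolType:7}, ULONG PoolTag."""
    bits, tag = struct.unpack_from("<I4s", image, off)
    return bits & 0x1FF, (bits >> 16) & 0x1FF, tag

def make_chunk(tag, body, prev_size):
    # Build one allocation (header + body) for the constructed image.
    block_size = (8 + len(body)) // GRAN
    return struct.pack("<I4s", prev_size | (block_size << 16), tag) + body

def scan_pool(image):
    """Return (offset, object type, size) for each aligned header with a known tag whose sizes chain with its neighbours."""
    hits = []
    for off in range(0, len(image) - 7, GRAN):
        prev_size, block_size, tag = parse_header(image, off)
        if tag not in SIGNATURES or block_size == 0:
            continue
        end = off + block_size * GRAN
        if end > len(image):
            continue  # claimed allocation runs past the image
        # Backward link: the previous chunk's BlockSize must equal our PreviousSize.
        if prev_size:
            back = off - prev_size * GRAN
            if back < 0 or parse_header(image, back)[1] != prev_size:
                continue
        # Forward link: the next header's PreviousSize must point back at us.
        if end + 8 <= len(image) and parse_header(image, end)[0] != block_size:
            continue
        hits.append((off, SIGNATURES[tag], block_size * GRAN))
    return hits

def build_sample_image():
    """Constructed pool page: three genuine-looking objects, one free chunk, a fake 'Devi' header buried in a body, and a trailing header with an oversized BlockSize."""
    decoy = struct.pack("<I4s", 3 | (2 << 16), b"Devi")       # sits inside the Thre body
    image = make_chunk(b"Proc", b"\x41" * 40, 0)               # offset 0,   48 bytes
    image += make_chunk(b"Free", b"\x00" * 24, 6)              # offset 48,  32 bytes
    image += make_chunk(b"Thre", b"\x00" * 16 + decoy + b"\x00" * 32, 4)  # offset 80, 64 bytes
    image += make_chunk(b"Driv", b"\x00" * 8, 8)               # offset 144, 16 bytes
    image += struct.pack("<I4s", 2 | (0x100 << 16), b"Devi") + b"\x00" * 8  # bogus size
    return image
```

Running `scan_pool(build_sample_image())` reports the EPROCESS, ETHREAD and DRIVER_OBJECT chunks and rejects both decoys: the buried header fails the backward-link check and the trailing one claims an allocation larger than the image.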