Injection vs Extraction

[tsarpaul]

Hi, I couldn't find documentation regarding those two modules but from reading source it seems that Injection tracks injected code (duh, e.g. WriteProcessMemory) and Extraction seems to track interesting regions (e.g. NtProtectVirtualMemory).
I want to be able to extract as much malicious code as possible so I'm wondering whether it's possible to merge both modules and perhaps hear the considerations why these modules were developed into separate branches in the monitor.

To this end I'm weighing on using the old procmem feature (which I'm patching to meet ends) to just dump the whole process's code.

[kevoreilly]

I've recently been combining these two modules into the base capemon - I'm still testing them but I've attached them in case you would like to try too. You can enable injection with the option injection=1 and extraction is just extraction=1. The distinction between them is basically inter-process vs 'intra-process' but the real reason they have been separated until now is that extraction uses debugger breakpoints and so was much more complex and error-prone to develop.

I am hoping soon to make the default to have all these enabled so as to minimise the need for multiple executions - I just need to see that they are stable enough to rely upon to work on the majority of samples without hindering the baseline analysis.

I wouldn't recommend the procmemdump feature as it's so crude but it's worth noting that this has been reimplemented and is now done in-monitor as opposed to by a separate process as in spender. I'd therefore be interested to know what you are patching to improve it.

There is a lot of power in the new 'DumpInterestingRegions' function, a lot of which can be tested with the option: verbose-dumping=1, so give that a try too.
capemon.zip

[tsarpaul]

I actually noticed at DumpInterestingRegions (https://github.com/kevoreilly/capemonv2/blob/master/CAPE/CAPE.c#L1657) the verbose_dumping check is done incorrectly:

 else if (!g_config.verbose_dumping && MemInfo.BaseAddress == CallerBase)
      {
          DoOutputDebugString("DumpInterestingRegions: Dumping calling region at 0x%p.\n", MemInfo.BaseA  ddress);

The condition should be "g_config.verbose_dumping && .." instead no?

[kevoreilly]

Ah this is intended as it's assumed that if verbose_dumping is set the calling region will already have been dumped with the first api call originating there, in hooking.c.

[kevoreilly]

The injection and extraction features have now been integrated into capemon and can be switched on with injection=1 and extraction=1 options respectively, and of course simultaneously. This should take care of this issue.