Memory Dump Analysis Anthology, Volume 7 by Dmitry Vostokov

Fake Module

We started cataloguing elemental malware detection and analysis patterns. The first such pattern is called Deviant Module (page 133). In the Fake Module pattern, one of the loaded modules masquerades as a legitimate system DLL or as a widely known, value-adding DLL from some popular third-party product. To illustrate this pattern we modeled it as Victimware: a process that crashed after loading a malware module:

    0:000> k
     *** Stack trace for last set context - .thread/.cxr resets it
    Child-SP          RetAddr           Call Site
    00000000`0026f978 00000001`3f89103a 0x0
    00000000`0026f980 00000001`3f8911c4 FakeModule!wmain+0x3a
    00000000`0026f9c0 00000000`76e3652d FakeModule!__tmainCRTStartup+0x144
    00000000`0026fa00 00000000`7752c521 kernel32!BaseThreadInitThunk+0xd
    ...
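As an added illustration (not from the book and not the author's tooling), the following Python check applies the Fake Module idea to a module list of the kind collected from a debugger's module listing or a live process: a module is suspicious when it carries a well-known DLL name but loads from outside the system directories, or when its version-resource publisher does not match the expected one. The module records, the known-DLL tables and the "Acme" third-party entry are all constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: default Windows system roots; adjust for non-standard installs.
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")

# Constructed reference table: well-known DLL name -> expected CompanyName.
# A real deployment would build this from a clean reference image.
EXPECTED_PUBLISHER = {
    "ntdll.dll": "Microsoft Corporation",
    "kernel32.dll": "Microsoft Corporation",
    "version.dll": "Microsoft Corporation",
    "acmeupdate.dll": "Acme Corp",        # constructed third-party product DLL
}
SYSTEM_DLLS = {n for n, c in EXPECTED_PUBLISHER.items() if c.startswith("Microsoft")}

@dataclass
class Module:
    name: str      # base name as shown in the module list
    path: str      # on-disk path the image was mapped from
    company: str   # CompanyName from the file's version resource

def fake_module_reason(m: Module) -> Optional[str]:
    """Return why the module looks like a Fake Module, or None if it passes."""
    name, path = m.name.lower(), m.path.lower()
    in_system_dir = any(path.startswith(d + "\\") for d in SYSTEM_DIRS)
    if name in SYSTEM_DLLS and not in_system_dir:
        return f"{m.name} has a system DLL name but loads from {m.path}"
    expected = EXPECTED_PUBLISHER.get(name)
    if expected and m.company != expected:
        # CompanyName is trivially forged; treat this as a weak signal and
        # confirm with Authenticode signature validation before acting on it.
        return f"{m.name} reports publisher '{m.company}', expected '{expected}'"
    return None

def find_fake_modules(modules: List[Module]) -> List[Tuple[str, str]]:
    """Return (module name, reason) for every module that trips a check."""
    return [(m.name, r) for m in modules if (r := fake_module_reason(m))]

# Constructed module list: two genuine system DLLs and two masquerading ones.
SAMPLE_MODULES = [
    Module("ntdll.dll", r"C:\Windows\System32\ntdll.dll", "Microsoft Corporation"),
    Module("kernel32.dll", r"C:\Windows\System32\kernel32.dll", "Microsoft Corporation"),
    Module("version.dll", r"C:\Program Files\Victimware\version.dll", "Microsoft Corporation"),
    Module("acmeupdate.dll", r"C:\Users\Public\acmeupdate.dll", "Unknown"),
]

if __name__ == "__main__":
    for name, reason in find_fake_modules(SAMPLE_MODULES):
        print(f"possible Fake Module: {reason}")
```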
