PART 10: Memory Forensics
Artifact-Malware and its Primary and Secondary Effects
Once we saw an article in Facebook stream about trolling airline passengers. When they descend to an airport, they read a different city name written in large letters on the roof of some house.
An idea came to us to model this behavior for memory dump analysis: when we analyze crash dumps we usually rely on the output of some commands that redirect or reformat the contents of memory. For example, lmv WinDbg command shows module resource information such as its product name, copyright information, etc. What if that information were deliberately crafted to deceive and disturb software diagnostics and debugging process, and ultimately to explore possible vulnerabilities ...