Channel: Forensic Focus Forums - Recent Topics

General Discussion: RAM - Code injection

Hi,

First, many thanks for reading me.

I want to identify a process which injects code into another in RAM (XP). In case the code was injected via a DLL, the dlllist function of Volatility will give me useful information to identify the harmful DLL linked to the victim process. In case the injection was detected via the malfind function, how can I identify the process that initially injected the code into the victim process memory?

I tried to boot the machine in a VM and wanted to monitor specific functions (OpenProcess(), CreateRemoteThread(), LoadLibraryA()...) but I didn't find the right tool to do so. It seems that ProcMon doesn't monitor these function calls.

I would be grateful for any advice or clue to help me track down this harmful process. I'm not a memory expert, please give details.

Have a nice day!
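One way to answer the question above from the memory image itself, added here as an example that is not part of the original post: a process that wrote into the victim and started a thread there needed a handle to the victim process carrying the PROCESS_VM_WRITE, PROCESS_VM_OPERATION and PROCESS_CREATE_THREAD rights, so the rows of Volatility's `handles -t Process` output can be screened for other processes holding such a handle to the victim. The sample rows below are constructed (the column layout assumed is Volatility 2's `Offset(V) Pid Handle Access Type Details`, with Details for Process objects rendered as `name(pid)`); the pids and offsets are not from any real case.

```python
import re

# Windows PROCESS_* access-mask bits relevant to writing code into another
# process and starting a thread in it (documented Win32 constants).
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECTION_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE
RIGHT_NAMES = {
    PROCESS_CREATE_THREAD: "CREATE_THREAD",
    PROCESS_VM_OPERATION: "VM_OPERATION",
    PROCESS_VM_WRITE: "VM_WRITE",
}

# Constructed sample in the shape of `vol.py handles -t Process` rows (assumption:
# Volatility 2 layout, Details shown as image name followed by pid in parentheses).
SAMPLE_HANDLES = """\
Offset(V)  Pid  Handle  Access  Type  Details
0x89a1b2c8  1688  0x44  0x400     Process  svchost.exe(1032)
0x89a1c3d0  1032  0x10  0x100000  Process  explorer.exe(1688)
0x89a2d4e0  2044  0x7c  0x43a     Process  svchost.exe(1032)
0x89a2e5f0  2044  0x80  0x100000  Process  lsass.exe(680)
"""

ROW = re.compile(
    r"^0x[0-9a-f]+\s+(\d+)\s+0x[0-9a-f]+\s+(0x[0-9a-f]+)\s+Process\s+([^\s(]+)\((\d+)\)\s*$",
    re.IGNORECASE,
)


def parse_handles(text):
    """Return one dict per Process-type handle row; header and other rows are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append({"owner_pid": int(m.group(1)), "access": int(m.group(2), 16),
                         "target": m.group(3), "target_pid": int(m.group(4))})
    return rows


def suspects_for(victim_pid, rows):
    """List (owner_pid, rights) for every other process holding a handle to the
    victim with at least one injection-relevant right; 0x100000 (SYNCHRONIZE only)
    style handles are ignored."""
    out = []
    for r in rows:
        if r["target_pid"] != victim_pid or r["owner_pid"] == victim_pid:
            continue
        rights = r["access"] & INJECTION_RIGHTS
        if rights:
            names = [n for bit, n in RIGHT_NAMES.items() if rights & bit]
            out.append((r["owner_pid"], "|".join(names)))
    return out
```

A handle closed before the capture leaves no row, so an empty result does not clear anyone; cross-check the flagged pid against the malfind timestamps and its own command line and loaded modules.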
