
Req: -closemon2: detection for new modules loaded after loading pd64.exe -closemon #17

Open
rugabunda opened this issue Jul 20, 2020 · 5 comments

Comments

@rugabunda

rugabunda commented Jul 20, 2020

An option to dump closed modules that were loaded AFTER -closemon was initiated would be great for detecting and dumping modules... it seems this program only hooks and dumps modules that were loaded at the time closemon was initiated.

What do you think: would this be most effective for detecting malware if it only dumped unhashed modules?

Great little program! This thing is very useful.

@rugabunda
Author

rugabunda commented Jul 20, 2020

Batch file:

@echo off
:: Build a YYYY-MM-DD_HH.MM.SS stamp from WMIC's LocalDateTime (yyyymmddHHMMSS.ffffff+zzz)
FOR /f %%a IN ('WMIC OS GET LocalDateTime ^| FIND "."') DO SET DTS=%%a
SET DateTime=%DTS:~0,4%-%DTS:~4,2%-%DTS:~6,2%_%DTS:~8,2%.%DTS:~10,2%.%DTS:~12,2%
echo %DateTime%

:: Copy pd64.exe and the clean-hash database into a fresh date-time directory and run closemon from there
MD "X:\path\to\process dump v2_1\%DateTime:/=%"
copy "X:\path\to\process dump v2_1\pd64.exe" "X:\path\to\process dump v2_1\%DateTime:/=%"
copy "X:\path\to\process dump v2_1\clean.hashes" "X:\path\to\process dump v2_1\%DateTime:/=%"
:: "cd /d" also switches the drive letter, so no separate "d:" line is needed
cd /d "X:\path\to\process dump v2_1\%DateTime:/=%"
pd64.exe -closemon

:: Set a scheduled task to run this after 30-60 minutes of idle until idle stops. Process dump is copied to a date-time-generated directory and will automatically dump any PID that is closed/terminated, out from memory and into the folder. ZeroDay malware catcher. Would work a lot better if it was able to dump new (closed) processes that are not hashed.

@rugabunda rugabunda changed the title Req: -closemon2: detection for modules loaded after loading pd64.exe -closemon Req: -closemon2: detection for new modules loaded after loading pd64.exe -closemon Jul 20, 2020
@glmcdona
Owner

Thanks Rugabunda.

When process dump runs in the "-closemon" mode it only dumps processes as they close. This includes all processes it has privilege level to hook, which includes processes that were running before ProcessDump started running.

Generally, the recommended sandbox usage of ProcessDump to make sure you dump everything is:

  1. Do everything running pd64.exe from high integrity (run as administrator)
  2. Build the clean-hash database.
  3. Start the close-monitor (pd.exe -closemon) to dump all malware as they try to close.
  4. Start the malware you wish to detonate.
  5. Wait 2 minutes (or however long you'd like to wait).
  6. Now run process dump to dump all malware from processes that are still running (pd.exe -system).

I think this last step is what you're missing! So your scheduled task should also run "pd64.exe -system" at the end of the detonation to dump all malware components from currently running processes.
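The six steps above as one batch script, added here as an example that is not part of the process-dump project or of either poster's code. It assumes pd64.exe lives in the placeholder directory PD_DIR, that the script is launched from an elevated prompt, and that "-db gen" is the flag that builds clean.hashes (an assumption: confirm it against your version's help output). Like the batch file earlier in the thread, it copies pd64.exe into a timestamped directory and runs from there, so clean.hashes and the dumps land beside the binary whichever directory pd64 resolves them against.

```batch
@echo off
setlocal
:: Added example (not process-dump's own code). Assumptions: PD_DIR holds pd64.exe and is
:: writable; this runs from an elevated prompt; "-db gen" builds clean.hashes (check -help).
set "PD_DIR=X:\path\to\process dump v2_1"
set "SAMPLE=%~1"
set "WAIT_SECONDS=120"
if "%SAMPLE%"=="" (echo usage: %~nx0 ^<sample.exe^> & exit /b 1)

:: Step 1: refuse to continue without high integrity ("net session" fails when not admin)
net session >nul 2>&1 || (echo Run this from an elevated prompt. & exit /b 1)

:: Timestamped run directory, same idea as the earlier batch file but via Get-Date (no WMIC parsing)
for /f %%t in ('powershell -NoProfile -Command "Get-Date -Format yyyy-MM-dd_HH.mm.ss"') do set "RUN_DIR=%PD_DIR%\%%t"
mkdir "%RUN_DIR%" || exit /b 1
copy "%PD_DIR%\pd64.exe" "%RUN_DIR%\" >nul || exit /b 1
cd /d "%RUN_DIR%" || exit /b 1

:: Step 2: build the clean-hash database from the idle system before anything is detonated
pd64.exe -db gen

:: Step 3: close-monitor in its own window; it dumps each hooked process as it terminates
start "pd-closemon" "%RUN_DIR%\pd64.exe" -closemon

:: Step 4: detonate the sample
start "" "%SAMPLE%"

:: Step 5: wait (Start-Sleep instead of timeout, which fails when stdin is not a console, e.g. under a scheduled task)
powershell -NoProfile -Command "Start-Sleep -Seconds %WAIT_SECONDS%"

:: Step 6: dump unknown modules from every process that is still running
pd64.exe -system

echo Dumps written to "%RUN_DIR%"
endlocal
```

The close-monitor window is left running on purpose so that anything still exiting after the -system pass is also captured; close it by hand once the dumps in RUN_DIR have been collected.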

@rugabunda
Author

rugabunda commented Jul 22, 2020

Thank you, glmcdona. The problem is that -system is a one-time-only run, and -closemon does not hook newly created processes nor dump based on cleanhash. What I am suggesting is to consider creating another command line that allows system-like dumping that constantly dumps unhashed processes in real time, until it is closed. This is more of a transparent honeytrap for unknown zero-day malware, rather than personal testing. This could be incredibly useful for dumping non-persistent and zero-day malware that usually don't leave a trace. Can you do that?

@glmcdona
Owner

Thanks rugabunda.

RE: -closemon does not hook newly created processes nor dump based on cleanhash.

The '-closemon' flag searches frequently for any new processes and does hook their process terminate too :)

RE: What I am suggesting is consider creating another commandline that allows system like dumping that constantly dumps unhashed processes in realtime, until it is closed. This is more of a transparent honeytrap for unknown zero day malware, rather than personal testing. This could be incredibly useful for dumping non persistent and zero day malware that usually don't leave a trace. Can you do that?

That's a great idea and an interesting way of running the tool that I hadn't considered. I think adding another command-line flag to periodically run a full system dump of unknown modules, and adding any new modules automatically to the known hashes (so it doesn't repeatedly dump the same module over and over) would be a fairly easy change!

I'll see what I can do, or if you like I can point to the parts of the code I'd recommend changing to implement this, and maybe you could create a pull request?

@rugabunda
Author

rugabunda commented Jul 29, 2020

I have never coded before, but I would be interested in looking at it and seeing what I can learn in the process. There is a first time for everything. Would not adding any new modules automatically constitute a security risk? Could you clarify for me? Would it not be better to create a second hash file for that purpose, just for this particular command line? Alongside a periodic dump, a real-time dump of unknown modules would be even more powerful. If you used a similar method as closemon, though only dumping unknown modules, that would be most effective for locating zero-day malware, don't you think?

This is really an amazing little program you have here, it should be part of the sysinternals suite. Have you found anything else out there like it?
