RemoteWriteMonitor – A tool to help malware analysts tell that the sample is injecting code into another process.
RemoteWriteMonitor is a tool to help malware analysts tell that the sample is injecting code into another process. It is designed to find possible remote code injection and execution that does not rely on NtCreateThread/Ex(), APC queuing or thread context manipulation, which is why it watches the write and map calls themselves rather than thread creation.
Supported Platform(s) :
– Windows 7 SP1 and 8.1 (x86/x64)
Latest version v-1.2:
– Use default certificate
– Fixed build config error on the Win8.1 x64 target
Once you have installed it, you may execute the sample and see output from the driver if any.
The driver reports whenever a process created after the installation calls NtWriteVirtualMemory() or NtMapViewOfSection() against another process, and it saves what was written or mapped into the remote process. Output can be seen with DebugView and is also saved under the C:\Windows\RemoteWriteMonitor\ directory. Written and mapped data is stored as <SHA1>.bin alongside a log file.
‘injector’ can be used to test the driver’s function. Injecting and executing code into notepad.exe can be done with the following commands:
>notepad && tasklist | findstr notepad
notepad.exe 3368 Console 1 4,564 K
>injector 3368 section context
Remote Address : 00180000
Waiting for the thread get executed.
Remote Thread ID : 1912
>injector 3368 alloc context
Remote Address : 001B0000
Remote Thread ID : 2156
+ It reports all of those API calls regardless of the target's memory protection, the contents being written, or whether the written code is ever executed. Thus, you should focus only on output related to the sample you are analyzing, because the driver also reports a lot of legitimate activity.
— It was designed this way because tracking every written region and reporting only when one is executed is far more difficult.
+ It does not monitor any process that already existed when the driver was installed. Thus, if the sample injects code into explorer.exe and the injected code in explorer.exe then injects code into another process, that second injection will not be reported.
+ Saved memory contents may or may not be the same as what was executed, because the driver only takes a dump at the moment of the API call; the injector can modify the region afterwards. This is particularly true in the case of ZwMapViewOfSection().
— These are limitations, but the tool is still sufficient for letting analysts know that injection may be happening.
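Because the driver reports every cross-process write, including legitimate ones, and names each dump after the SHA1 of its contents, a small triage script is useful for narrowing the log down to the sample and checking the dumps. The script below is an added example and is not part of RemoteWriteMonitor; the log line format it parses (`<time> <api> src=<pid> dst=<pid> sha1=<hash>`) is an assumption, since the page does not document the real format, and the demo writes constructed dumps into a temporary directory instead of C:\Windows\RemoteWriteMonitor\. It follows injection lineage from the sample's PID (a process becomes "interesting" once an interesting process writes into it) and verifies that each <SHA1>.bin file still hashes to its filename.

```python
"""Triage helper for RemoteWriteMonitor-style output (added example, not project code).

ASSUMPTION: the log format below is invented for this example. Adjust LOG_RE
to match the real driver log before using this on actual output.
"""
import hashlib
import os
import re
import tempfile

# Assumed log line shape: "<time> <api> src=<pid> dst=<pid> sha1=<40 hex chars>"
LOG_RE = re.compile(
    r"^(?P<time>\S+)\s+(?P<api>NtWriteVirtualMemory|NtMapViewOfSection)"
    r"\s+src=(?P<src>\d+)\s+dst=(?P<dst>\d+)\s+sha1=(?P<sha1>[0-9a-f]{40})$"
)


def parse_log(lines):
    """Turn raw log lines into event dicts; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            d = m.groupdict()
            events.append({"time": d["time"], "api": d["api"], "src": int(d["src"]),
                           "dst": int(d["dst"]), "sha1": d["sha1"]})
    return events


def related_to_sample(events, sample_pid):
    """Keep only events that trace back to the sample.

    The sample's PID starts the set; every process it (or a descendant in this
    injection chain) writes into is added, so a later hop from notepad.exe is
    kept while unrelated writes by other processes are dropped. Note the driver
    limitation from the README: a hop through a process that pre-dated the
    driver install never appears in the log at all, so it cannot be recovered here.
    """
    interesting = {sample_pid}
    kept = []
    for ev in events:  # the driver log is assumed to be in chronological order
        if ev["src"] in interesting:
            kept.append(ev)
            interesting.add(ev["dst"])
    return kept


def verify_dumps(directory, events):
    """Check that each <SHA1>.bin referenced by an event exists and hashes to its name."""
    results = {}
    for ev in events:
        path = os.path.join(directory, ev["sha1"] + ".bin")
        if not os.path.exists(path):
            results[ev["sha1"]] = "missing"
            continue
        with open(path, "rb") as f:
            actual = hashlib.sha1(f.read()).hexdigest()
        results[ev["sha1"]] = "ok" if actual == ev["sha1"] else "mismatch"
    return results


def build_demo():
    """Constructed data: three dump files and three assumed-format log lines.

    PIDs are made up: 4000 is the sample, 3368 is notepad.exe (as in the README
    session), 6000 is a second hop, 5000/5001 are unrelated processes.
    """
    directory = tempfile.mkdtemp(prefix="rwm_demo_")
    payload_a = b"constructed payload written into notepad"
    payload_b = b"constructed payload mapped from notepad into a second process"
    payload_c = b"constructed unrelated write by another process"
    sha_a, sha_b, sha_c = (hashlib.sha1(p).hexdigest() for p in (payload_a, payload_b, payload_c))
    for sha, data in ((sha_a, payload_a), (sha_b, payload_b)):
        with open(os.path.join(directory, sha + ".bin"), "wb") as f:
            f.write(data)
    # Deliberately store wrong bytes under sha_c so verify_dumps reports a mismatch.
    with open(os.path.join(directory, sha_c + ".bin"), "wb") as f:
        f.write(b"corrupted")
    lines = [
        f"10:00:01 NtWriteVirtualMemory src=4000 dst=3368 sha1={sha_a}",
        f"10:00:02 NtWriteVirtualMemory src=5000 dst=5001 sha1={sha_c}",
        f"10:00:03 NtMapViewOfSection src=3368 dst=6000 sha1={sha_b}",
        "this line is not a driver event and is skipped",
    ]
    events = parse_log(lines)
    kept = related_to_sample(events, sample_pid=4000)
    checks = verify_dumps(directory, events)
    return events, kept, checks


if __name__ == "__main__":
    events, kept, checks = build_demo()
    for ev in kept:
        print(f"{ev['time']} {ev['api']} {ev['src']} -> {ev['dst']} dump={checks[ev['sha1']]}")
```

Run it with a real log by replacing `build_demo()` with `parse_log(open(path).read().splitlines())`, the sample's PID, and the driver's output directory; any dump reported as "mismatch" or "missing" should be treated as unreliable, which matches the README's caveat that saved contents may differ from what was eventually executed.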