Lastline Labs

Building Static and Dynamic Analyses Using Lastline's Process Snapshotting

Posted by Arunpreet Singh on 9/16/16 12:57 PM

Learn how Lastline’s process snapshotting supports malware analysis by capturing snapshots at various points throughout a malware program’s execution, allowing for deeper manual malware analysis by security researchers.


Topics: Lastline Enterprise, Email Security, Process Snapshotting, Advanced Persistent Threats, Data Breach, malware, lastline, anti malware, deep manual analysis, static analysis, web security, dynamic analysis, malware protection

Dissecting Payload Injection Using LLama Process Snapshots

Posted by Roman Vasilenko on 6/17/14 6:00 AM

In our last blog post on process snapshotting, we showed how process snapshots (or “dumps”) allow bridging the gap between dynamic and static analysis. In this post, we continue along this line and describe a related problem security analysts face: analyzing code injections in analysis tools such as IDA Pro.

Injected code is particularly tedious to analyze when working on traditional program dumps, for several reasons: the injected code is not part of the process image and is thus hard to locate, parts of the memory used by the payload might no longer be resident at the time of the snapshot, and recognizing the addresses of API functions is painful and error-prone, just to name a few.

Not when using LLama process dumps!

As we will show in this post, the high-resolution dynamic analysis engine automatically finds all code regions related to injected code. It keeps track of memory blocks allocated by the untrusted code running in the target process and includes them in the process dump for later analysis. Finally, unrelated code areas (for example, unmodified, trusted code of the process that the malware injected into) are removed from the process dump, making it small and straightforward to analyze.


Topics: Code Injection, Process Snapshotting