
[Note] Windows Security III, shellcode supplement: setting up the environment for the Get-InjectedThread script and using it

2022-06-10 13:47:00 Quadratic monster

Get-InjectedThread script source address (gist link under "Script download" below)

Preface

How to detect malware in memory

Get-InjectedThread.ps1 is a script that scans the start addresses of active threads on a system for suspicious locations. Defenders can run it across the hosts in their network to quickly identify many memory-resident malware techniques. The script calls NtQueryInformationThread on each active thread to retrieve the thread's start address, then calls VirtualQueryEx on that address to determine the attributes of the memory region it lies in. If the region the thread started in is not backed by an image on disk (its type is not MEM_IMAGE) and is executable (the execute bit is set in its protection), the thread is considered injected.

How Get-InjectedThread works

Defenders are also thinking about Visualization ( One )

  • Call CreateToolhelp32Snapshot with ProcessId set to 0 (all processes) and the Flags parameter set to 4 (TH32CS_SNAPTHREAD). This returns a snapshot of all currently running threads.
  • Walk every thread in the snapshot with Thread32First and Thread32Next.

Each of the following steps is then performed for each thread:

  • Call OpenThread to obtain a handle to the thread's kernel Thread object.
  • Using that thread handle, call NtQueryInformationThread with the ThreadInformationClass parameter set to 9 (ThreadQuerySetWin32StartAddress). This returns the thread's start address in memory.
  • Call OpenProcess to obtain a handle to the process that owns the thread.
  • Pass the process handle and the thread start address to VirtualQueryEx to query the memory page at that address. This returns a MEMORY_BASIC_INFORMATION structure.
  • Check the State and Type fields of the returned structure:
    • the State of every thread's start page should be MEM_COMMIT;
    • the Type of every thread's start page should be MEM_IMAGE.
  • If Type is not equal to MEM_IMAGE, you have a thread running code that is not backed by a file on disk (also known as injection).
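The walk described above, written out as an added example. This is not the Get-InjectedThread.ps1 script itself and not Jared Atkinson's code: it re-implements the same Toolhelp snapshot, NtQueryInformationThread, VirtualQueryEx and State/Type check with Add-Type P/Invoke declarations instead of the PSReflect-Functions module the real script uses, and it adds the executable-protection condition from the preface. The Demo namespace and the function name Find-SuspiciousThreadStart are my own names, not names from the gist.

```powershell
# Added example (not from the post or the gist). Run from an elevated 64-bit PowerShell
# session on a 64-bit OS: a 32-bit host cannot query 64-bit processes correctly, and a
# non-admin session cannot open most threads.
Add-Type -TypeDefinition @'
using System;
using System.Runtime.InteropServices;
namespace Demo {
    [StructLayout(LayoutKind.Sequential)]
    public struct THREADENTRY32 {
        public uint dwSize; public uint cntUsage; public uint th32ThreadID; public uint th32OwnerProcessID;
        public int tpBasePri; public int tpDeltaPri; public uint dwFlags;
    }
    [StructLayout(LayoutKind.Sequential)]
    public struct MEMORY_BASIC_INFORMATION {
        public IntPtr BaseAddress; public IntPtr AllocationBase; public uint AllocationProtect;
        public IntPtr RegionSize; public uint State; public uint Protect; public uint Type;
    }
    public static class Native {
        [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr CreateToolhelp32Snapshot(uint dwFlags, uint th32ProcessID);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern bool Thread32First(IntPtr hSnapshot, ref THREADENTRY32 lpte);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern bool Thread32Next(IntPtr hSnapshot, ref THREADENTRY32 lpte);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenThread(uint dwDesiredAccess, bool bInheritHandle, uint dwThreadId);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);
        [DllImport("ntdll.dll")] public static extern int NtQueryInformationThread(IntPtr hThread, int infoClass, out IntPtr info, int infoLength, IntPtr returnLength);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern IntPtr VirtualQueryEx(IntPtr hProcess, IntPtr lpAddress, out MEMORY_BASIC_INFORMATION lpBuffer, IntPtr dwLength);
        [DllImport("kernel32.dll", SetLastError = true)] public static extern bool CloseHandle(IntPtr hObject);
    }
}
'@

function Find-SuspiciousThreadStart {
    [CmdletBinding()] param()
    $TH32CS_SNAPTHREAD = 4; $THREAD_QUERY_INFORMATION = 0x40; $PROCESS_QUERY_INFORMATION = 0x400
    $ThreadQuerySetWin32StartAddress = 9
    $MEM_COMMIT = 0x1000; $MEM_IMAGE = 0x1000000
    $EXEC_MASK = 0xF0   # PAGE_EXECUTE, PAGE_EXECUTE_READ, PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY
    $typeNames = @{ 0x20000 = 'MEM_PRIVATE'; 0x40000 = 'MEM_MAPPED'; 0x1000000 = 'MEM_IMAGE' }
    $mbiSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Demo.MEMORY_BASIC_INFORMATION])

    # Step 1: snapshot of every thread on the system (ProcessId 0 = all processes)
    $snap = [Demo.Native]::CreateToolhelp32Snapshot($TH32CS_SNAPTHREAD, 0)
    if ($snap -eq [IntPtr]-1) { throw "CreateToolhelp32Snapshot failed: $([Runtime.InteropServices.Marshal]::GetLastWin32Error())" }
    try {
        $te = New-Object Demo.THREADENTRY32
        $te.dwSize = [Runtime.InteropServices.Marshal]::SizeOf([type][Demo.THREADENTRY32])
        # Step 2: walk the snapshot with Thread32First / Thread32Next
        $more = [Demo.Native]::Thread32First($snap, [ref]$te)
        while ($more) {
            $hThread = [Demo.Native]::OpenThread($THREAD_QUERY_INFORMATION, $false, $te.th32ThreadID)
            if ($hThread -ne [IntPtr]::Zero) {
                # Step 3: thread start address via NtQueryInformationThread(9)
                $start = [IntPtr]::Zero
                $status = [Demo.Native]::NtQueryInformationThread($hThread, $ThreadQuerySetWin32StartAddress, [ref]$start, [IntPtr]::Size, [IntPtr]::Zero)
                [void][Demo.Native]::CloseHandle($hThread)
                if ($status -eq 0) {
                    $hProc = [Demo.Native]::OpenProcess($PROCESS_QUERY_INFORMATION, $false, $te.th32OwnerProcessID)
                    if ($hProc -ne [IntPtr]::Zero) {
                        # Step 4: attributes of the region containing the start address
                        $mbi = New-Object Demo.MEMORY_BASIC_INFORMATION
                        $got = [Demo.Native]::VirtualQueryEx($hProc, $start, [ref]$mbi, [IntPtr]$mbiSize)
                        [void][Demo.Native]::CloseHandle($hProc)
                        # Step 5: committed, not image-backed, and executable => candidate injected thread
                        if ($got -ne [IntPtr]::Zero -and $mbi.State -eq $MEM_COMMIT -and $mbi.Type -ne $MEM_IMAGE -and ($mbi.Protect -band $EXEC_MASK) -ne 0) {
                            [pscustomobject]@{
                                ProcessId    = $te.th32OwnerProcessID
                                ProcessName  = (Get-Process -Id $te.th32OwnerProcessID -ErrorAction SilentlyContinue).ProcessName
                                ThreadId     = $te.th32ThreadID
                                StartAddress = '0x{0:X}' -f [int64]$start
                                MemoryType   = $typeNames[[int]$mbi.Type]
                                Protect      = '0x{0:X}' -f $mbi.Protect
                            }
                        }
                    }
                }
            }
            $more = [Demo.Native]::Thread32Next($snap, [ref]$te)
        }
    } finally { [void][Demo.Native]::CloseHandle($snap) }
}

Find-SuspiciousThreadStart | Format-Table -AutoSize
```

The real script goes further (it reads the bytes of the region, records the process path and command line, and flags path mismatches); this block stops at the State/Type/Protect decision so the logic of each step is visible. Expect some benign hits, for example from security products or JIT runtimes that legitimately start threads in non-image memory, so baseline a clean host before treating a result as an alert.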

Environment setup

Windows 10 1903
PowerShell 5.1
PowerShell PackageManagement
PowerShellGet

PowerShellGet installation

Installing PowerShellGet on Windows

Installing PowerShellGet correctly is important; otherwise the script below throws exceptions.

Set the script execution policy

Set-ExecutionPolicy RemoteSigned

Install PowerShellGet and NuGet

Install-Module PowerShellGet -AllowClobber -Force
Install-PackageProvider -Name NuGet -Force

Install the PSReflect-Functions module

Install-Module PowerShellGet -AllowClobber -Force
Install-Module -Name PSReflect-Functions

TLS version setting

[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

Mark the PSGallery repository as trusted

Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
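The setup steps above collected into one idempotent script, as an added example that is not from the post. It runs the steps in the order their dependencies require (TLS 1.2 before any PowerShell Gallery download, the NuGet provider before Install-Module can update PowerShellGet) and skips steps that are already done. Using -Scope CurrentUser for the execution policy is my choice, not the post's.

```powershell
# Added example (not from the post). Run in an elevated Windows PowerShell 5.1 session.
$ErrorActionPreference = 'Stop'

# 1. PowerShell Gallery requires TLS 1.2; enable it before any Install-* cmdlet talks to the gallery.
[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12

# 2. Allow local unsigned scripts (the gist files) to run, for this user only.
if ((Get-ExecutionPolicy -Scope CurrentUser) -notin @('RemoteSigned', 'Unrestricted', 'Bypass')) {
    Set-ExecutionPolicy RemoteSigned -Scope CurrentUser -Force
}

# 3. Install-Module needs the NuGet package provider.
if (-not (Get-PackageProvider -Name NuGet -ListAvailable -ErrorAction SilentlyContinue)) {
    Install-PackageProvider -Name NuGet -Force | Out-Null
}

# 4. Trust PSGallery so the Install-Module calls do not prompt interactively.
if ((Get-PSRepository -Name PSGallery).InstallationPolicy -ne 'Trusted') {
    Set-PSRepository -Name PSGallery -InstallationPolicy Trusted
}

# 5. Update the in-box PowerShellGet (the post notes the script fails without it), then PSReflect-Functions.
Install-Module -Name PowerShellGet -AllowClobber -Force
if (-not (Get-Module -ListAvailable -Name PSReflect-Functions)) {
    Install-Module -Name PSReflect-Functions -Force
}

# 6. Verify the pieces are in place before importing the gist scripts.
Import-Module PSReflect-Functions
Get-Module -Name PowerShellGet, PSReflect-Functions -ListAvailable | Select-Object Name, Version
```

If step 3 or 5 fails with a download error, the usual cause is that step 1 did not run in the same session, since the SecurityProtocol setting only lasts for the current process.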

Script download

https://gist.github.com/jaredcatkinson/23905d34537ce4b5b1818c3e6405c1d2


Set the PowerShell execution policy

Set-ExecutionPolicy RemoteSigned

Import the modules

Import-Module .\Get-InjectedThread.ps1
Import-Module .\Get-MemorySectionContent.ps1
Import-Module .\New-InjectedThread.ps1
Import-Module .\Stop-Thread.ps1

Create an injected thread: New-InjectedThread

PS> New-InjectedThread


PS> .\New-InjectedThread.ps1

Note: to run the script file directly like this, you must add a line at the end of the .ps1 file that calls the function, because the file only defines it.

Run the test: Get-InjectedThread

PS> Get-InjectedThread

Note: as with New-InjectedThread, to run the script file directly you must add a line at the end of the .ps1 file that calls the function.
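A small triage wrapper around the test above, added here as an example that is not part of the post or of the gist. It assumes Get-InjectedThread.ps1 has been imported as shown earlier and that its output objects carry the ProcessName, ProcessId, ThreadId, BaseAddress, Size, MemoryType, MemoryProtection and Bytes properties (verify with Get-InjectedThread | Get-Member, since the gist may change). The function name Invoke-InjectedThreadTriage, the output directory and the KnownGood list are assumptions of mine.

```powershell
# Added example (not from the post or the gist). Preserves each flagged region and writes a
# CSV record, so a hit can be compared across hosts even after the process is gone.
function Invoke-InjectedThreadTriage {
    [CmdletBinding()]
    param(
        [string]$OutDir = (Join-Path $env:TEMP 'injected-threads'),
        # Process names already verified as legitimate on this host (baseline a clean machine first)
        [string[]]$KnownGood = @()
    )
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

    $hits = @(Get-InjectedThread | Where-Object { $KnownGood -notcontains $_.ProcessName })

    $report = foreach ($t in $hits) {
        # Dump the region bytes that Get-InjectedThread already read out of the process
        $dump = Join-Path $OutDir ('{0}_{1}_{2}_{3:X}.bin' -f $t.ProcessName, $t.ProcessId, $t.ThreadId, [int64]$t.BaseAddress)
        [IO.File]::WriteAllBytes($dump, [byte[]]$t.Bytes)

        [pscustomobject]@{
            Time        = (Get-Date).ToString('o')
            Host        = $env:COMPUTERNAME
            ProcessName = $t.ProcessName
            ProcessId   = $t.ProcessId
            ThreadId    = $t.ThreadId
            BaseAddress = '0x{0:X}' -f [int64]$t.BaseAddress
            Size        = $t.Size
            MemoryType  = $t.MemoryType
            Protection  = $t.MemoryProtection
            Sha256      = (Get-FileHash -Path $dump -Algorithm SHA256).Hash   # same code in two hosts => same hash
            Dump        = $dump
        }
    }

    if ($report) {
        $report | Export-Csv -NoTypeInformation -Append -Path (Join-Path $OutDir 'injected-threads.csv')
    }
    $report
}

# Usage: run after New-InjectedThread to confirm the pipeline sees the test thread,
# then on a clean host to build the KnownGood baseline.
Invoke-InjectedThreadTriage | Format-Table -AutoSize
```

Once a hit is confirmed, the Stop-Thread.ps1 script imported earlier is the gist's own way to stop the thread; the dumped bytes and the CSV row remain as the record of what was running.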

Original site

Copyright notice
This article was written by [Quadratic monster]. Please include the original link when reposting. Thank you.
https://yzsam.com/2022/161/202206101253333044.html