badisrael.blogg.se

Using procmon
The test DLL (dllmain.cpp) writes a file and then shows a message box. Reconstructed from the fragments in the post, with the output path left as a placeholder because the post does not show it:

    // dllmain.cpp : Defines the entry point for the DLL application.
    #include <windows.h>
    #include <cstdio>
    BOOL APIENTRY DllMain(HMODULE, DWORD reason, LPVOID) {
        if (reason != DLL_PROCESS_ATTACH) return TRUE;        // write the file once, when the DLL is loaded
        FILE* fp = fopen("<OUTPUT_PATH>", "w");               // placeholder: the post does not show the path
        if (!fp) { MessageBoxA(nullptr, "Rio Malware cannot find file", "Loaded", MB_OK); return TRUE; }
        fputs("This is testing for fputs.\n", fp); fprintf(fp, "This is testing for fprintf.\n"); fclose(fp);
        MessageBoxA(nullptr, "Rio Malware Loaded", "Loaded", MB_OK); return TRUE;
    }

Procmon allows you to analyze file operations such as file read, write, open and close. It can also track how many bytes are read and written.

Before you run riomalware.dll, you need to have Procmon ready by clicking the capture button. I will start my DLL loading using the command below.

When Procmon is in capturing mode, you can run the malware sample. In the malware code, we found that the first step is basically to write a file. But let us assume we don't know the path and how big the file is.

We can filter out the events gathered by Procmon by using the filtering function, and adjust the filter parameters in this window.

There is another way that is also easy to approach: using the process tree. It gives you a tool like Task Manager that lists all the applications that are running and also the applications that have stopped.

Since we use regsvr32 to load our DLL, we can filter based on this application name by following the image below. When you select that option, the main window will only show events related to regsvr32, like the image below.

Because we are looking for an event related to a file write, we can again filter out events that are not related to file system operations by clicking on the following.
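As an added example that is not part of the original post, this Python script applies the same two filters to a CSV export of the Procmon capture (Process Name is regsvr32.exe, then file-system operations only) and totals the bytes written per path from the Length value in the Detail column. The CSV rows are constructed for illustration and follow Procmon's default column layout.

```python
import csv
import io
import re

# Constructed sample of a Procmon CSV export (File > Save..., CSV format) using
# Procmon's default columns. The rows are made up for this example.
SAMPLE_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.100","regsvr32.exe","4120","Process Start","","SUCCESS","Parent PID: 3988"
"10:01:02.105","regsvr32.exe","4120","Load Image","C:\\lab\\riomalware.dll","SUCCESS","Image Base: 0x7ff8a0000000"
"10:01:02.110","regsvr32.exe","4120","CreateFile","C:\\lab\\out.txt","SUCCESS","Desired Access: Generic Write"
"10:01:02.111","regsvr32.exe","4120","WriteFile","C:\\lab\\out.txt","SUCCESS","Offset: 0, Length: 30, Priority: Normal"
"10:01:02.112","regsvr32.exe","4120","WriteFile","C:\\lab\\out.txt","SUCCESS","Offset: 30, Length: 1,200, Priority: Normal"
"10:01:02.113","regsvr32.exe","4120","RegOpenKey","HKLM\\Software\\Classes","SUCCESS","Desired Access: Read"
"10:01:02.120","explorer.exe","1312","WriteFile","C:\\Users\\lab\\NTUSER.DAT","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.125","regsvr32.exe","4120","CloseFile","C:\\lab\\out.txt","SUCCESS",""
"""

# A subset of the operations Procmon shows under its "file system activity" toggle.
FILE_OPS = {"CreateFile", "ReadFile", "WriteFile", "CloseFile", "QueryBasicInformationFile"}
# Procmon prints byte counts with thousands separators, e.g. "Length: 4,096".
LENGTH_RE = re.compile(r"Length:\s*([\d,]+)")


def file_events(csv_text, process_name="regsvr32.exe"):
    """Apply the two GUI filters from the post: Process Name is <process_name>,
    then keep only file-system operations."""
    rows = csv.DictReader(io.StringIO(csv_text))
    return [r for r in rows
            if r["Process Name"].lower() == process_name.lower()
            and r["Operation"] in FILE_OPS]


def bytes_written(events):
    """Total the Length of every WriteFile event, per path, so the size of the
    file the DLL creates can be read off the capture."""
    totals = {}
    for e in events:
        m = LENGTH_RE.search(e["Detail"]) if e["Operation"] == "WriteFile" else None
        if m:
            totals[e["Path"]] = totals.get(e["Path"], 0) + int(m.group(1).replace(",", ""))
    return totals


if __name__ == "__main__":
    evts = file_events(SAMPLE_CSV)
    for e in evts:
        print(e["Operation"], e["Path"], e["Detail"])
    print(bytes_written(evts))  # {'C:\\lab\\out.txt': 1230}
```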