Detect strange memory regions and DLLs

Overview

MalMemDetect

Detect strange memory regions and DLLs

Compile as a DLL and inject into a process to identify hollowed DLLs and unmapped memory region calls.

Sleep hook seems to break a few things so I left it in but commented, as well as a few other things that are left more as "Demos" and commented out.

Results by default will output to a file in C:\ drive.

Sample Output

Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EBA20 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB400 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB940 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Found more than 5 bytes altered, there's potentially hooks here: C:\Windows\system32\xpsservices.dll Bytes Altered: 307094.000000
FOUND DLL HOLLOW.
NOW MONITORING: C:\Windows\system32\xpsservices.dll with 307094.000000 changes found. 15.442662% Overall

Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3C20 Heap Handle:000001DCB9C80000  Size: 24
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000  Size: 27648
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000  Size: 5543
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3AA0 Heap Handle:000001DCB9C80000  Size: 24
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000  Size: 27648
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000  Size: 5543
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000  Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
Owner
Just a guy made of green pixels.
null
MMCTX (Memory Management ConTeXualizer), is a tiny (< 300 lines), single header C99 library that allows for easier memory management by implementing contexts that remember allocations for you and provide freeall()-like functionality.

MMCTX (Memory Management ConTeXualizer), is a tiny (< 300 lines), single header C99 library that allows for easier memory management by implementing contexts that remember allocations for you and provide freeall()-like functionality.

A.P. Jo. 4 Oct 2, 2021
Custom memory allocators in C++ to improve the performance of dynamic memory allocation

Table of Contents Introduction Build instructions What's wrong with Malloc? Custom allocators Linear Allocator Stack Allocator Pool Allocator Free lis

Mariano Trebino 1.2k May 9, 2022
Memory-dumper - A tool for dumping files from processes memory

What is memory-dumper memory-dumper is a tool for dumping files from process's memory. The main purpose is to find patterns inside the process's memor

Alexander Nestorov 29 Feb 5, 2022
Mesh - A memory allocator that automatically reduces the memory footprint of C/C++ applications.

Mesh: Compacting Memory Management for C/C++ Mesh is a drop in replacement for malloc(3) that can transparently recover from memory fragmentation with

PLASMA @ UMass 1.4k May 7, 2022
STL compatible C++ memory allocator library using a new RawAllocator concept that is similar to an Allocator but easier to use and write.

memory The C++ STL allocator model has various flaws. For example, they are fixed to a certain type, because they are almost necessarily required to b

Jonathan Müller 1.1k May 9, 2022
OpenXenium JTAG and Flash Memory programmer

OpenXenium JTAG and Flash Memory programmer * Read: "Home Brew" on ORIGINAL XBOX - a detailed article on why and how * The tools in this repo will all

Koos du Preez 25 Feb 14, 2022
A simple windows driver that can read and write to process memory from kernel mode

ReadWriteProcessMemoryDriver A simple windows driver that can read and write to process memory from kernel mode This was just a small project for me t

Hypervisor 6 Mar 30, 2022
Tool for profiling heap usage and memory management

vizzy > ./build/vizzytrace /tmp/heapinfo.trace /bin/find /home/zznop -name vizzy _ _ ____ ____ ____ _ _ ( \/ )(_ _)(_ )(_ )( \/ ) \ /

Brandon Miller 29 Mar 19, 2022
STL compatible C++ memory allocator library using a new RawAllocator concept that is similar to an Allocator but easier to use and write.

STL compatible C++ memory allocator library using a new RawAllocator concept that is similar to an Allocator but easier to use and write.

Jonathan Müller 1k Dec 2, 2021
Test cpu and memory speed at linux-vps

Тест скорости процессора и памяти на linux-vps. Занимается бессмысленным перемножением массивов случайных чисел, для определения скорости процессора и

Anton 3 Nov 30, 2021
Using shared memory to communicate between two executables or processes, for Windows, Linux and MacOS (posix). Can also be useful for remote visualization/debugging.

shared-memory-example Using shared memory to communicate between two executables or processes, for Windows, Linux and MacOS (posix). Can also be usefu

null 8 Mar 18, 2022
A simple C++ library for creating and managing bitstreams in memory.

ezbitstream (v0.001) A simple C++ library for creating and managing bitstreams in memory. API & Implementation ezbitstream implements bitstreams with

Unsal Ozturk 2 Feb 4, 2022
Public domain cross platform lock free thread caching 16-byte aligned memory allocator implemented in C

rpmalloc - General Purpose Memory Allocator This library provides a public domain cross platform lock free thread caching 16-byte aligned memory alloc

Mattias Jansson 1.5k May 10, 2022
manually map driver for a signed driver memory space

smap manually map driver for a signed driver memory space credits https://github.com/btbd/umap tested system Windows 10 Education 20H2 UEFI installati

ekknod 71 Apr 9, 2022
Memory instrumentation tool for android app&game developers.

Overview LoliProfiler is a C/C++ memory profiling tool for Android games and applications. LoliProfiler supports profiling debuggable applications out

Tencent 416 May 13, 2022
A single file drop-in memory leak tracking solution for C++ on Windows

MemLeakTracker A single file drop-in memory leak tracking solution for C++ on Windows This small piece of code allows for global memory leak tracking

null 22 Apr 23, 2022
Dump the memory of a PPL with a userland exploit

PPLdump This tool implements a userland exploit that was initially discussed by James Forshaw (a.k.a. @tiraniddo) - in this blog post - for dumping th

Clément Labro 546 May 14, 2022
Implementation of System V shared memory (a type of inter process communication) in xv6 operating system.

NOTE: we have stopped maintaining the x86 version of xv6, and switched our efforts to the RISC-V version (https://github.com/mit-pdos/xv6-riscv.git)

Viraj Jadhav 5 Feb 21, 2022
An In-memory Embedding of CPython

An In-memory Embedding of CPython This repository contains all the build artifacts necessary to build an embedding of CPython 3.8.2 that can be run en

null 100 Apr 26, 2022