MalMemDetect
Detect strange memory regions and DLLs
Compile as a DLL and inject into a process to identify hollowed DLLs and unmapped memory region calls.
Sleep hook seems to break a few things so I left it in but commented, as well as a few other things that are left more as "Demos" and commented out.
Results by default will output to a file in C:\ drive.
Sample Output
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EBA20 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB400 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from thread with id:12780 LPVOID:000002C3807EB940 Heap Handle:000002C380790000 Size: 24
Suspicious Malloc() from thread with id:12780 LPVOID:000002C383988550 Heap Handle:000002C380790000 Size: 27648
Suspicious Malloc() from thread with id:12780 LPVOID:000002C382882650 Heap Handle:000002C380790000 Size: 5543
Suspicious Malloc() from thread with id:12780 LPVOID:000002C38082B1D0 Heap Handle:000002C380790000 Size: 32
Suspicious InternetConnectA() from thread with id:12780 Name: 10.0.0.129 Creds: (null)[(null)]
Found more than 5 bytes altered, there's potentially hooks here: C:\Windows\system32\xpsservices.dll Bytes Altered: 307094.000000
FOUND DLL HOLLOW.
NOW MONITORING: C:\Windows\system32\xpsservices.dll with 307094.000000 changes found. 15.442662% Overall
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000 Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3C20 Heap Handle:000001DCB9C80000 Size: 24
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000 Size: 27648
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000 Size: 5543
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000 Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9CD3AA0 Heap Handle:000001DCB9C80000 Size: 24
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D143F0 Heap Handle:000001DCB9C80000 Size: 27648
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCBBE52650 Heap Handle:000001DCB9C80000 Size: 5543
Suspicious Malloc() from module with name:c:\windows\system32\xpsservices.dll LPVOID:000001DCB9D0EA40 Heap Handle:000001DCB9C80000 Size: 32
Suspicious InternetConnectA() from module with name: c:\windows\system32\xpsservices.dll, Name: 10.0.0.129 Creds: (null)[(null)]
9 Aug 17, 2022
2 Feb 4, 2022
1.7k Dec 28, 2022
89 Dec 17, 2022
491 Jan 6, 2023
22 Jul 18, 2022
707 Dec 29, 2022
5 Feb 21, 2022
105 Dec 5, 2022
4 Oct 2, 2021
1.4k Jan 2, 2023
31 Nov 9, 2022
1.5k Dec 30, 2022
1.2k Dec 26, 2022
29 Oct 23, 2022
8 Dec 7, 2022
28 Jul 22, 2022
3 Nov 30, 2021