[Vol-users] Identifying HIPS process injection

I've got a suspect process running on a system. 0x0703fcb8 8880792.tmp 5940 1504 0x0b353000 2011-05-27 07:00:12 %Windir%\Temp\8880792.tmp It's 64K on disk and looks like it's packed with Armadillo: File Name: 8880792.tmp File Size: 65536 File Type: PE32 executable for MS Windows (GUI) Intel 80386 32-bit MD5 Hash: fec737234a47ae90ee79af44d3081a4d SHA1 Hash: 4fb9abf6aba05ec1232b98ab39073c7635f7b9aa Cymru MHR: Not listed Packer ID(s): => Armadillo v1.71 Number of sections: 3 -------------------- ('.text\x00\x00\x00', '0x1000', '0xb446', 49152) ('.rdata\x00\x00', '0xd000', '0x15d2', 8192) ('.data\x00\x00\x00', '0xf000', '0x20c0', 4096) I dump process memory (procmemdump) and end up with strings not much different than what I get for the file on disk. The procmemdump output is about 10K larger. The memdump output is 245M and going through the addressable memory contents I get loads of suspicious data that looks like it's related to malware. Samples: are\EES\BIFROST //sharedfreehosting.c USER remote hello keypublic WEBCAM Ekran.png Ekran.bmp 60.167.78.224 www.proxyserverlist.biz proxy_checker/index.php ClientSocket www.66444.com open ww4.tmdqq.net/51lin www3.57185.com/is686_.h 1.hao591.net/is6 exefile=cdb.exe dllfile=test.dll regedits=stubpath tp://bravor.net w.ya.ru whatismyip.co Welcom to BackDor serv by emPyte Fan666` . tem\lsass.ex ion\Run *sniff* sad yo, PRIVMSG Splinter ddos v1.0 INFECT Plus! terra.com.mx send.aspx?id= Windll22.exe !reboot !reconnect !join !pwl !connection !switch !chatslaves Connected to NetShadow v1.2 Server ID: F:\Work\TEST MyFunlove \calc.ex LAgPCfAGCxoRI CwgMCA8JERAO9x Chat-Fenster pcinfo Resolution: tmdqq.net 57185.com szfocus.net cool-pic.com dcomScaner Vortex1 mazafaka GONNA BE AN IRCF HTTP://WWW.ASEXVIDEO HACKTOOLZ ?ACTION=LOGIN&SEND= ICQBETA I suppose though that this is data from the HIPS application that has been injected into this executable's process space. The same strings are present in the memory space of all processes. I want to confirm this by finding an indicator in the process memory that attributes this data to the HIPS application. What is the best way to do this? My initial suspicion is that the VAD table could show me that. Is this right? How could this analysis proceed in Volatility? The 'modules' plugin shows me a couple of entries that I suspect relate to it. 0x8a3c01e8 mfehidk.sys 0x00f70a9000 0x052000 mfehidk.sys 0x89030a20 \SystemRoot\system32\drivers\mfetdik.sys 0x00f7697000 0x00e000 mfetdik.sys 0x89237e68 \Device\mfehidk01.sys 0x00b7f38000 0x053000 mfehidk01.sys -- Darren Spruell phatbuckett(a)gmail.com