I placed this in General Discussion, because it is only a suggestive idea.
What I thought of is that for those who are somewhat beginner to intermediate malware fighters, having a rootkit parser would be a great tool.
Simply paste the ARK log into the parser, and it will describe for the malware fighter what is going on in that line.
For example, in an RKU log, this: [1968]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
Would translate to this in the parser: Import Address Table modification, {fileA} is hooked by {fileB}/{fileC}, with the read GetProcAddress.
Just an idea. :)
Jay
seCURE Connexion Consultant
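One way such a parser could turn the RKU line quoted in the post into plain English, as an added Python example that is not part of the post or of Rootkit Unhooker itself (the field layout, the second sample line and the regex are my assumptions about the RKU log format):

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log: line 1 is the RKU entry quoted in the post, line 2 is
# made up to show a non-zero new pointer, line 3 is noise the parser must skip.
SAMPLE_LOG = """\
[1968]explorer.exe-->advapi32.dll-->kernel32.dll-->GetProcAddress, Type: IAT modification 0x77DD1218-->00000000 [shimeng.dll]
[2044]svchost.exe-->ws2_32.dll-->ntdll.dll-->NtDeviceIoControlFile, Type: IAT modification 0x71A91234-->10002F00 [unknown_code_page]
Rootkit Unhooker scan started
"""
# Assumed field layout: [pid]process-->importing module-->exporting module-->function,
# Type: <hook type> <IAT slot address>--><new pointer value> [module owning that value]
LINE_RE = re.compile(
    r"^\[(?P<pid>\d+)\](?P<chain>[^,]+), Type: (?P<type>.+?) "
    r"(?P<slot>(?:0x)?[0-9A-Fa-f]+)-->(?P<target>(?:0x)?[0-9A-Fa-f]+)"
    r"(?: \[(?P<owner>[^\]]+)\])?\s*$"
)

@dataclass
class HookEntry:
    pid: int
    process: str
    importer: str   # module whose IAT holds the patched slot
    exporter: str   # module that legitimately exports the function
    function: str
    hook_type: str
    slot: int       # address of the IAT slot
    target: int     # value now stored in the slot (0 if RKU could not resolve it)
    owner: Optional[str]  # module RKU attributes the new pointer to, if any

    def describe(self) -> str:
        # Plain-English rendering, in the spirit of the {fileA}/{fileB}/{fileC} template
        what = "Import Address Table modification" if self.hook_type == "IAT modification" else self.hook_type
        return (f"{what}: in {self.process} (PID {self.pid}), {self.importer}'s import of "
                f"{self.exporter}!{self.function} is hooked by {self.owner or 'an unnamed module'} "
                f"(IAT slot 0x{self.slot:08X} now holds 0x{self.target:08X}).")

def parse_line(line: str) -> Optional[HookEntry]:
    # Returns None for any line that is not a hook entry in the assumed format
    m = LINE_RE.match(line.strip())
    if not m or m.group("chain").count("-->") != 3:
        return None
    process, importer, exporter, function = m.group("chain").split("-->")
    return HookEntry(int(m.group("pid")), process, importer, exporter, function, m.group("type"),
                     int(m.group("slot"), 16), int(m.group("target"), 16), m.group("owner"))

def parse_log(text: str) -> List[HookEntry]:
    return [e for e in map(parse_line, text.splitlines()) if e is not None]

for entry in parse_log(SAMPLE_LOG):
    print(entry.describe())
```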