HUNTER'S PLAYBOOK
Ghost in Memory: Post-Cleanup Hunting
Analyzing volatile memory to find malicious code that remains even after the attacker deletes their tools.
Mission Objective
Identify "Orphaned" threads and malicious VAD (Virtual Address Descriptor) nodes that point to injected shellcode.
Step 1: Identifying Injected Code
We will use the malfind plugin to find "Read-Write-Execute" (RWX) memory regions that are hidden inside common system processes.
$ vol -f snapshot.vmem windows.malfind
[!] FINDING: Suspicious header at 0x2a0000 (Process: svchost.exe)
Step 2: Reconstructing the Attack
Malware leaves "stubs" behind in memory. Scan the memory strings to locate C2 (Command & Control) IP addresses.
Pro-Tip: To detect Process Hollowing, always check the system process's image path and verify its memory signature against the on-disk binary.
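To show how one dumped region is triaged after Steps 1 and 2, here is an added Python example (not part of the original playbook and not Volatility code): it checks a malfind-style region for an embedded PE header and pulls out URL/IP strings, separating RFC 1918/loopback addresses from external C2 candidates. The region bytes are constructed for illustration.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of an injected region, as malfind would dump it (not a real sample):
# a PE header that should never sit in private RWX memory, followed by C2-looking strings.
SAMPLE_REGION = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
    b"This program cannot be run in DOS mode.\r\n$\x00"
    + b"\x00" * 16
    + b"http://203.0.113.45:8443/gate.php\x00"
    + b"127.0.0.1\x00" + b"10.0.0.5\x00" + b"198.51.100.7\x00" + b"6.1.7601.24545\x00"
    + b"\x90" * 8
)

IPV4_RE = re.compile(rb"(?<![\d.])(?:\d{1,3}\.){3}\d{1,3}(?![\d.])")
URL_RE = re.compile(rb"https?://[\w.\-]+(?::\d{1,5})?(?:/[\w./?=&\-]*)?")
# Address space treated as "internal" (RFC 1918, loopback, link-local); anything else is a C2 candidate.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8")]

@dataclass
class RegionReport:
    has_pe_header: bool
    urls: list
    external_ips: list
    internal_ips: list

    @property
    def suspicious(self) -> bool:
        # A PE image or an external endpoint inside a private RWX region is worth a hunt.
        return self.has_pe_header or bool(self.external_ips) or bool(self.urls)

def triage_region(data: bytes) -> RegionReport:
    """Triage one dumped RWX region: PE header check plus C2 indicator extraction."""
    has_pe = data[:2] == b"MZ" or b"This program cannot be run in DOS mode" in data
    urls = sorted({u.decode("ascii", "replace") for u in URL_RE.findall(data)})
    external, internal = set(), set()
    for raw in IPV4_RE.findall(data):
        try:
            ip = ipaddress.ip_address(raw.decode("ascii"))
        except ValueError:  # octet > 255, i.e. a version string that only looked like an IP
            continue
        (internal if any(ip in net for net in INTERNAL_NETS) else external).add(str(ip))
    return RegionReport(has_pe, urls, sorted(external), sorted(internal))

if __name__ == "__main__":
    report = triage_region(SAMPLE_REGION)
    print(f"PE header: {report.has_pe_header}, URLs: {report.urls}")
    print(f"External IPs (C2 candidates): {report.external_ips}, internal: {report.internal_ips}")
    print("VERDICT:", "investigate" if report.suspicious else "likely benign")
```

Feed it the bytes of a region written out by malfind's dump option to get the same report for a real case.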
Step 3: Finding Persistence
Check the Registry hives inside the memory dump (for example, RunOnce keys) that survived even after the cleanup.