Use Cases

Automated Rootkit Detection with ThreatSCOPE

This article will show how you can use the ThreatSCOPE feature of WindowsSCOPE to detect rootkits installed on a system. One of the difficulties in detecting rootkits and other advanced malware is that they’re often packed, encrypted, or injected by other means than being run from an executable file on the disk. This means they…

Reverse Engineering the Vanquish Rootkit – Part 2

If you followed our prior post on the Vanquish rootkit, you might remember how we identified anomalies in a system that led us to finding a Vanquish rootkit infection. You can go back to Part 1 and review it on your own, but here is a quick summary of how we discovered the rootkit: Found…

Reverse Engineering the Vanquish Rootkit – Part 1

The first warning sign that we noticed in this snapshot was in the process for cmd.exe (this is for a Windows command line window). See below for a screenshot of the contents of this process:

Check Open Registry Keys in Memory

To view the registry keys being used by Windows at the time of a snapshot, on the left panel go to Memory View → Summary of System Activity → Open Registry Keys. Open registry keys can be viewed per process as well by going to Memory View → Processes → Open Registry Keys. From…

Virtual Memory and Address Translating for x64

Pages are represented by Page Table Entries. A Page Table Entry is part of a virtual memory hierarchy. This hierarchy gives virtual to physical address mappings at the page granularity. From highest level to lowest, the hierarchy looks like this: Page Map Level → Page Directory Pointers → Page Directories → Page Tables → Page Table Entries. Every…

Virtual Memory and Address Translating for x86 and x86 PAE

When a process starts on an x86 (32-bit) system, it is given 4GB (2^32 bytes = 4GB) of virtual memory. 4GB is a lot of memory and most processes don’t utilize the entire virtual memory space. Memory is broken up into pages of 4KB (2^12 bytes = 4KB). This gives each process access to 2^20 pages (2^32…

Comparing Open Network Sockets

As an example, the FTP client FileZilla was used to create a local FTP server. Then, a computer on the same network attempted to connect to the server. A snapshot was taken on the host computer once the server was up and running, but before any connections were made to the server. Another snapshot was…

How to Compare Multiple Memory Snapshots

In this screenshot, the example snapshot ‘Before Installing Antivirus’ is selected. The view is on Memory View → Summary of System Activity → Open Files, which is showing the Open Files for just the current snapshot. To compare this list to a list from another snapshot, check the box for the snapshots that are…

Review all Open Files Accessed by Processes in Memory

‘Process’ is the process that is using a selected entry, ‘File Name’ is the file or folder being used, and ‘Access Rights’ is what permissions the process has. One thing to note is that the starting directory is assumed to be the main drive on the computer, typically ‘Local Disk (C:)’. From the example snapshot,…

How to Capture/Analyze Network Activities from Memory

Any network connection can then be examined. For example, take a closer look at the Firefox connection in the example snapshot that has a ‘Destination’ 74.125.93.105:80. This means that the process is accessing the IP Address 74.125.93.105 using Port 80 by means of TCP. In addition to viewing a summary of the network activity,…
