diff --git a/mspaint_logs/LOG_MEMORY.txt b/mspaint_logs/LOG_MEMORY.txt
new file mode 100644
index 0000000..05ec791
--- /dev/null
+++ b/mspaint_logs/LOG_MEMORY.txt
@@ -0,0 +1,11 @@
+
+----------intercepted call to WriteProcessMemory----------
+
+
+A pointer to the base address in the specified process to which data is written is 00290000
+A pointer to the buffer that contains data to be written in the address space of the specified process is E:\Cyber\YB_CYBER\project\FinalProject\ExeFiles\ExeFiles\evil.dll
+The number of bytes to be written to the specified process is 67
+
+----------Done intercepting call to WriteProcessMemory----------
+
+
diff --git a/mspaint_logs/output_handles.txt b/mspaint_logs/output_handles.txt
new file mode 100644
index 0000000..214abc2
--- /dev/null
+++ b/mspaint_logs/output_handles.txt
@@ -0,0 +1,83 @@
+
+Nthandle v5.0 - Handle viewer
+Copyright (C) 1997-2022 Mark Russinovich
+Sysinternals - www.sysinternals.com
+
+ 4: File (---) \Device\ConDrv\Reference
+ 8: File (---) \Device\ConDrv\Input
+ C: File (---) \Device\ConDrv\Output
+ 10: File (---) \Device\ConDrv\Output
+ 14: Event
+ 18: Event
+ 1C: WaitCompletionPacket
+ 20: IoCompletion
+ 24: TpWorkerFactory
+ 28: IRTimer
+ 2C: WaitCompletionPacket
+ 30: IRTimer
+ 34: WaitCompletionPacket
+ 38: EtwRegistration
+ 3C: EtwRegistration
+ 40: EtwRegistration
+ 44: Directory \KnownDlls
+ 48: Event
+ 4C: Event
+ 50: File (RW-) C:\Windows
+ 54: Event
+ 58: Directory \KnownDlls32
+ 5C: Event
+ 60: WaitCompletionPacket
+ 64: IoCompletion
+ 68: TpWorkerFactory
+ 6C: IRTimer
+ 70: WaitCompletionPacket
+ 74: IRTimer
+ 78: WaitCompletionPacket
+ 7C: EtwRegistration
+ 80: EtwRegistration
+ 84: EtwRegistration
+ 88: Directory \KnownDlls32
+ 8C: Event
+ 90: Event
+ 94: File (RW-) \Device\Mup\;Z:000000000003750e\vmware-host\Shared Folders\E\Cyber\YB_CYBER\project\FinalProject\poc_start\poc_start
+ 98: Key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender
+ 9C: Key HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection
+ A0: ALPC Port
+ A4: File (---) \Device\ConDrv\Connect
+ A8: EtwRegistration
+ AC: Mutant \Sessions\1\BaseNamedObjects\SM0:6164:168:WilStaging_02
+ B0: Directory \Sessions\1\BaseNamedObjects
+ B4: Semaphore \Sessions\1\BaseNamedObjects\SM0:6164:168:WilStaging_02_p0
+ B8: EtwRegistration
+ BC: EtwRegistration
+ C0: EtwRegistration
+ C4: IoCompletion
+ C8: TpWorkerFactory
+ CC: IRTimer
+ D0: WaitCompletionPacket
+ D4: IRTimer
+ D8: WaitCompletionPacket
+ DC: Key HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
+ E0: Key HKLM
+ E4: Key HKLM\SYSTEM\ControlSet001\Control\Session Manager
+ E8: EtwRegistration
+ EC: EtwRegistration
+ F0: EtwRegistration
+ F4: EtwRegistration
+ F8: EtwRegistration
+ FC: EtwRegistration
+ 100: EtwRegistration
+ 104: EtwRegistration
+ 108: Key HKCU
+ 10C: Key HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
+ 110: Thread virus.exe(6164): 6312
+ 114: Event
+ 118: Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
+ 11C: Event
+ 120: Key HKLM\SYSTEM\ControlSet001\Services\WinSock2\Parameters\NameSpace_Catalog5
+ 124: EtwRegistration
+ 128: Event
+ 12C: File (---) \Device\Afd
+ 130: File (---) \Device\Afd
+ 134: File (---) \Device\Afd
+ 138: File (---) \Device\Afd