In this third post in our blog series on process snapshotting (see the previous posts on PlugX and on Shiz’s code injection), we show how to dissect exploit payloads using the LLama full-process snapshot functionality.
Document exploits are particularly tedious to analyze with traditional analysis tools, because the vast majority of the code and data in the exploited process’ memory is benign, that is, unrelated to the actual exploit. Lastline’s high-resolution malware analysis engine tracks all data generated while the document is opened and rendered, and uses that tracking to limit the process snapshots it exports for analysis to the parts relevant to the exploit (and to the shellcode and payload that follow it).
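To make the filtering idea concrete, here is an added, illustrative Python model (not Lastline’s or LLama’s code). It assumes the analysis engine has already produced a list of address ranges holding data derived from the document (the "taint" information the paragraph describes; how that tracking is implemented is not shown here) and reduces a full-process snapshot to just the spans inside those ranges. The memory regions and tainted ranges are constructed sample data, not captured from a real process.

```python
"""Illustrative snapshot filter (added example, not Lastline/LLama code).

Given the memory regions of a full-process snapshot and the address ranges
the analysis marked as derived from the rendered document ("tainted"),
keep only the bytes inside tainted ranges.  Everything else in the process
(the reader's own code, untouched heap, clean stack) is dropped.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

Span = Tuple[int, int]  # [start, end) virtual address range


@dataclass
class Region:
    name: str   # e.g. module section, "heap", "stack"
    base: int   # virtual address of the first byte
    data: bytes # snapshot contents of the region

    @property
    def end(self) -> int:
        return self.base + len(self.data)


def overlap(a: Span, b: Span) -> Optional[Span]:
    """Intersection of two half-open ranges, or None if they do not overlap."""
    lo, hi = max(a[0], b[0]), min(a[1], b[1])
    return (lo, hi) if lo < hi else None


def filter_snapshot(regions: List[Region], tainted: List[Span]) -> List[Tuple[str, int, bytes]]:
    """Return (region name, start address, bytes) for every tainted span.

    Tainted ranges that overlap or touch inside one region are merged so a
    single contiguous shellcode/heap-spray buffer comes out as one chunk.
    Tainted ranges that fall outside every snapshotted region are ignored.
    """
    kept: List[Tuple[str, int, bytes]] = []
    for region in regions:
        spans = [o for t in sorted(tainted) if (o := overlap((region.base, region.end), t))]
        merged: List[Span] = []
        for start, end in spans:
            if merged and start <= merged[-1][1]:
                merged[-1] = (merged[-1][0], max(merged[-1][1], end))
            else:
                merged.append((start, end))
        for start, end in merged:
            kept.append((region.name, start, region.data[start - region.base:end - region.base]))
    return kept


def reduction_ratio(regions: List[Region], kept: List[Tuple[str, int, bytes]]) -> float:
    """Fraction of the full snapshot that survives filtering."""
    total = sum(len(r.data) for r in regions)
    return sum(len(chunk) for _, _, chunk in kept) / total


def run_sample() -> List[Tuple[str, int, bytes]]:
    """Constructed sample snapshot: a NOP sled plus a marker in the heap, clean code and stack."""
    heap = bytearray(0x1000)
    heap[0x100:0x400] = b"\x90" * 0x2F0 + b"\xCC" * 0x10  # constructed "shellcode" placed by the document
    regions = [
        Region("reader.exe .text", 0x00401000, bytes(0x2000)),  # benign code, never tainted
        Region("heap", 0x02000000, bytes(heap)),
        Region("stack", 0x0012E000, bytes(0x2000)),
    ]
    # Constructed taint ranges as the engine might report them; the two heap
    # ranges overlap and must merge, the last one hits no snapshotted region.
    tainted = [
        (0x02000100, 0x02000300),
        (0x020002F0, 0x02000400),
        (0x0012F800, 0x0012F840),
        (0x7C800000, 0x7C800100),
    ]
    kept = filter_snapshot(regions, tainted)
    for name, addr, chunk in kept:
        print(f"{name:18s} {addr:#010x} {len(chunk):#x} bytes")
    print(f"kept {reduction_ratio(regions, kept):.1%} of the snapshot")
    return kept


if __name__ == "__main__":
    run_sample()
```

In this toy the 20 KiB snapshot shrinks to two chunks, 0x300 bytes of heap and 0x40 bytes of stack, which is what an analyst would actually open in a disassembler; the real engine's advantage is that the taint ranges come from tracking the document data as it is parsed rather than from a hand-written list.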
Read more: http://labs.lastline.com/exploit-analysis-via-process-snapshotting