– What is ROMAD Analyzer (RA)?
RA is a memory forensic tool that reliably detects injected and hidden modules in user-mode applications. It also shows the hooks present in a user-mode process address space and, in most cases, traces them to their destination point(s).
– What operating systems does RA support?
RA works under 32/64-bit Windows 7, 8.1 and 10.
– How does RA work?
The main idea is a cross-view search: the image file on disk is compared with its projection in memory, the VAD tree is compared with the PEB loader lists, and several other pairs of views are compared in the same way. Anything that exists in one view but not in the other is a candidate finding.
– Does RA require internet connection?
Partly. If you never update your OS, RA does not need one. If Windows Update is turned on, RA also needs an internet connection to fetch its own OS-specific updates.
INJECTS AND HOOKS
– What are the injects types RA detects?
We do not care which method the malware uses to get into the target process. Be it APC injection, CreateRemoteThread + WriteProcessMemory, SetThreadContext or the more recent AtomBombing technique, we only care about the post-factum result:
- RWX regions that are not present in the VAD, filtered for known false positives (as used by Zeus and Gozi)
- Shareable regions, filtered for known false positives (as used by Gapz)
- User-mode threads whose start address lies inside such shareable/RWX regions (as used by Havex)
RA is also able, to a certain degree, to detect modules whose PE headers have been wiped.
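The cross-view idea from the "How does RA work?" answer and the post-factum checks listed above, as an added example that is not ROMAD Analyzer's own code. The VAD, PEB and thread records are constructed and the address space is simplified; the region-type and protection constants are the ones from winnt.h. The wiped-header check and the empty-region false-positive filter are simplified heuristics assumed for the example, not RA's actual logic.

```python
"""Cross-view scan over a snapshot of a user-mode process.

Added example, not ROMAD Analyzer's own code.  The VAD, PEB and thread
records are constructed; the checks are the post-factum ones the FAQ
lists, applied to a simplified snapshot.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Page-protection and region-type constants from winnt.h.
PAGE_EXECUTE = 0x10
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40
PAGE_EXECUTE_WRITECOPY = 0x80
EXEC_MASK = PAGE_EXECUTE | PAGE_EXECUTE_READ | PAGE_EXECUTE_READWRITE | PAGE_EXECUTE_WRITECOPY
MEM_PRIVATE = 0x20000      # VirtualAlloc'd memory
MEM_MAPPED = 0x40000       # section-backed, shareable memory
MEM_IMAGE = 0x1000000      # mapped image file


@dataclass
class Region:
    """One VAD node as VirtualQueryEx would describe it."""
    base: int
    size: int
    protect: int
    type: int
    data: bytes            # sampled contents, starting at base


@dataclass
class Module:
    """One entry of the PEB loader lists."""
    name: str
    base: int
    size: int


@dataclass
class Thread:
    tid: int
    start: int             # Win32StartAddress


def module_for(addr: int, modules: List[Module]) -> Optional[Module]:
    return next((m for m in modules if m.base <= addr < m.base + m.size), None)


def cross_view(regions: List[Region], modules: List[Module],
               threads: List[Thread]) -> List[Tuple[str, int]]:
    """Compare the VAD view against the PEB view and flag what does not line up."""
    findings: List[Tuple[str, int]] = []
    flagged: List[Region] = []
    for r in regions:
        if not (r.protect & EXEC_MASK):
            continue                       # only executable memory can host code
        owner = module_for(r.base, modules)
        if r.type == MEM_IMAGE:
            if owner is None:              # image mapped but unlinked from the PEB lists
                findings.append(("image-not-in-peb", r.base))
                flagged.append(r)
            continue
        if owner is not None:
            continue                       # inside a module the PEB knows about
        if not r.data.strip(b"\x00"):
            continue                       # FP filter (assumed): JITs reserve RWX blocks that stay empty
        if r.type == MEM_PRIVATE and r.protect == PAGE_EXECUTE_READWRITE:
            findings.append(("rwx-private", r.base))
        elif r.type == MEM_MAPPED:
            findings.append(("shareable-exec", r.base))
        else:
            continue
        flagged.append(r)
        # Heuristic (assumed) for a wiped PE header: code further in, but the
        # first 64 bytes, where "MZ" and e_lfanew would sit, are zeroed.
        if r.data[:64] == bytes(64):
            findings.append(("wiped-pe-header", r.base))
    for t in threads:
        if any(r.base <= t.start < r.base + r.size for r in flagged):
            findings.append(("thread-in-injected", t.tid))
    return findings


def demo() -> List[Tuple[str, int]]:
    """Constructed snapshot: one legitimate DLL plus several injected regions."""
    modules = [Module("ntdll.dll", 0x7FF800000000, 0x1F0000)]
    regions = [
        Region(0x7FF800000000, 0x1F0000, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ\x90\x00"),
        Region(0x10000000, 0x20000, PAGE_EXECUTE_READ, MEM_IMAGE, b"MZ\x90\x00"),      # unlinked DLL
        Region(0x20000, 0x10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, b"MZ\x90\x00"),  # manually mapped PE
        Region(0x30000, 0x10000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, bytes(64) + b"\x55\x8b\xec"),
        Region(0x40000, 0x100000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, bytes(4096)),   # empty JIT reserve
        Region(0x50000, 0x10000, PAGE_EXECUTE_READ, MEM_MAPPED, b"\x55\x8b\xec"),      # shared section
    ]
    threads = [Thread(1234, 0x50010), Thread(5678, 0x7FF800012345)]
    return cross_view(regions, modules, threads)


if __name__ == "__main__":
    for kind, value in demo():
        print(f"{kind:20} {value:#x}")
```

The thread check is what ties the Havex-style case to the region findings: a thread is only interesting when its start address falls inside a region that already failed the cross-view, which is why the scan collects flagged regions first and walks the thread list afterwards.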
– What are the hooks types RA detects?
Whatever the hook type, RA will most likely be able to trace it to its destination point. This is useful when analyzing malware that first injects a region and then sets up hooks pointing into that region.
– What is a pseudohook?
There are certain types of hooks that legitimate software performs naturally. These include:
- Microsoft hotpatching technology
- Various JIT techniques
- NOP/LOCK/INT 3 padding
- GS cookies
- .NET .extjmps
- Many others…
RA tries to recognize these and annotate them accordingly, so you can concentrate on what really matters.
KMPlayer is a good test case for verifying that real hooks are distinguished from harmless pseudohooks.
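The hook tracing from the "What are the hooks types RA detects?" answer and the pseudohook separation from this answer, as one added example that is not ROMAD Analyzer's own code. The 32-bit address space, the module map, the on-disk bytes and the module names are constructed; only the trampoline encodings common in user-mode hooks are decoded (jmp rel8/rel32, jmp [abs32], push imm32 + ret), and the rule that an intra-module redirect or pure filler bytes count as a pseudohook is a simplification assumed for the example, not RA's actual logic.

```python
"""Trace a hook to its destination and separate real hooks from pseudohooks.

Added example, not ROMAD Analyzer's own code.  The 32-bit address space,
module map and on-disk bytes below are constructed.
"""
import struct
from typing import Dict, List, Optional, Tuple

ModuleMap = Dict[str, Tuple[int, int]]          # name -> (base, size)
PAD_BYTES = {0xCC: "INT 3", 0x90: "NOP", 0xF0: "LOCK"}


class Memory:
    """Flat read-only view of a process address space built from byte chunks."""

    def __init__(self, chunks: Dict[int, bytes]):
        self.chunks = chunks

    def read(self, addr: int, n: int) -> bytes:
        for base, data in self.chunks.items():
            if base <= addr < base + len(data):
                return data[addr - base:addr - base + n]
        return b""                                      # unmapped


def decode_branch(mem: Memory, addr: int) -> Optional[int]:
    """Target of an unconditional transfer at addr, or None if it is plain code."""
    b = mem.read(addr, 8)
    if len(b) >= 5 and b[0] == 0xE9:                    # jmp rel32
        return (addr + 5 + struct.unpack_from("<i", b, 1)[0]) & 0xFFFFFFFF
    if len(b) >= 2 and b[0] == 0xEB:                    # jmp rel8
        return (addr + 2 + struct.unpack_from("<b", b, 1)[0]) & 0xFFFFFFFF
    if len(b) >= 6 and b[0] == 0xFF and b[1] == 0x25:   # jmp dword ptr [abs32]
        slot = mem.read(struct.unpack_from("<I", b, 2)[0], 4)
        return struct.unpack("<I", slot)[0] if len(slot) == 4 else None
    if len(b) >= 6 and b[0] == 0x68 and b[5] == 0xC3:   # push imm32 ; ret
        return struct.unpack_from("<I", b, 1)[0]
    return None


def trace(mem: Memory, addr: int, max_hops: int = 16) -> List[int]:
    """Follow trampolines from addr; the last element is the destination point."""
    chain, seen = [addr], {addr}
    while len(chain) <= max_hops:
        nxt = decode_branch(mem, chain[-1])
        if nxt is None or nxt in seen:                  # plain code, or a loop
            break
        chain.append(nxt)
        seen.add(nxt)
    return chain


def module_of(addr: int, modules: ModuleMap) -> Optional[str]:
    return next((n for n, (b, s) in modules.items() if b <= addr < b + s), None)


def classify(func: int, disk: bytes, mem: Memory, modules: ModuleMap) -> dict:
    """Cross-view the function entry (disk vs memory) and explain any difference."""
    live = mem.read(func, len(disk))
    if live == disk:
        return {"verdict": "clean", "chain": [func]}
    if live and all(x in PAD_BYTES for x in live):       # filler only, no control transfer
        return {"verdict": "pseudohook", "reason": f"{PAD_BYTES[live[0]]} padding", "chain": [func]}
    chain = trace(mem, func)
    if len(chain) == 1:
        return {"verdict": "modified", "reason": "bytes differ, no branch at entry", "chain": chain}
    dest_mod = module_of(chain[-1], modules)
    if dest_mod == module_of(func, modules):             # stays in its own module: hotpatch-style
        return {"verdict": "pseudohook", "reason": "intra-module redirect", "chain": chain}
    return {"verdict": "hook", "destination": dest_mod or "unbacked memory", "chain": chain}


def run_demo() -> Dict[str, dict]:
    """Constructed address space: an ntdll.dll with four patched entries."""
    modules: ModuleMap = {"ntdll.dll": (0x77000000, 0x100000), "avhook.dll": (0x10000000, 0x10000)}
    prologue = b"\x8B\xFF\x55\x8B\xEC"                   # mov edi,edi ; push ebp ; mov ebp,esp

    def jmp32(src: int, dst: int) -> bytes:
        return b"\xE9" + struct.pack("<i", dst - (src + 5))

    mem = Memory({
        0x77001000: prologue,                            # untouched function
        0x77002000: jmp32(0x77002000, 0x00A00000),       # entry hooked into unbacked memory
        0x00A00000: b"\x68" + struct.pack("<I", 0x00A00100) + b"\xC3",  # push/ret trampoline
        0x00A00100: b"\x55\x8B\xEC",                     # final handler
        0x77002FFB: jmp32(0x77002FFB, 0x77040000) + b"\xEB\xF9\x55\x8B\xEC",  # applied hotpatch
        0x77040000: prologue,                            # replacement body in the same module
        0x77003800: b"\x90" * 5,                         # filler bytes only
        0x77004000: b"\xFF\x25" + struct.pack("<I", 0x77050000),       # jmp [slot]
        0x77050000: struct.pack("<I", 0x10001000),       # slot points into another module
        0x10001000: b"\x55\x8B\xEC",
    })
    cases = {
        "clean": (0x77001000, prologue),
        "injected": (0x77002000, prologue),
        "hotpatch": (0x77003000, prologue),
        "padding": (0x77003800, b"\xCC" * 5),
        "other-module": (0x77004000, prologue),
    }
    return {name: classify(addr, disk, mem, modules) for name, (addr, disk) in cases.items()}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result["verdict"], [f"{a:#x}" for a in result["chain"]])
```

The "hotpatch" case is the one worth studying: the function entry was rewritten to a short backward jump into the five-byte pad in front of it, and the pad holds a long jump, so the raw byte diff looks exactly like a hook. Only by following the chain to its destination and noticing that it never leaves the module does the scanner get to annotate it as a pseudohook rather than raise it as a finding. The `seen` set in `trace` guards against a trampoline that loops back on itself, which would otherwise run to the hop limit.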
– What are the known cases of false positives?
We have done our best to keep RA's false-positive rate as low as possible, but nothing is perfect. RA is known to produce false positives when legitimate software behaves in a malware-like manner. This is known for:
- portable applications created with VMware ThinApp
- portable applications created with Turbo Studio
- some antivirus products such as ESET NOD32, BullGuard Internet Security, Emsisoft Anti-Malware, G Data Internet Security, Quick Heal Total Security and Panda Security Protection
– How do you recommend analyzing malware?
RA is designed with performance in mind. We have put a lot of effort into making it as fast as possible: extensive caching and low-level tricks let polling happen in real time. However, this sometimes causes hooks to be missed inside certain VMs such as VMware, because of the way VMware handles PFNs. If you analyze malware with RA inside VMware and some hooks seem to be missing, switch to real hardware.
– I want some new features! Now!
Really? Tell us.
– How do I know when a new version of RA is released?
You used a valid email address when you filled in the form, didn't you? We will send the link to the updated version there.
We are also working on the fully automatic updater for RA. Coming Q3 2017.