Building on the hooks that already exist inside SR71.dll, it would be beneficial to add kernel-level instrumentation using the Windows Filtering Platform (WFP), i.e. a callout driver registered at the ALE (connect/accept) and transport layers.
This gives a lower, harder-to-unhook vantage point than user-mode API hooks (a sample that issues direct syscalls or restores the hooked bytes still cannot see or bypass a kernel filter) and also enables traffic sinkholes, redirection and analysis. For example, a launch parameter on the Analysis Interface could toggle a "network sinkhole" mode that drops all traffic from the malicious process and its child processes while still returning 0 (success) to the software being analyzed. Note that silently dropping packets only looks like success for connectionless traffic (UDP sends); a TCP connect() whose SYN is dropped times out with an error, so faking success for TCP means completing the handshake against a local sink, which is really the redirection case below.
This could be extended further with "Redirection", where traffic is re-routed to a local analysis server on the LAN for operators to inspect (at the ALE connect-redirect layer the callout rewrites the destination before the connection is made, so the sample sees an ordinary successful connect), and "Quarantine", which simply blocks all traffic. Because the callout receives the process ID in the flow metadata, both modes can be scoped to the analyzed process tree rather than to an executable path.
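As an added example that is not SR71's own code (the project has no WFP component yet), here is the "Quarantine" mode in its simplest form, implemented with the built-in Windows Firewall cmdlets rather than a custom callout driver. The firewall installs WFP filters keyed on the executable path (the ALE app-id condition), so the script walks the process tree rooted at the analyzed PID, collects every image path in it and adds block rules for each. It must run in an elevated PowerShell on a system with the NetSecurity module; the rule-name prefix and the function names are assumptions made for this example.

```powershell
# Added example, not SR71 project code. Quarantine mode via Windows Firewall
# (WFP filters keyed on executable path). Requires an elevated PowerShell.

$RulePrefix = 'SR71-Quarantine'   # assumed naming convention for easy teardown

function Get-ProcessTree {
    param([Parameter(Mandatory)][int]$RootPid)
    # One WMI snapshot, then a breadth-first walk over ParentProcessId links.
    $all = Get-CimInstance Win32_Process |
        Select-Object ProcessId, ParentProcessId, ExecutablePath
    $byParent = $all | Group-Object -Property ParentProcessId -AsHashTable -AsString
    $seen  = @{}
    $queue = [System.Collections.Generic.Queue[int]]::new()
    $queue.Enqueue($RootPid)
    while ($queue.Count -gt 0) {
        $current = $queue.Dequeue()
        # PIDs are reused, so a stale ParentProcessId can point back into the tree;
        # the seen-set keeps the walk from looping.
        if ($seen.ContainsKey($current)) { continue }
        $node = $all | Where-Object ProcessId -eq $current
        if (-not $node) { continue }
        $seen[$current] = $node
        foreach ($child in @($byParent["$current"])) {
            if ($child) { $queue.Enqueue([int]$child.ProcessId) }
        }
    }
    $seen.Values
}

function Enable-Quarantine {
    param([Parameter(Mandatory)][int]$RootPid)
    # Unique image paths of the analyzed process and all of its descendants.
    $paths = Get-ProcessTree -RootPid $RootPid |
        Where-Object { $_.ExecutablePath } |
        Select-Object -ExpandProperty ExecutablePath -Unique
    foreach ($path in $paths) {
        foreach ($dir in 'Outbound', 'Inbound') {
            # Block rules take precedence over allow rules in Windows Firewall.
            New-NetFirewallRule -DisplayName "$RulePrefix $dir $path" `
                -Direction $dir -Action Block -Program $path `
                -Profile Any -Enabled True | Out-Null
        }
    }
    $paths   # returned so the Analysis Interface can show what was quarantined
}

function Disable-Quarantine {
    # Tear down every rule this script created, by display-name prefix.
    Get-NetFirewallRule -DisplayName "$RulePrefix*" -ErrorAction SilentlyContinue |
        Remove-NetFirewallRule
}

# Usage (sample PID is a placeholder):
#   Enable-Quarantine -RootPid 4242
#   ... run the analysis ...
#   Disable-Quarantine
```

Two limitations of this user-mode form are exactly what motivate the kernel callout described above. First, the rules are keyed on image path, so any process running that executable is blocked, not just the analyzed tree, and a child that spawns after the scan with a new image path is missed until the tree is rescanned; a callout reads the process ID from the flow metadata and can scope per tree. Second, a firewall block is visible to the sample: connect() fails with WSAEACCES (10013) instead of returning success, so the "return 0 to the software being analyzed" behaviour needs the redirect-to-local-sink approach, which only a callout at the connect-redirect layer can provide.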