I've been playing with this issue for awhile, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide hash for so I can test?

[oasec1]

I've been playing with this issue for awhile, and apologies for the lengthy delay. It's an issue of the backing file being encrypted, but Procmon does have the ability to use virtual memory for the live data. Do you have a sample that you can test against, or provide hash for so I can test?

In Procmon if you enable File > Backing File... > Virtual Memory, that may be able to get around this issue. However, I can not guess the performance issues, or ultimate memory usage, of that.

Then one small edit to the script, within "launch_procmon_capture()" to force this:

Change:
cmdline = '"{}" /BackingFile "{}" /Quiet /Minimized'.format(procmonexe, pml_file)

To:
cmdline = '"{}" /PagingFile /Quiet /Minimized'.format(procmonexe)

Originally posted by @Rurik in #42 (comment)

[oasec1]

I tried this but it was unsuccessful. An added twist is that the ransomware is encrypting the noriben.py, therefore the procmon log file is not closing cleanly. Using your recommended changes above didn't help. When you configure procmon to save the output to the virtual file, and the noriben.py file gets encrypted the procmon program closes and no output file is generated. I was thinking, can the noriben.py file be compiled as a a python executable? Executable files are not encrypted, this would allow noriben to close when requested, either by control c or using the time commandline switch. It would also help to allow the procmon log file extension to be controlled with a commandline switch if the user desired that functionality. Another option here would be to save the output file from noriben as one of the other formats, ie, xml, csv. The procmon program doesn't currently allow this, the pml file has to be generated by procmon, the the conversion takes place.

If you would like to work on this remotely, I'd be glad to help.

Thanks
Robert

[Rurik]

I've tried it as an executable. This is working for me normally, but can you try it against your specific malware to test?

The EXE is hosted: https://github.com/Rurik/Noriben/blob/exe_test/Noriben.exe?raw=true

[oasec1]

Oddly enough this was flagged as a virus by MS defender, Wacatac.B!ml I can get it on the vm to run it. Thoughts? Robert

…

On Sun, May 30, 2021 at 2:33 PM Brian Baskin ***@***.***> wrote: I've tried it as an executable. This is working for me normally, but can you try it against your specific malware to test? The EXE is hosted: https://github.com/Rurik/Noriben/blob/exe_test/Noriben.exe?raw=true — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOV73SXE5P5QWQDJTALTQKAJBANCNFSM43LP7GMQ> .

[oasec1]

Is this a test executable or an executable version of Noriben?

…

On Sun, May 30, 2021 at 2:33 PM Brian Baskin ***@***.***> wrote: I've tried it as an executable. This is working for me normally, but can you try it against your specific malware to test? The EXE is hosted: https://github.com/Rurik/Noriben/blob/exe_test/Noriben.exe?raw=true — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOV73SXE5P5QWQDJTALTQKAJBANCNFSM43LP7GMQ> .

[oasec1]

OK, running the noriben executable from within a folder on the desktop executes but generates the output txt file and csv file but they are empty. Moving the procmon.configuration.pmc file into that same folder executes properly and does create the output text and csv files with data. Now I'll try to run the ransomware/malware and see what happens.

…

On Sun, May 30, 2021 at 2:33 PM Brian Baskin ***@***.***> wrote: I've tried it as an executable. This is working for me normally, but can you try it against your specific malware to test? The EXE is hosted: https://github.com/Rurik/Noriben/blob/exe_test/Noriben.exe?raw=true — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOV73SXE5P5QWQDJTALTQKAJBANCNFSM43LP7GMQ> .

[Rurik]

This exe is the actual noriben.py just compiled to .exe. AV may be hitting on that aspect, but I'll have to do more testing to prevent that if I start making these. This is the first time I've made one.

Python can do very weird things when compiled as .exe, especially in regards to command line arguments. If having it compiled fixes the ransomware issue, I'll look into the issues more and make a release with each version.

Thank you!

[oasec1]

It does not appear to have worked, the output files were encrypted

…

On Sun, May 30, 2021 at 4:00 PM Brian Baskin ***@***.***> wrote: This exe is the actual noriben.py just compiled to .exe. AV may be hitting on that aspect, but I'll have to do more testing to prevent that if I start making these. This is the first time I've made one. Python can do very weird things when compiled as .exe, especially in regards to command line arguments. If having it compiled fixes the ransomware issue, I'll look into the issues more and make a release with each version. Thank you! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOUORR5FSTKAJOS7T63TQKKL7ANCNFSM43LP7GMQ> .

[oasec1]

If you have some time and want to, we can work on this remotely. Maybe seeing it you'll think of another possibility.

…

On Sun, May 30, 2021 at 4:00 PM Brian Baskin ***@***.***> wrote: This exe is the actual noriben.py just compiled to .exe. AV may be hitting on that aspect, but I'll have to do more testing to prevent that if I start making these. This is the first time I've made one. Python can do very weird things when compiled as .exe, especially in regards to command line arguments. If having it compiled fixes the ransomware issue, I'll look into the issues more and make a release with each version. Thank you! — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOUORR5FSTKAJOS7T63TQKKL7ANCNFSM43LP7GMQ> .

[Rurik]

Can you provide hash of malware? Here or private (brian@thebaskins.com)?

[oasec1]

Sure I'll send it over. I'll send the password in a separate email. It is definitely ransomware.

…

On Sun, May 30, 2021 at 4:05 PM Brian Baskin ***@***.***> wrote: Can you provide hash of malware? Here or private ***@***.***)? — You are receiving this because you authored the thread. Reply to this email directly, view it on GitHub <#45 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AA7UFOWWTVI5TULAVDRFYLLTQKLCFANCNFSM43LP7GMQ> .