Enumerate the DLLs loaded by a running process. It includes hash value and certificate information.
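# Velociraptor artifact: list the DLLs loaded into in-scope processes, optionally
# enriched with a file hash and Authenticode certificate details. Indentation is
# restored here: YAML nesting is significant, and the artifact does not parse with
# every line flush left.
name: Windows.System.DLLs
description: |
  Enumerate the DLLs loaded by a running process. It includes hash value
  and certificate information.

# Process-scoping parameters default to "." (match anything); tighten them to
# limit the number of modules(pid=...) calls and the hashing/certificate work.
parameters:
  - name: ProcessRegex
    description: A regex applied to process names.
    default: .
    type: regex
  - name: PidRegex
    description: A regex applied to the process Pid.
    default: .
    type: regex
  - name: ExePathRegex
    description: A regex applied to the process executable path (Exe).
    default: .
    type: regex
  - name: CommandLineRegex
    description: A regex applied to the process command line.
    default: .
    type: regex
  - name: DllRegex
    description: A regex applied to the full dll path (e.g. whitelist all system dlls)
    default: .
    type: regex
  # Bool defaults are quoted: a bare N is a YAML 1.1 boolean on many parsers, and
  # the artifact expects the Y/N string convention.
  - name: Calculate_Hash
    description: Add a Hash column computed from each module's file on disk.
    default: "N"
    type: bool
  - name: CertificateInfo
    description: Add a Certinfo column with the module's Authenticode data.
    default: "N"
    type: bool
  # Not referenced in the query text below; presumably consumed by the process
  # plugins through the scope rather than by this artifact — confirm before
  # relying on it.
  - name: DISABLE_DANGEROUS_API_CALLS
    type: bool
    description: |
      Enable this to disable potentially flakey APIs which may cause
      crashes.

sources:
  - query: |
      -- first find processes in scope
      LET processes = SELECT Pid, Name,Exe,CommandLine
        FROM pslist()
        WHERE Name =~ ProcessRegex
          AND Pid =~ PidRegex
          AND Exe =~ ExePathRegex
          AND CommandLine =~ CommandLineRegex

      -- find modules
      -- Underscore-prefixed columns (_Exe, _CommandLine) carry the parent
      -- process context; presumably intended as auxiliary/hidden output.
      LET results = SELECT * FROM foreach(
          row=processes,
          query={
            SELECT Pid, Name,Exe as _Exe,CommandLine as _CommandLine ,
                   format(format='%x-%x', args=[ModuleBaseAddress,
                          ModuleBaseAddress+ModuleBaseSize]) AS Range,
                   ModuleName, ExePath as ModulePath
            FROM modules(pid=Pid)
            WHERE ModulePath =~ DllRegex
          })

      -- add additional enrichment usecases
      -- NOTE(review): hash() receives expand(path=ModulePath) while
      -- authenticode() is given the raw ModulePath; confirm whether the
      -- certificate lookup also needs environment-variable expansion.
      LET cert_hash = SELECT *,
             hash(path=expand(path=ModulePath)) AS Hash,
             authenticode(filename=ModulePath) AS Certinfo
        FROM results

      LET cert_nohash = SELECT *, authenticode(filename=ModulePath) AS Certinfo
        FROM results

      LET nocert_hash = SELECT *, hash(path=expand(path=ModulePath)) AS Hash
        FROM results

      -- output rows: pick the single enrichment variant matching the two
      -- bool parameters; with both off the raw module list is returned.
      SELECT * FROM if(condition= Calculate_Hash AND CertificateInfo,
          then= cert_hash,
          else= if(condition= Calculate_Hash,
              then= nocert_hash,
              else= if(condition= CertificateInfo,
                  then= cert_nohash,
                  else= results )))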