Andrey Bazhan, from Comae Technologies, just made a neat addition to SwishDbgExt: the ability to use Yara rules to hunt for processes in memory via a new command called !ms_yarascan.
!ms_yarascan
As part of improving our Incident Response and Digital Forensics SwishDbgExt [https://github.com/msuiche/SwishDbgExt] WinDbg Extension — here is a community challenge!
Recently, a lot of noise has been made about “AtomBombing” (available on GitHub), which was communicated as an “unfixable” method to inject code into a process's memory, and “undetectable” by anti-virus because they only do…