PE Capture is a Windows application whose main purpose is to capture PE files (executables, DLLs and drivers) as they are loaded on the system. It saves a copy of each loaded PE file, renamed to its file hash, in the "Intercepted" folder for further analysis, and it also logs the execution events so that a specific captured PE file can be found again easily.
There are two versions of this tool, a completely free version and a second one that runs as a Windows service called PE Capture Service. The service offering is free for personal use but a license is required for deployments in corporate environments.
http://www.novirusthanks.org/products/pe-capture/
http://www.novirusthanks.org/products/pe-capture-service/
https://isc.sans.edu/diary/Hunting+for+Executable+Code+in+Windows+Environments/20745
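As an added example (not part of the original post and not code from the PE Capture tool), a small Python triage helper for an "Intercepted" folder: it checks that each saved file's name really is the digest of its content (the post does not say which hash algorithm is used for the name, so MD5, SHA-1 and SHA-256 are accepted by digest length as an assumption) and classifies each image as EXE, DLL or driver from its PE header. The sample PE bytes are constructed for offline testing and are not a real binary.

```python
import hashlib
import struct

# Hex digest length -> algorithm. Assumption: the page does not state which
# hash PE Capture uses for the file name, so all three are accepted.
HASH_BY_LEN = {32: "md5", 40: "sha1", 64: "sha256"}

IMAGE_FILE_DLL = 0x2000          # COFF Characteristics flag for DLL images
IMAGE_SUBSYSTEM_NATIVE = 1       # Subsystem used by kernel drivers / native images


def verify_capture(filename, data):
    """True if the captured file's name (without extension) is the hex digest of its content."""
    stem = filename.rsplit(".", 1)[0].lower()
    algo = HASH_BY_LEN.get(len(stem))
    if algo is None:
        return False
    return hashlib.new(algo, data).hexdigest() == stem


def classify_pe(data):
    """Return 'exe', 'dll' or 'driver' for a PE image, or 'not-pe' if the headers are invalid."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return "not-pe"
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    # PE signature (4) + COFF header (20) precede the optional header; Subsystem is at +68.
    if e_lfanew + 24 + 70 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return "not-pe"
    characteristics = struct.unpack_from("<H", data, e_lfanew + 4 + 18)[0]
    subsystem = struct.unpack_from("<H", data, e_lfanew + 24 + 68)[0]
    if subsystem == IMAGE_SUBSYSTEM_NATIVE:
        return "driver"
    if characteristics & IMAGE_FILE_DLL:
        return "dll"
    return "exe"


def build_sample_pe(is_dll=False, subsystem=2):
    """Constructed minimal PE32+ header (DOS stub + COFF + optional header), for testing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                     # e_lfanew -> right after DOS header
    flags = 0x22 | (IMAGE_FILE_DLL if is_dll else 0)            # EXECUTABLE_IMAGE | LARGE_ADDRESS_AWARE
    coff = struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 0xF0, flags)
    opt = bytearray(0xF0)
    struct.pack_into("<H", opt, 0, 0x20B)                       # PE32+ magic
    struct.pack_into("<H", opt, 68, subsystem)                  # Subsystem field
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def triage(captures):
    """captures: {filename: content bytes} -> {filename: (hash name matches, image kind)}."""
    return {name: (verify_capture(name, blob), classify_pe(blob)) for name, blob in captures.items()}
```

In practice `captures` would be built by reading every file under the Intercepted folder; a name whose digest does not match the content means the sample was altered or misnamed after capture.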