A small POC of a technique to defend a webserver from malicious code execution originating from planted webshells
- Using winappdbg we look for a running IIS process (w3wp.exe)
- A breakpoint is set on
CreateProcessW - The
lpCommandLineparameter is examined, and if it looks malicious, we can null the pointer and execution will be prevented!
- Currently the way I'm checking if the process to be created is really naive, but it can be extended easily to include additional checks, for example a whitelist of file hashes permitted to execute from
w3wp.exe, a check against VT, etc...
