BAM parser
Description: A parser for the Background Activity Moderator (BAM) registry keys, designed with ScreenSharing use cases in mind. While the core parsing logic is partly visible (semi-open-source), many of the built-in generic detection rules are proprietary.
Features:
Parses BAM entries from the registry, correcting paths from \Device\HarddiskVolume format to standard drive letters.
Retrieves the last run time of the file and indicates whether it occurred within the current user logon session.
Performs digital signature checks (Authenticode/Catalog) for each existing executable file found in BAM entries.
Applies numerous generic detection rules (heuristics) to flag potentially suspicious entries based on characteristics common to cheats and malware.
Checks for file replacement patterns using USN Journal data for each file path.
Provides filtering options within the GUI (e.g., show only unsigned, only flagged, only in-instance).
Highlights entries associated with file replacements in red.
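The two core steps above (decoding the per-value timestamp and rewriting the kernel device path to a drive letter) are shown in the following Python example. It is an added illustration, not code from the BAM-parser project: the volume-to-letter table, the sample registry values, the logon time and the two heuristic rules are all constructed here, and the assumption that the first 8 bytes of each value's data hold a little-endian FILETIME of the last execution is labelled in the code. A live parser would read the values from HKLM\SYSTEM\CurrentControlSet\Services\bam\State\UserSettings\<SID> and resolve device names from the running system instead.

```python
import struct
from datetime import datetime, timedelta, timezone

# Assumed mapping from kernel device path to drive letter (constructed sample).
# A real parser resolves this live, e.g. via QueryDosDevice or HKLM\SYSTEM\MountedDevices.
VOLUME_MAP = {
    r"\Device\HarddiskVolume3": "C:",
    r"\Device\HarddiskVolume5": "D:",
}

# Constructed heuristic rules, not the tool's proprietary generics.
SUSPICIOUS_DIRS = ("\\temp\\", "\\downloads\\")

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(filetime: int) -> datetime:
    """Convert a Windows FILETIME (100-ns ticks since 1601-01-01 UTC) to an aware datetime."""
    return FILETIME_EPOCH + timedelta(microseconds=filetime // 10)


def datetime_to_filetime(dt: datetime) -> int:
    """Inverse of filetime_to_datetime; used here only to build sample registry data."""
    delta = dt.astimezone(timezone.utc) - FILETIME_EPOCH
    return (delta // timedelta(microseconds=1)) * 10


def normalize_path(value_name: str) -> str:
    """Rewrite \\Device\\HarddiskVolumeN\\... to a drive-letter path; leave unknown names alone."""
    lowered = value_name.lower()
    for device, letter in VOLUME_MAP.items():
        # Trailing backslash keeps HarddiskVolume3 from matching HarddiskVolume30.
        if lowered.startswith(device.lower() + "\\"):
            return letter + value_name[len(device):]
    return value_name


def heuristic_flags(path: str) -> list:
    """Cheap, constructed generics: unresolved device path, or execution from a temp/download dir."""
    flags = []
    if not (len(path) > 2 and path[1:3] == ":\\"):
        flags.append("unresolved device path (volume not mounted or removable)")
    lowered = path.lower()
    if any(marker in lowered for marker in SUSPICIOUS_DIRS):
        flags.append("executed from a temporary or download directory")
    return flags


def parse_bam_value(value_name: str, data: bytes, logon_time: datetime) -> dict:
    """Parse one BAM value: name is the executable path, data is the binary blob.

    Assumption: bytes 0..7 of the data are a little-endian FILETIME of the last run;
    the remaining bytes are ignored here.
    """
    if len(data) < 8:
        raise ValueError(f"BAM data for {value_name!r} is too short ({len(data)} bytes)")
    (filetime,) = struct.unpack_from("<Q", data, 0)
    last_run = filetime_to_datetime(filetime)
    path = normalize_path(value_name)
    return {
        "path": path,
        "last_run": last_run,
        "in_session": last_run >= logon_time,
        "flags": heuristic_flags(path),
    }


def _blob(dt: datetime) -> bytes:
    """Build a constructed 24-byte BAM value: FILETIME followed by 16 zero bytes."""
    return struct.pack("<Q", datetime_to_filetime(dt)) + b"\x00" * 16


# Constructed sample of one user's BAM key; the current logon began at 09:00 UTC.
LOGON_TIME = datetime(2024, 3, 1, 9, 0, tzinfo=timezone.utc)
SAMPLE_VALUES = {
    "Version": b"\x01\x00\x00\x00",  # DWORD housekeeping value, not an executable
    r"\Device\HarddiskVolume3\Windows\System32\notepad.exe":
        _blob(datetime(2024, 3, 1, 10, 30, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume3\Users\alice\AppData\Local\Temp\updater.exe":
        _blob(datetime(2024, 3, 1, 11, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume5\Tools\procexp64.exe":
        _blob(datetime(2024, 2, 28, 18, 0, tzinfo=timezone.utc)),
    r"\Device\HarddiskVolume9\loader.exe":
        _blob(datetime(2024, 3, 1, 11, 5, tzinfo=timezone.utc)),
}


def parse_all(values: dict = SAMPLE_VALUES, logon_time: datetime = LOGON_TIME) -> list:
    """Parse every path-named value in a BAM user key, skipping DWORD housekeeping values."""
    results = []
    for name, data in values.items():
        if not name.startswith("\\"):
            continue
        results.append(parse_bam_value(name, data, logon_time))
    return results


if __name__ == "__main__":
    for entry in parse_all():
        marker = "*" if entry["in_session"] else " "
        print(f"{marker} {entry['last_run']:%Y-%m-%d %H:%M}  {entry['path']}  {entry['flags']}")
```

The asterisk marks entries whose last run falls inside the current logon session, which is the same distinction the tool's "in-instance" filter makes; an unresolved device path is worth a second look because the volume that held the binary is no longer mounted.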
Usage Notes & Caveats:
Flags from 1-3 generics hitting a single file should not lead to immediate conclusions; manual verification is recommended.
The developer notes that some generics (A2, F-series) might have occasional false positives but are kept to maximize detection.
Allows copying the path of a selected cell using Ctrl + Left Click.
Usage: Useful for analyzing program execution evidence stored in the BAM keys, providing context like execution time, signature status, and heuristic flags for suspicious patterns, aiding in quick identification of potentially malicious executables.
Link: https://github.com/spokwn/BAM-parser