Hey all,
I used to use Process Explorer exclusively, but I now use Process Hacker. It has a lot of features that Process Explorer doesn't have. One such feature is the ability to highlight a process and have the executable sent to VirusTotal.. Process Hacker - http://processhacker.sourceforge.net/ From: [email protected] [mailto:[email protected]] On Behalf Of Josh Ciceraro Sent: Friday, February 12, 2010 9:59 PM To: PaulDotCom Security Weekly Mailing List Subject: Re: [Pauldotcom] Sysinternals Yes, process explorer actually is one of those tools. It shows processes that have packed images in them. Packed images are highlighted purple. There are some cool features in process explorer. Check out that link that was posted earlier in the thread by Tim ( http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359 ). The video is an hour and twelve minutes which may seem long but its got some really good information in it and Mark Russinovich (the author of these tools) goes over some of the sysinternals tools he uses along with his methodology for detecting and neutralizing malware (and even rootkit detection). On Fri, Feb 12, 2010 at 8:46 PM, Peter Fisher <[email protected]> wrote: Are any of the tools listed in this thread good for processes and services that aren't playing by the rules and are attempting to hide themselves? They seem like they are using all the Windows APIs that are used by task manager. On Fri, Feb 12, 2010 at 10:47 AM, craig bowser <[email protected]> wrote: don't forget that you can change the output on some of those tools and dump into a csv (i.e. psloglist). you also can pipe the output into find or findstr to look for specific items. You can create some great batch files to automate some tasks as well. reswob On Fri, Feb 12, 2010 at 8:28 AM, Josh Ciceraro <[email protected]> wrote: Another tool I like is streams. You can use this to scan for alternate data streams. I found netcat on a box with this once. On another note, has anyone ever looked at any of the Windows Internals Books? I am thinking about buying the 4th ( http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/r ef=sr_1_2?ie=UTF8 <http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/ ref=sr_1_2?ie=UTF8&s=books&qid=1265909914&sr=1-2> &s=books&qid=1265909914&sr=1-2 ) and 5th ( http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Develope r/dp/0735625301/ref=sr_1_1?ie=UTF8 <http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Develop er/dp/0735625301/ref=sr_1_1?ie=UTF8&s=books&qid=1265909914&sr=1-1> &s=books&qid=1265909914&sr=1-1 ) editions Thanks for the link to the malware analysis video. I started watching it last night and what little I saw I liked. Gonna finish it today at work. On Thu, Feb 11, 2010 at 8:52 PM, Tim Mugherini <[email protected]> wrote: For those who forget your USB drive of tools while on the job http://live.sysinternals.com/ Also if you like the tools - I came across this Malware Analysis video from Mark Russinovich (author of the sysinternals suite) a couple of years back. For those not familiar with the tools , its definitely worth a watch. My personal Fav tool/feature would be the dumping of strings from volatile memory using process explorer Here's the video http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359 On Thu, Feb 11, 2010 at 7:32 PM, Matthew Lye <[email protected]> wrote: > I went a cached the site, especially all the source code. > Never know if MS is going to let a good thing keep going. > -Matthew Lye > > You can do anything you set your mind to when you have vision, > determination, and and endless supply of expendable labor. > <No trees were harmed during this transmission. However, a great number of > electrons were terribly inconvenienced> > > > On Fri, Feb 12, 2010 at 6:41 AM, Jack Daniel <[email protected]> wrote: >> >> One thing MS did right when they bought Sysinternals was bundle all of >> the tools in a single compressed file for easier download. >> >> So, who else dropped everything a few years ago when the MS >> acquisition of Sysinternals was announced and downloaded copies of >> everything they could find? >> >> Jack >> >> >> On Thu, Feb 11, 2010 at 2:23 PM, Josh Ciceraro <[email protected]> >> wrote: >> > I always put process explorer on all of my machines. It puts the task >> > manager to shame. Microsoft should be embarrassed. Psexec is another >> > awesome tool. I have just recently started using process monitor and >> > the >> > information you can get from it is just awesome. >> > >> > On Thu, Feb 11, 2010 at 1:34 PM, Butturini, Russell >> > <[email protected]> wrote: >> >> >> >> Absolutely. Sysinternals tools are the BEST for forensics, >> >> troubleshooting, systems management.Anything under the sun! I use >> >> psinfo, >> >> psloggedon, pslist,listdlls, and logonsessions in my forensics toolkit, >> >> and >> >> use process explorer as well when investigating malware. >> >> >> >> >> >> >> >> ________________________________ >> >> >> >> From: [email protected] >> >> [mailto:[email protected]] On Behalf Of Tyler >> >> Robinson >> >> Sent: Thursday, February 11, 2010 12:27 PM >> >> To: PaulDotCom Security Weekly Mailing List >> >> Subject: Re: [Pauldotcom] Sysinternals >> >> >> >> >> >> >> >> From both a white and grey hat perspective I love erd commander and >> >> pstools especially psexec I would be lost without psexec. >> >> >> >> On Feb 11, 2010 11:23 AM, "Josh Ciceraro" <[email protected]> >> >> wrote: >> >> >> >> Hello, >> >> >> >> I was wondering if anyone here in the group uses any of the >> >> sysinternals >> >> tools and what are some favorites. I really like autoruns, process >> >> explorer, and process monitor. Disk2Vhd seems pretty promising, though >> >> I >> >> haven't played with it yet. >> >> >> >> -- >> >> kaizoku Josh >> >> >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> >> >> >> >> >> >> >> **************************************************************************** ** >> >> This email contains confidential and proprietary information and is not >> >> to >> >> be used or disclosed to anyone other than the named recipient of this >> >> email, >> >> and is to be used only for the intended purpose of this communication. >> >> >> >> >> >> **************************************************************************** ** >> >> >> >> _______________________________________________ >> >> Pauldotcom mailing list >> >> [email protected] >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> >> Main Web Site: http://pauldotcom.com >> > >> > >> > >> > -- >> > kaizoku Josh >> > >> > _______________________________________________ >> > Pauldotcom mailing list >> > [email protected] >> > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> > Main Web Site: http://pauldotcom.com >> > >> >> >> >> -- >> ______________________________________ >> Jack Daniel, Reluctant CISSP >> http://twitter.com/jack_daniel >> http://www.linkedin.com/in/jackadaniel >> http://blog.uncommonsensesecurity.com >> _______________________________________________ >> Pauldotcom mailing list >> [email protected] >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom >> Main Web Site: http://pauldotcom.com > > > _______________________________________________ > Pauldotcom mailing list > [email protected] > http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom > Main Web Site: http://pauldotcom.com > _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- kaizoku Josh _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com _______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com -- kaizoku Josh
_______________________________________________ Pauldotcom mailing list [email protected] http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom Main Web Site: http://pauldotcom.com
