Thanks for the tip about Process Hacker.  I have never heard of it but after
a little googling it sounds like it may be something worth looking into.  I
am always looking for more tools to add to the toolbox.

On Sun, Feb 14, 2010 at 7:48 PM, MattNels <[email protected]> wrote:

>  Hey all,
>
> I used to use Process Explorer exclusively, but I now use Process Hacker.
> It has a lot of features that Process Explorer doesn’t have. One such
> feature is the ability to highlight a process and have the executable sent
> to VirusTotal….
>
> Process Hacker - http://processhacker.sourceforge.net/
>
> *From:* [email protected] [mailto:[email protected]] *On Behalf Of *Josh Ciceraro
> *Sent:* Friday, February 12, 2010 9:59 PM
> *To:* PaulDotCom Security Weekly Mailing List
> *Subject:* Re: [Pauldotcom] Sysinternals
>
> Yes, process explorer actually is one of those tools.  It shows processes
> that have packed images in them.  Packed images are highlighted purple.
> There are some cool features in process explorer.  Check out that link that
> was posted earlier in the thread by Tim (
> http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359 ).  The
> video is an hour and twelve minutes, which may seem long, but it's got some
> really good information in it and Mark Russinovich (the author of these
> tools) goes over some of the sysinternals tools he uses along with his
> methodology for detecting and neutralizing malware (and even rootkit
> detection).
>
> On Fri, Feb 12, 2010 at 8:46 PM, Peter Fisher <[email protected]> wrote:
>
> Are any of the tools listed in this thread good for processes and services
> that aren't playing by the rules and are attempting to hide themselves? They
> seem like they are using all the Windows APIs that are used by task manager.
>
> On Fri, Feb 12, 2010 at 10:47 AM, craig bowser <[email protected]> wrote:
>
> Don't forget that you can change the output on some of those tools and dump
> it into a CSV (e.g. psloglist).  You can also pipe the output into find or
> findstr to look for specific items.
>
> You can create some great batch files to automate some tasks as well.
>
> reswob
>
> On Fri, Feb 12, 2010 at 8:28 AM, Josh Ciceraro <[email protected]>
> wrote:
>
> Another tool I like is streams.  You can use this to scan for alternate
> data streams.  I found netcat on a box with this once.  On another note, has
> anyone ever looked at any of the Windows Internals Books?  I am thinking
> about buying the 4th (
> http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/ref=sr_1_2?ie=UTF8&s=books&qid=1265909914&sr=1-2)
>  and 5th (
> http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301/ref=sr_1_1?ie=UTF8&s=books&qid=1265909914&sr=1-1)
>  editions
>
> Thanks for the link to the malware analysis video.  I started watching it
> last night and what little I saw I liked.  Gonna finish it today at work.
>
>  On Thu, Feb 11, 2010 at 8:52 PM, Tim Mugherini <[email protected]>
> wrote:
>
> For those who forget your USB drive of tools while on the job
>
> http://live.sysinternals.com/
>
> Also, if you like the tools, I came across this Malware Analysis video
> from Mark Russinovich (author of the sysinternals suite) a couple of
> years back. For those not familiar with the tools, it's definitely
> worth a watch.
>
> My personal Fav tool/feature would be the dumping of strings from
> volatile memory using process explorer
>
> Here's the video
>
> http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359
>
> On Thu, Feb 11, 2010 at 7:32 PM, Matthew Lye <[email protected]> wrote:
> > I went and cached the site, especially all the source code.
> > Never know if MS is going to let a good thing keep going.
> > -Matthew Lye
> >
> > You can do anything you set your mind to when you have vision,
> > determination, and an endless supply of expendable labor.
> > <No trees were harmed during this transmission. However, a great number of
> > electrons were terribly inconvenienced>
> >
> > On Fri, Feb 12, 2010 at 6:41 AM, Jack Daniel <[email protected]> wrote:
> >>
> >> One thing MS did right when they bought Sysinternals was bundle all of
> >> the tools in a single compressed file for easier download.
> >>
> >> So, who else dropped everything a few years ago when the MS
> >> acquisition of Sysinternals was announced and downloaded copies of
> >> everything they could find?
> >>
> >> Jack
> >>
> >>
> >> On Thu, Feb 11, 2010 at 2:23 PM, Josh Ciceraro <[email protected]> wrote:
> >> > I always put process explorer on all of my machines.  It puts the task
> >> > manager to shame.  Microsoft should be embarrassed.  Psexec is another
> >> > awesome tool.  I have just recently started using process monitor and
> >> > the
> >> > information you can get from it is just awesome.
> >> >
> >> > On Thu, Feb 11, 2010 at 1:34 PM, Butturini, Russell
> >> > <[email protected]> wrote:
> >> >>
> >> >> Absolutely.  Sysinternals tools are the BEST for forensics,
> >> >> troubleshooting, systems management…Anything under the sun! I use
> >> >> psinfo, psloggedon, pslist, listdlls, and logonsessions in my forensics
> >> >> toolkit, and use process explorer as well when investigating malware.
> >> >>
> >> >> ________________________________
> >> >>
> >> >> From: [email protected] [mailto:[email protected]] On Behalf Of Tyler Robinson
> >> >> Sent: Thursday, February 11, 2010 12:27 PM
> >> >> To: PaulDotCom Security Weekly Mailing List
> >> >> Subject: Re: [Pauldotcom] Sysinternals
> >> >>
> >> >> From both a white and grey hat perspective I love erd commander and
> >> >> pstools, especially psexec.  I would be lost without psexec.
> >> >>
> >> >> On Feb 11, 2010 11:23 AM, "Josh Ciceraro" <[email protected]>
> >> >> wrote:
> >> >>
> >> >> Hello,
> >> >>
> >> >> I was wondering if anyone here in the group uses any of the
> >> >> sysinternals tools and what are some favorites.  I really like autoruns,
> >> >> process explorer, and process monitor.  Disk2Vhd seems pretty promising,
> >> >> though I haven't played with it yet.
> >> >>
> >> >> --
> >> >> kaizoku Josh
> >> >>
> >> >> _______________________________________________
> >> >> Pauldotcom mailing list
> >> >> [email protected]
> >> >> http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
> >> >> Main Web Site: http://pauldotcom.com
> >> >
> >> > --
> >> > kaizoku Josh
> >>
> >> --
> >> ______________________________________
> >> Jack Daniel, Reluctant CISSP
> >> http://twitter.com/jack_daniel
> >> http://www.linkedin.com/in/jackadaniel
> >> http://blog.uncommonsensesecurity.com
> >
>
>   --
> kaizoku Josh
>
> --
> kaizoku Josh
>



-- 
kaizoku Josh
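As an added example that is not part of the thread above and not the Sysinternals streams tool itself: the following PowerShell does what streams.exe is being used for in the thread, walking a directory tree and reporting every file that carries a named NTFS alternate data stream besides the default ::$DATA. It uses only the built-in -Stream parameter of the FileSystem provider (PowerShell 3.0 and later). The temp directory, the two sample files and the planted 'payload.exe' stream are constructed here purely for demonstration; the function name Find-AlternateDataStreams is my own.

```powershell
# Added example: enumerate NTFS alternate data streams with built-in PowerShell
# (Get-Item -Stream, PowerShell 3.0+) rather than Sysinternals streams.exe.
# Assumes an NTFS volume; the sample files and the planted stream are constructed below.

function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Zone.Identifier is written by browsers on downloaded files and is usually benign;
        # it is filtered out unless -IncludeZoneIdentifier is given.
        [switch] $IncludeZoneIdentifier
    )
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream of the file; ':$DATA' is its ordinary content.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                Where-Object { $IncludeZoneIdentifier -or $_.Stream -ne 'Zone.Identifier' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# --- constructed demonstration: plant an ADS, find it, read it, remove it ---
$demo = Join-Path ([System.IO.Path]::GetTempPath()) ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $demo | Out-Null
$clean = Join-Path $demo 'readme.txt'
$dirty = Join-Path $demo 'notes.txt'
Set-Content -LiteralPath $clean -Value 'nothing to see here'
Set-Content -LiteralPath $dirty -Value 'looks like an ordinary note'
# The hidden stream: in a real case this is where a binary such as netcat gets stashed.
Set-Content -LiteralPath $dirty -Stream 'payload.exe' -Value 'MZ... pretend this is an executable'

# Report every file in the tree that carries a named stream (only notes.txt should appear;
# the normal directory listing and the file sizes give no hint that it is there).
Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize

# Inspect the stream's content, then strip it without touching the file's own data.
Get-Content -LiteralPath $dirty -Stream 'payload.exe'
Remove-Item -LiteralPath $dirty -Stream 'payload.exe'
Find-AlternateDataStreams -Path $demo | Format-Table -AutoSize

Remove-Item -LiteralPath $demo -Recurse -Force
```

Two caveats when using this on a live box: alternate data streams exist only on NTFS, so a FAT-formatted USB drive will never show any, and a file's reported size and Explorer listing do not include its streams, which is exactly why a dedicated sweep is needed. Directories can carry streams too; drop the -File switch from Get-ChildItem to include them.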