Nir Sofer makes a number of Windows utilities, which he distributes for free on the NirSoft website. This post takes a quick look at 3 of his tools, ProcessActivityView, RegFromApp and ProcessThreadsView, which can be handy when analyzing malware from a behavioral perspective. These programs can be a useful supplement to Microsoft's Process Monitor and Process Explorer tools.

ProcessActivityView delineates which files and folders the designated process attempts to access. It allows you to begin tracing an existing process by letting you select it from a listing of active processes. The tool also allows you to start a new process and begin tracing it immediately.

ProcessActivityView displays a real-time log of the file system activity associated with the monitored process. In addition to displaying the file path, the tool tracks how many times the file was opened, how many bytes were read and written, etc. It also displays the DLL that made the last open-file call.

RegFromApp monitors registry activities of the designated process, displaying a log of registry changes. This can be a quick way to observe how a malicious program attempts to change the registry. Like with ProcessActivityView, you can point RegFromApp to an existing process or tell it to launch the specified executable and begin tracing it immediately. In addition, while monitoring the process, you can take a snapshot of the registry changes for later analysis or for creating a script of the changes for other systems.

Next, ensure "Display only keys that their modified time is within the following range" is checked. By default this will look for Registry keys which have changed in the last hour, but that.

ProcessThreadsView is designed similarly to ProcessActivityView and RegFromApp, letting you monitor existing processes or trace new ones. When active, this tool displays information about the threads of the designated process, including strings found on the stack of each thread and much more.

ProcessActivityView, RegFromApp and ProcessThreadsView are quick and easy to use and give you some visibility into the registry and file system capabilities of malicious programs. However, they generally aren't as comprehensive as Process Monitor and, to some extent, Process Explorer. I consider them "second opinion" tools, and like having them as part of my malware analysis toolkit.

Just so you know, I teach the malware analysis course at SANS Institute.

Related posts: Process Monitor Filters for Malware Analysis and Forensics. Using Netsh for Easier Network Setup in a Malware Lab. Process Hacker as an Alternative to Process Explorer.