you can see that services.exe is a child process of winlogon.exe, as indicated by the left curly bracket. opens when you double-click a process name. This window can provide some particularly useful information about your subject malware. The Threads tab shows all active threads, the TCP/IP tab displays active connections or ports on which the process is listening, and the Image tab (opened in the figure) shows the path on disk to the executable., the svchost.exe process is verified, yet it is actually malware. We’ll discuss process replacement in more detail in .. If the two string listings are drastically different, process replacement may have occurred. This string discrepancy is displayed in . For example, the string FAVORITES.DAT appears multiple times in the right half of the figure (svchost.exe in memory), but it cannot be found in the left half of the figure (svchost.exe on disk).
Process Explorer allows you to launch depends.exe (Dependency Walker) on a running process by right-clicking a process name and selecting Launch Depends. It also lets you search for a handle or DLL by choosing Find ▶ Find Handle or DLL.
The Find DLL option is particularly useful when you find a malicious DLL on disk and want to know if any running processes use that DLL. The Verify button verifies the EXE file on disk, but not every DLL loaded during runtime. To determine whether a DLL is loaded into a process after load time, you can compare the DLL list in Process Explorer to the imports shown in Dependency Walker.
You can also use Process Explorer to analyze malicious documents, such as PDFs and Word documents. A quick way to determine whether a document is malicious is to open Process Explorer and then open the suspected malicious document. If the document launches any processes, you should see them in Process Explorer, and be able to locate the malware on disk via the Image tab of the Properties window.
Note
Opening a malicious document while using monitoring tools can be a quick way to determine whether a document is malicious; however, you will have success running only vulnerable versions of the document viewer. In practice, it is best to use intentionally unpatched versions of the viewing application to ensure that the exploitation will be successful. The easiest way to do this is with multiple snapshots of your analysis virtual machine, each with old versions of document viewers such as Adobe Reader and Microsoft Word.
Войти в систему
Войти с помощью соц. сетей:
. If the two string listings are drastically different, process replacement may have occurred. This string discrepancy is displayed in . For example, the string FAVORITES.DAT appears multiple times in the right half of the figure (svchost.exe in memory), but it cannot be found in the left half of the figure (svchost.exe on disk).
Process Explorer allows you to launch depends.exe (Dependency Walker) on a running process by right-clicking a process name and selecting Launch Depends. It also lets you search for a handle or DLL by choosing Find ▶ Find Handle or DLL.
The Find DLL option is particularly useful when you find a malicious DLL on disk and want to know if any running processes use that DLL. The Verify button verifies the EXE file on disk, but not every DLL loaded during runtime. To determine whether a DLL is loaded into a process after load time, you can compare the DLL list in Process Explorer to the imports shown in Dependency Walker.
You can also use Process Explorer to analyze malicious documents, such as PDFs and Word documents. A quick way to determine whether a document is malicious is to open Process Explorer and then open the suspected malicious document. If the document launches any processes, you should see them in Process Explorer, and be able to locate the malware on disk via the Image tab of the Properties window.
Note
Opening a malicious document while using monitoring tools can be a quick way to determine whether a document is malicious; however, you will have success running only vulnerable versions of the document viewer. In practice, it is best to use intentionally unpatched versions of the viewing application to ensure that the exploitation will be successful. The easiest way to do this is with multiple snapshots of your analysis virtual machine, each with old versions of document viewers such as Adobe Reader and Microsoft Word.
Войти в систему
Войти с помощью соц. сетей: