This post collects the things I was not aware of about the Sysinternals tools mentioned below, plus a few I simply found useful enough to refresh my knowledge of.
Malware Hunting with the Sysinternals Tools
The following tools are interesting; all will be described in more detail later, when time allows.
____________ ListDlls and Strings
The following example lists, verbosely, the unsigned DLLs loaded in the process virus.exe:
listdlls -vu virus.exe
Note: ListDlls can also show which processes have loaded a specified DLL.
The following example searches the file virus.exe for printable strings containing “http”:
strings virus.exe | findstr -i http
____________ Process Explorer (http://technet.microsoft.com/pl-pl/sysinternals/bb896653)
Lets you inspect the strings of packed processes (Strings tab > Memory option), since those strings are only visible after the image has been unpacked in memory.
Violet colouring marks packed processes.
____ Ctrl+D – DLL view: use it together with signature verification and inspect the strings of the particular DLLs loaded into the process.
Suspend processes instead of killing them when they run as a “buddy” pair (one watching the other: if one gets killed, the other restarts it automatically). Suspended processes cannot monitor each other, so you will then be able to stop them.
____________ Autoruns (http://technet.microsoft.com/pl-pl/sysinternals/bb963902)
Filter – you can hide Microsoft entries and verified (signed) entries!
You can also filter by the user whose autostart entries are shown.
____________Process Monitor (http://technet.microsoft.com/pl-pl/sysinternals/bb896645)
Filter – “Category is Write” shows only operations that modify something (very useful when troubleshooting a virus).
Process Tree – especially the Life Time column, which shows how long each process ran.
Check the Command Line column to see exactly what got executed.
_________________________ additional tools and tips
Use the tool called Desktops: some malware monitors strings on the main desktop only, so you should be able to start your applications from a second desktop.
There is only ever one legitimate lsass.exe process.
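As an added example (not code from the original post), the two checks above that are easiest to script, “only one lsass.exe” and “which unsigned DLLs is this process loading” (the listdlls -vu case from the start of the post), in PowerShell. The process name is a parameter; the default virus.exe is only the placeholder name used in the post, and Get-AuthenticodeSignature stands in for the -u (unsigned only) switch.

```powershell
# Added example (not from the original post): quick triage script reproducing
# the "single lsass.exe" and "unsigned loaded DLLs" checks. The default process
# name is the post's placeholder; pass -ProcessName to inspect something else.
param(
    [string]$ProcessName = "virus.exe"
)

# Check 1: there must be exactly one lsass.exe. More than one is a red flag.
$lsass = @(Get-Process -Name lsass -ErrorAction SilentlyContinue)
if ($lsass.Count -eq 0) {
    Write-Warning "No lsass.exe found (unexpected on a running Windows system)."
} elseif ($lsass.Count -gt 1) {
    Write-Warning ("{0} lsass.exe processes found; only one is legitimate:" -f $lsass.Count)
    $lsass | Select-Object Id, Path, StartTime | Format-Table -AutoSize
} else {
    Write-Host ("OK: single lsass.exe (PID {0})" -f $lsass[0].Id)
}

# Check 2: list modules loaded into the target process whose Authenticode
# signature is not valid (the equivalent of "listdlls -vu <process>").
# Get-Process -Name wants the name without ".exe".
$baseName = [System.IO.Path]::GetFileNameWithoutExtension($ProcessName)
$targets = @(Get-Process -Name $baseName -ErrorAction SilentlyContinue)
if ($targets.Count -eq 0) {
    Write-Host "No running process named $ProcessName."
    return
}
foreach ($p in $targets) {
    Write-Host ("`nProcess {0} (PID {1})" -f $p.ProcessName, $p.Id)
    # .Modules needs access rights to the target and fails on a 32/64-bit
    # mismatch between this PowerShell and the target, hence the try/catch.
    try { $mods = $p.Modules } catch { Write-Warning "Cannot enumerate modules: $_"; continue }
    $unsigned = foreach ($m in $mods) {
        # Catalog-signed Windows DLLs report 'Valid' here as well; anything
        # else (NotSigned, HashMismatch, UnknownError ...) is listed.
        $sig = Get-AuthenticodeSignature -FilePath $m.FileName
        if ($sig.Status -ne 'Valid') {
            [pscustomobject]@{
                Module = $m.ModuleName
                Path   = $m.FileName
                Status = $sig.Status
                Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '-' }
            }
        }
    }
    if ($unsigned) { $unsigned | Format-Table -AutoSize }
    else { Write-Host "All loaded modules carry a valid signature." }
}
```

Run it from an elevated PowerShell so that module enumeration succeeds for processes owned by other users.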
P.S. More details and comments will come when time allows.
Witold Lawacz (Ławacz)