This post collects the things I was not aware of concerning the Sysinternals tools mentioned below, or that I simply found very useful as a refresher.

Reference:

Malware Hunting with the Sysinternals Tools
http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/SIA302

Quick Notes:

The following tools are interesting; each will be described in more detail later, when time allows.


listdlls (http://technet.microsoft.com/pl-pl/sysinternals/bb896656)

The following example prints a verbose list of the unsigned DLLs loaded into the process virus.exe.

listdlls -vu virus.exe

Note: ListDLLs can also show which processes have loaded a specified DLL.


strings (http://technet.microsoft.com/pl-pl/sysinternals/bb897439)

The following example searches the file virus.exe for strings containing "http" (case-insensitive, because of findstr -i).

Example usage:

strings virus.exe | findstr -i http
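As an added example (not from the original post), the following Python script reproduces what `strings virus.exe | findstr -i http` does, and additionally picks up UTF-16LE strings the way the Sysinternals tool does. The blob SAMPLE is constructed for the demo; pass a file path to scan a real file instead.

```python
import re
import sys
from typing import Iterator, List

MIN_LEN = 3  # minimum string length; Sysinternals strings defaults to 3 as well

# A run of printable ASCII (space..tilde) at least MIN_LEN characters long
ASCII_RE = re.compile(rb"[\x20-\x7e]{%d,}" % MIN_LEN)
# The same run stored as UTF-16LE: every printable byte is followed by a NUL byte
UTF16_RE = re.compile(rb"(?:[\x20-\x7e]\x00){%d,}" % MIN_LEN)


def extract_strings(data: bytes) -> Iterator[str]:
    """Yield every ASCII and UTF-16LE string in data, ordered by file offset."""
    hits = [(m.start(), m.group().decode("ascii")) for m in ASCII_RE.finditer(data)]
    hits += [(m.start(), m.group().decode("utf-16-le")) for m in UTF16_RE.finditer(data)]
    for _, text in sorted(hits):
        yield text


def grep_strings(data: bytes, needle: str) -> List[str]:
    """Equivalent of `strings file | findstr -i needle`: case-insensitive substring match."""
    needle = needle.lower()
    return [s for s in extract_strings(data) if needle in s.lower()]


# Constructed sample blob (not a real binary): binary noise, an ASCII URL,
# a two-letter fragment below MIN_LEN, a UTF-16LE URL as Windows programs
# often store them, and an import name
SAMPLE = (
    b"MZ\x90\x00\x03\x00" + b"\xff\x00" * 4
    + b"http://example.invalid/update.php\x00"
    + b"\x01\x02ok\x03"
    + "HTTPS://cdn.example.invalid/".encode("utf-16-le") + b"\x00\x00"
    + b"kernel32.dll\x00"
)

if __name__ == "__main__":
    # With a file path argument the real file is scanned; otherwise the sample blob is used
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for s in grep_strings(blob, "http"):
        print(s)
```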

sigcheck (http://technet.microsoft.com/pl-pl/sysinternals/bb897441)

____________ Process Explorer (http://technet.microsoft.com/pl-pl/sysinternals/bb896653)

Lets you inspect the strings of packed processes (Strings > Memory tab), since those strings become visible only once the image has been unpacked in memory.

Autostart Location column
Violet highlighting marks packed processes
Process Timeline

____ Ctrl+D – DLL view – combine it with signature verification and inspect the strings of
particular DLLs loaded into the process

Suspend processes that run as a buddy pair (each watching the other; if one is killed, the other restarts it automatically). Suspended processes do not monitor each other, so you will then be able to stop them.

____________ Autoruns (http://technet.microsoft.com/pl-pl/sysinternals/bb963902)

Filter – you can hide Microsoft and verified (signed) entries!
You can also filter by the user under which the entries start.

____________ Process Monitor (http://technet.microsoft.com/pl-pl/sysinternals/bb896645)

Filter – Category is Write (very useful when troubleshooting malware)
Process Tree – especially the Life Time column
Check the command line that was executed

_________________________ additional tools and tips

Use the Desktops tool: some malware monitors strings on the main desktop only, so you should be able to start your tools from a second desktop.
There is only ever one legitimate lsass.exe process, so a second one deserves a close look.

P.S. More details and comments will come when time allows.


Kind Regards,

Witold Lawacz (Ławacz)