Security Incidents mailing list archives

parsing output from tools


From: H C <keydet89 () yahoo com>
Date: Tue, 28 May 2002 18:35:05 -0700 (PDT)

I recently had the opportunity to review some data
from a supposedly "hacked" box.  One of the things I
ran into was the difficulty of parsing through data
from various tools.  For example, to get a good
picture of what's going on on an NT/2K system, I'd run
handle.exe, pslist.exe, listdlls.exe, fport.exe and
'netstat -an'.  But how to parse through all that?  I
found that printing it out and going back and forth
between pages could be tedious.

What I did was write a script called 'procdmp.pl'. 
It's located here:

http://patriot.net/~carvdawg/perl.html

You use it like this...you run each tool, redirecting
the output to a file.  When you run handle.exe, the
command looks like this:

handle > handle.log

(NOTE: In this iteration of the script, file names are
hard coded.)

When you launch the script, it will parse through the
data and return an HTML file containing tables for
each process.  The tables contain the process name and
PID, the commandline for the process, the user
context, and (if any) open ports and connections.

I'm providing it for those who want to use it.  I
thought that after reading many of the posts here it
might be useful.


----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com
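Added example (not part of the post, and not the procdmp.pl script it links to): the same correlation idea in Python rather than Perl. It reads the redirected output of listdlls, handle, fport and 'netstat -an', joins them on PID, keys fport's port list into netstat's socket table on (protocol, local port), and emits one HTML table per process with name, PID, command line, user context and any ports/connections. The sample logs are constructed and only approximate the column layout those tools printed on NT/2K; the nc listener is an illustrative entry, not data from the post.

```python
"""Correlate listdlls, handle, fport and 'netstat -an' output by PID and emit
one HTML table per process. Added example, not procdmp.pl; the sample logs are
constructed and only approximate the column layout of the real tools."""
import html
import re
from collections import defaultdict

LISTDLLS_LOG = """\
svchost.exe pid: 392
Command line: C:\\WINNT\\system32\\svchost.exe -k rpcss

nc.exe pid: 1388
Command line: nc -L -p 31337 -e cmd.exe
"""
HANDLE_LOG = """\
------------------------------------------------------------------------------
svchost.exe pid: 392 NT AUTHORITY\\SYSTEM
   1c: File          C:\\WINNT\\system32
nc.exe pid: 1388 VICTIM\\Administrator
   10: File          C:\\WINNT\\system32
"""
FPORT_LOG = """\
Pid   Process            Port  Proto Path
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
8     System         ->  139   TCP
1388  nc             ->  31337 TCP   C:\\WINNT\\system32\\nc.exe
"""
NETSTAT_LOG = """\
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:31337          0.0.0.0:0              LISTENING
  TCP    192.168.1.5:31337      10.0.0.9:4123          ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""
# listdlls and handle both introduce a process as '<image> pid: N [user]'.
PID_HDR = re.compile(r"^(\S+) pid: (\d+)(?:\s+(.*))?$")

def blank(name="?"):
    return {"name": name, "cmdline": "", "user": "", "ports": [], "conns": []}

def parse_headers(text):
    """Map pid -> {name, user?, cmdline?} from listdlls or handle output."""
    info, pid = {}, None
    for line in text.splitlines():
        m = PID_HDR.match(line)
        if m:
            pid = int(m.group(2))
            info.setdefault(pid, {"name": m.group(1)})
            if m.group(3):
                info[pid]["user"] = m.group(3).strip()
        elif pid is not None and line.startswith("Command line:"):
            info[pid]["cmdline"] = line.split(":", 1)[1].strip()
    return info

def parse_fport(text):
    """Map pid -> [(name, proto, port), ...] from 'Pid Process -> Port Proto' rows."""
    ports = defaultdict(list)
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) >= 5 and parts[0].isdigit() and parts[2] == "->":
            ports[int(parts[0])].append((parts[1], parts[4], int(parts[3])))
    return ports

def parse_netstat(text):
    """Map (proto, local port) -> ['local <-> foreign state', ...]; UDP has no state."""
    socks = defaultdict(list)
    for parts in (ln.split() for ln in text.splitlines()):
        if len(parts) >= 3 and parts[0] in ("TCP", "UDP") and ":" in parts[1]:
            lport = int(parts[1].rsplit(":", 1)[1])
            socks[(parts[0], lport)].append(" ".join([parts[1], "<->"] + parts[2:4]))
    return socks

def correlate(listdlls, handle, fport, netstat):
    """Join every tool's view on PID; fport's ports key into netstat's sockets."""
    procs = {}
    for log in (listdlls, handle):
        for pid, info in parse_headers(log).items():
            procs.setdefault(pid, blank(info.pop("name"))).update(info)
    socks = parse_netstat(netstat)
    for pid, plist in parse_fport(fport).items():
        p = procs.setdefault(pid, blank(plist[0][0]))
        for _, proto, port in plist:
            p["ports"].append(f"{proto}/{port}")
            p["conns"].extend(socks.get((proto, port), []))
    return procs

def render_html(procs):
    """One table per process. Escape every field: command lines and user names
    come from a possibly compromised host and must not be rendered as markup."""
    e, out = html.escape, ["<html><body>"]
    for pid in sorted(procs):
        p = procs[pid]
        rows = [("Command line", e(p["cmdline"])), ("User", e(p["user"])),
                ("Ports", e(", ".join(p["ports"]))),
                ("Connections", "<br>".join(e(c) for c in p["conns"]))]
        out.append(f'<h2>{e(p["name"])} (PID {pid})</h2><table border="1">')
        out += [f"<tr><td>{k}</td><td>{v}</td></tr>" for k, v in rows]
        out.append("</table>")
    return "\n".join(out + ["</body></html>"])

if __name__ == "__main__":
    print(render_html(correlate(LISTDLLS_LOG, HANDLE_LOG, FPORT_LOG, NETSTAT_LOG)))
```

Two practical points this makes visible. fport only knows PID and port while netstat only knows addresses and state, so the join has to go through (protocol, local port); a process with a listener and several accepted connections therefore gets all of them under its table. And because each tool was run at a different instant, a short-lived connection can show up in netstat's output with no owning PID in fport's (or vice versa); the script simply leaves that row unattached rather than guessing. Everything written into the report is HTML-escaped, since a command line taken off a hacked box is attacker-controlled text that the analyst will open in a browser.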
