PaulDotCom mailing list archives
Sysinternals
From: josh.ciceraro at gmail.com (Josh Ciceraro)
Date: Fri, 12 Feb 2010 22:59:00 -0500
Yes, process explorer actually is one of those tools. It shows processes that have packed images in them. Packed images are highlighted purple. There are some cool features in process explorer. Check out that link that was posted earlier in the thread by Tim ( http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359 ). The video is an hour and twelve minutes, which may seem long, but it's got some really good information in it, and Mark Russinovich (the author of these tools) goes over some of the sysinternals tools he uses along with his methodology for detecting and neutralizing malware (and even rootkit detection).

On Fri, Feb 12, 2010 at 8:46 PM, Peter Fisher <peter at phyn3t.com> wrote:
Are any of the tools listed in this thread good for processes and services that aren't playing by the rules and are attempting to hide themselves? They seem like they are using all the Windows APIs that are used by task manager.

On Fri, Feb 12, 2010 at 10:47 AM, craig bowser <reswob10 at gmail.com> wrote:

Don't forget that you can change the output on some of those tools and dump into a csv (i.e. psloglist). You also can pipe the output into find or findstr to look for specific items. You can create some great batch files to automate some tasks as well.

reswob

On Fri, Feb 12, 2010 at 8:28 AM, Josh Ciceraro <josh.ciceraro at gmail.com> wrote:

Another tool I like is streams. You can use this to scan for alternate data streams. I found netcat on a box with this once.

On another note, has anyone ever looked at any of the Windows Internals books? I am thinking about buying the 4th ( http://www.amazon.com/Microsoft-Windows-Internals-4th-Server/dp/0735619174/ref=sr_1_2?ie=UTF8&s=books&qid=1265909914&sr=1-2 ) and 5th ( http://www.amazon.com/Windows%C2%AE-Internals-Including-Windows-PRO-Developer/dp/0735625301/ref=sr_1_1?ie=UTF8&s=books&qid=1265909914&sr=1-1 ) editions.

Thanks for the link to the malware analysis video. I started watching it last night and what little I saw I liked. Gonna finish it today at work.

On Thu, Feb 11, 2010 at 8:52 PM, Tim Mugherini <gbugbear at gmail.com> wrote:

For those who forget your USB drive of tools while on the job: http://live.sysinternals.com/

Also, if you like the tools - I came across this Malware Analysis video from Mark Russinovich (author of the sysinternals suite) a couple of years back. For those not familiar with the tools, it's definitely worth a watch.

My personal fav tool/feature would be the dumping of strings from volatile memory using process explorer.

Here's the video: http://www.microsoft.com/emea/spotlight/sessionh.aspx?videoid=359

On Thu, Feb 11, 2010 at 7:32 PM, Matthew Lye <lyematt at gmail.com> wrote:

I went and cached the site, especially all the source code. Never know if MS is going to let a good thing keep going.

-Matthew Lye

You can do anything you set your mind to when you have vision, determination, and an endless supply of expendable labor.
<No trees were harmed during this transmission. However, a great number of electrons were terribly inconvenienced>

On Fri, Feb 12, 2010 at 6:41 AM, Jack Daniel <jackadaniel at gmail.com> wrote:

One thing MS did right when they bought Sysinternals was bundle all of the tools in a single compressed file for easier download.

So, who else dropped everything a few years ago when the MS acquisition of Sysinternals was announced and downloaded copies of everything they could find?

Jack

--
______________________________________
Jack Daniel, Reluctant CISSP
http://twitter.com/jack_daniel
http://www.linkedin.com/in/jackadaniel
http://blog.uncommonsensesecurity.com

On Thu, Feb 11, 2010 at 2:23 PM, Josh Ciceraro <josh.ciceraro at gmail.com> wrote:

I always put process explorer on all of my machines. It puts the task manager to shame. Microsoft should be embarrassed. Psexec is another awesome tool. I have just recently started using process monitor, and the information you can get from it is just awesome.

On Thu, Feb 11, 2010 at 1:34 PM, Butturini, Russell <Russell.Butturini at healthways.com> wrote:

Absolutely. Sysinternals tools are the BEST for forensics, troubleshooting, systems management... anything under the sun! I use psinfo, psloggedon, pslist, listdlls, and logonsessions in my forensics toolkit, and use process explorer as well when investigating malware.

________________________________
From: pauldotcom-bounces at mail.pauldotcom.com [mailto:pauldotcom-bounces at mail.pauldotcom.com] On Behalf Of Tyler Robinson
Sent: Thursday, February 11, 2010 12:27 PM
To: PaulDotCom Security Weekly Mailing List
Subject: Re: [Pauldotcom] Sysinternals

From both a white and grey hat perspective I love erd commander and pstools, especially psexec. I would be lost without psexec.

On Feb 11, 2010 11:23 AM, "Josh Ciceraro" <josh.ciceraro at gmail.com> wrote:

Hello,

I was wondering if anyone here in the group uses any of the sysinternals tools and what are some favorites. I really like autoruns, process explorer, and process monitor. Disk2Vhd seems pretty promising, though I haven't played with it yet.

--
kaizoku
Josh

--
kaizoku
Josh

_______________________________________________
Pauldotcom mailing list
Pauldotcom at mail.pauldotcom.com
http://mail.pauldotcom.com/cgi-bin/mailman/listinfo/pauldotcom
Main Web Site: http://pauldotcom.com

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mail.pauldotcom.com/pipermail/pauldotcom/attachments/20100212/2a16dedf/attachment.htm
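Peter asks about processes that hide from the APIs task manager uses, and Josh points at Process Explorer's packed-image highlighting. One cheap check a practitioner can run first is a cross-view comparison: enumerate processes through several different user-mode paths and flag any PID that one path reports and another does not. The script below is an added example written for this page; it is not code from the thread, from Sysinternals or from Process Explorer. It assumes Windows PowerShell 5.1 or later; pslist.exe is optional and that view is skipped when the tool is not on PATH.

```powershell
# Added example (not from the thread): cross-view process enumeration.
# Each view asks Windows for the process list by a different route. A PID that
# appears in some views and not others is a candidate for a closer look.

function Get-ProcessViews {
    $views = [ordered]@{}

    # .NET System.Diagnostics.Process (NtQuerySystemInformation under the hood)
    $views['Get-Process'] = @(Get-Process | ForEach-Object { [int]$_.Id })

    # WMI/CIM: answered by the WMI provider host, not by this process
    $views['Win32_Process'] = @(Get-CimInstance -ClassName Win32_Process |
        ForEach-Object { [int]$_.ProcessId })

    # tasklist.exe, parsed from its CSV output (/NH = no header row)
    $views['tasklist'] = @(tasklist.exe /FO CSV /NH |
        ConvertFrom-Csv -Header ImageName, PID, SessionName, SessionNum, MemUsage |
        ForEach-Object { [int]$_.PID })

    # Sysinternals pslist, if present. Data rows look like:
    #   name  pid  pri  thd  hnd  priv  cpu-time  elapsed-time
    # so the second whitespace-separated column is the PID; banner lines do not match.
    if (Get-Command pslist.exe -ErrorAction SilentlyContinue) {
        $views['pslist'] = @(pslist.exe -accepteula 2>$null | ForEach-Object {
            if ($_ -match '^\S+\s+(\d+)\s+\d+\s+\d+') { [int]$Matches[1] }
        })
    }
    return $views
}

function Compare-ProcessViews {
    param([System.Collections.IDictionary]$Views)

    # Union of every PID any view reported
    $all = $Views.Values | ForEach-Object { $_ } | Sort-Object -Unique

    foreach ($procId in $all) {   # $pid is a PowerShell automatic variable, hence the name
        $seen    = @($Views.Keys | Where-Object { $Views[$_] -contains $procId })
        $missing = @($Views.Keys | Where-Object { $Views[$_] -notcontains $procId })
        if ($missing.Count -gt 0) {
            [pscustomobject]@{
                PID         = $procId
                SeenIn      = $seen -join ','
                MissingFrom = $missing -join ','
            }
        }
    }
}

function Find-HiddenProcessCandidates {
    param([int]$Passes = 2, [int]$PauseMs = 500)

    # Processes that start or exit between the individual snapshots produce
    # one-off gaps. Only report a PID/view gap that shows up in every pass.
    $counts = @{}
    for ($i = 0; $i -lt $Passes; $i++) {
        foreach ($r in (Compare-ProcessViews -Views (Get-ProcessViews))) {
            $key = "$($r.PID)|$($r.SeenIn)|$($r.MissingFrom)"
            $counts[$key] = 1 + [int]$counts[$key]
        }
        Start-Sleep -Milliseconds $PauseMs
    }
    foreach ($k in ($counts.Keys | Where-Object { $counts[$_] -eq $Passes })) {
        $p, $s, $m = $k -split '\|'
        [pscustomobject]@{ PID = [int]$p; SeenIn = $s; MissingFrom = $m }
    }
}

# Usage:
#   Find-HiddenProcessCandidates | Format-Table -AutoSize
# An empty result means the four user-mode views agree; any row is a PID to
# open in Process Explorer (image path, signature, strings, packed image).
```

The caveat Peter's question implies still applies: all four views are user-mode callers, so a kernel-mode rootkit that unlinks or filters below them fools every view equally, and agreement between them proves nothing about the kernel. Cross-view catches the cheaper tricks (a hooked enumerator, a DLL injected into one monitoring tool); for the rest, the thread's pointers to Process Explorer's packed-image highlighting, strings from process memory and the Russinovich video are the right next step.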
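Craig's tip above, dumping psloglist output as CSV and piping it through find or findstr from a batch file, is the kind of thing that turns into a small script as soon as more than one host is involved. The following is an added example for this page, not code from the thread; it does the same job in PowerShell rather than a batch file. It assumes psloglist.exe is on PATH, that you have admin rights on the target hosts, and that psloglist's -s (one record per line, comma-delimited) field order is Log, Record, Type, Source, EventID, Time, User, Computer, Message, which you should verify against your version's output before trusting the parser. Host names, event IDs and the sample usage are constructed.

```powershell
# Added example (not from the thread): automate "psloglist -> CSV -> findstr"
# across several hosts. Field order of psloglist -s output is an assumption
# (Log,Record,Type,Source,EventID,Time,User,Computer,Message); verify locally.

function Export-PsLogListCsv {
    param(
        [Parameter(Mandatory)][string[]]$ComputerName,
        [string]$LogName = 'Security',
        [int]$Days = 1,
        [int[]]$EventId = @(4624, 4625, 4720, 4728),  # logon, failed logon, user created, group member added
        [string]$OutDir = "$env:TEMP\psloglist"
    )
    New-Item -ItemType Directory -Force -Path $OutDir | Out-Null
    foreach ($c in $ComputerName) {
        $out = Join-Path $OutDir "$c-$LogName.csv"
        # -s  one record per line, comma-delimited
        # -d  only records from the last N days
        # -i  only these event IDs
        & psloglist.exe -accepteula "\\$c" -s -d $Days -i ($EventId -join ',') $LogName 2>$null |
            Set-Content -Path $out -Encoding UTF8
        $out   # return the file path so the caller can feed it to the parser
    }
}

function ConvertFrom-PsLogListLine {
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        # Only the first eight commas are delimiters; the message text may contain commas.
        $f = $Line -split ',', 9
        if ($f.Count -lt 9 -or $f[4] -notmatch '^\d+$') { return }  # skip banner and blank lines
        [pscustomobject]@{
            Computer = $f[7]
            Log      = $f[0]
            Record   = [int]$f[1]
            Type     = $f[2]
            Source   = $f[3]
            EventId  = [int]$f[4]
            Time     = $f[5]
            User     = $f[6]
            Message  = $f[8]
        }
    }
}

# The structured equivalent of "findstr 4625 *.csv": failed logons per host,
# optionally narrowed to messages matching an account-name pattern.
function Find-LogonFailures {
    param([Parameter(Mandatory)][string[]]$CsvPath, [string]$AccountPattern = '.')
    Get-Content -Path $CsvPath |
        ConvertFrom-PsLogListLine |
        Where-Object { $_.EventId -eq 4625 -and $_.Message -match $AccountPattern } |
        Group-Object -Property Computer |
        Select-Object @{ n = 'Computer'; e = { $_.Name } }, @{ n = 'Failures'; e = { $_.Count } }
}

# Usage (host names constructed):
#   $files = Export-PsLogListCsv -ComputerName 'srv01', 'srv02' -Days 2
#   Find-LogonFailures -CsvPath $files -AccountPattern 'svc_'
```

Keeping the raw per-host CSV files around is deliberate: the parser can be re-run with a different filter later without touching the hosts again, which is the same reason Craig dumps to a file first and greps second.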
Current thread:
- Sysinternals, (continued)
- Sysinternals Ken Pryor (Feb 11)
- Sysinternals Tyler Robinson (Feb 11)
- Sysinternals Butturini, Russell (Feb 11)
- Sysinternals Josh Ciceraro (Feb 11)
- Sysinternals Jack Daniel (Feb 11)
- Sysinternals Matthew Lye (Feb 11)
- Sysinternals Tim Mugherini (Feb 11)
- Sysinternals Josh Ciceraro (Feb 12)
- Sysinternals craig bowser (Feb 12)
- Sysinternals Peter Fisher (Feb 12)
- Sysinternals Josh Ciceraro (Feb 12)
- Sysinternals MattNels (Feb 14)
- Sysinternals Josh Ciceraro (Feb 17)
- Sysinternals Tyler Robinson (Feb 11)
- Sysinternals Jody & Jennifer McCluggage (Feb 12)
- Sysinternals Jody & Jennifer McCluggage (Feb 12)
- Sysinternals Josh Ciceraro (Feb 13)
- Sysinternals Christian Frichot (Feb 11)
- Sysinternals d4ncingd4n at gmail.com (Feb 11)
- Sysinternals Michael Salmon (Feb 11)
- Sysinternals Jack Daniel (Feb 11)