Finding Malware with Sysinternals Process Explorer

Captions
Greetings, I'm Professor K, and in this short video presentation we're going to take a look at how we can go about locating, finding and detecting malware using Sysinternals Process Explorer. In a previous video we did an overview of Sysinternals Process Explorer, and I explained how you can download it, how you can extract it, and how you can launch Process Explorer from within the suite of Sysinternals tools using the command prompt. The download links are provided for you in the video description and in the lab file for this video.

We're going to begin by launching the Sysinternals suite of tools in a command prompt. Now, to do this I'm going to hold down my Shift key on my keyboard and I'm going to right-click on the Sysinternals extracted folder, and from the context menu I will select "Open command window here" using administrator rights. And there we are. The abbreviated name for the Process Explorer that we need to launch is procexp64.exe. Now I've typed that into the command prompt, and all I have to do now is just hit Enter. It comes back to a prompt, and in just a moment Process Explorer opens up.

If our machine is infected with an instance of malware, there are some things that we can look for inside Process Explorer that will help us find it. One of the main indicators that we probably do have a process that may be malicious is the lack of a description or a company name. So over here, if you find that suspicious process running, and underneath Description and Company Name you don't see anything, that should alert you that this could be malicious.

Most legitimate software can be verified using its digital signature. By default, verifying signatures is not enabled inside Process Explorer, but we can go up to Options and we can check the box here for "Verify Image Signatures", and if you look over to the right you can see where that piece of software got its signature from. Though not always, most software vendors will take the time and the expense of purchasing a certificate from a third-party vendor that provides certificates, so they can show everyone who's concerned that their software is actually legit.

Process Explorer integrates by default with VirusTotal, and you can send the hashes of the executables and the DLLs to check if any AV engines have ever flagged them. For this feature to work, the machine being analyzed must have access to the internet, and it is highly recommended that this feature be enabled, as it can be a great help during the analysis. Now, when you first go to the internet to check to see if a process is actually malicious using VirusTotal, you will have to agree to the terms of service, so once that pops up you can just go ahead and say yes to that. And over here you can see that all the hashes for all these different processes have been submitted to VirusTotal. The way you do that: you just go over here to Options, you're gonna scroll on down to VirusTotal.com, and you're gonna check the box here for "Check VirusTotal.com". And over here on the right you can see what engines, if any, have looked at any of your processes and ever flagged them.

By default, Process Explorer does not show the command lines that launched the process. Adding the command line information can be enabled by selecting the "Select Columns" option from the View menu, or by right-clicking on any column in the processes pane and selecting the "Select Columns" option. So we can go up here to View, and from here we can go down and we can select Columns, and from here we can check the box for showing the command line. And over here you can see how this process was actually launched using a command prompt. By identifying the command that launched a process, we can get some very useful information, especially if that malicious process contains arguments that we can use to determine the nature of the process.

Analyzing the strings of an executable has always been a powerful technique during static analysis, as they contain interesting indicators. Now, to do this, all you have to do is just find the process that you want to analyze and double-click it. Just find one here; go ahead and do the Classic Start Menu. And from here you can click on the Strings tab, and here you see all the strings associated with this executable. From this window we can inspect both on-disk and in-memory strings. The in-memory strings only show the part where the executable is mapped in memory, which is the case of packed or encrypted/encoded samples, which sometimes can be a gold mine of indicators of compromise, or IOCs.

Another indicator of compromise might be a process that is attempting to communicate via the network to the internet. They may be trying to call out to a command and control center, they may be trying to get a hold of a server, or they may be part of a bot. Now, to see if any application is actually trying to communicate, you can right-click on that process. For instance, I have firefox.exe currently running and it is open. If I right-click on it and I go to Properties and I open up the TCP/IP tab, you'll notice that we can look at all the connections that are currently established with Internet Explorer, and we also see the remote addresses and what we're actually connecting to via this process.

Processes need to establish handles, and they also need to have access to DLLs. Now, to see what DLLs are being used by a particular process, you can highlight that process, in this case firefox.exe, and if I hold down the Ctrl key on my keyboard and I press the letter D, you'll see that all of the DLLs associated with that process open up. And now we can also see over to the right if VirusTotal is aware of any malicious DLLs that may be present on our machine. To close the viewing pane, we can go up here to the right of our taskbar and we just click on the icon to close that viewing pane out.

When an application wants to access resources such as files or the registry, it must request them with the appropriate Windows API responsible for handling the requested resource. Once this request is completed successfully, Windows will allocate a handle and return its index in the process handle table. So to get this table to pop up for handles, what we're going to do is hold down the Ctrl key and press the letter H. So I'll select firefox.exe, and I'm going to hold down the Ctrl key and on my keyboard I'll press the letter H, and here we see all the handles of all the files that are associated with the APIs that are needed to launch firefox.exe.

Make sure that you understand where a file should be launching from. If you have a well-known executable such as dns.exe launching from within the Temp folder, well, that should alert you that that's probably not legit. To see the path of where the process is launching from, all we have to do is find that process, right-click on it, and if we click on Image we are shown exactly where that process is being launched from. So you see that inside of my Program Files I do have a subfolder called Dropbox, I have a Client, and inside that Client folder I have Dropbox.exe. That's telling me that this process is probably legit. Now, if you're concerned about it, well then you can go down here and kill the process, and you can see down here that VirusTotal is going to give you a brief synopsis of just how many AV engines detected this as being malicious. And if you would like to look at the autostart location, if the machine is loading this at startup, you can just click on Explore and it'll take you right up to the registry so you can examine it in more detail.

And so in this short video presentation we looked at a number of different ways that we can use Process Explorer to help us analyze, detect and find malicious software on our machine. If you have any questions or you've got any concerns about anything that was shown to you in this short video presentation, please don't hesitate to reach out and contact your instructor, and I'll see you in my next video.
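The indicators the video walks through by eye (missing Description or Company Name, an unverified signature, VirusTotal hits, a well-known name loading from a folder it does not belong in, the launching command line, and established remote connections) can also be applied mechanically to exported process data. The script below is an added example, not code from the video or from Sysinternals: the process records mirror the Process Explorer columns the video enables but are constructed, the allow-list of expected directories and the command-line markers are illustrative assumptions, and nothing here reads live processes or contacts VirusTotal.

```python
"""Triage heuristics from the video applied to constructed Process Explorer-style records."""
from __future__ import annotations

import ntpath

# Constructed allow-list: well-known Windows binaries and the directory each is
# expected to load from (build yours from a known-good baseline).
EXPECTED_IMAGE_DIRS = {
    "svchost.exe": {r"c:\windows\system32"},
    "dns.exe": {r"c:\windows\system32"},
    "explorer.exe": {r"c:\windows"},
}

# Path fragments that mark user-writable locations; the video's "dns.exe in Temp" case.
USER_WRITABLE_HINTS = ("\\temp\\", "\\tmp\\", "\\downloads\\", "\\public\\")

# Command-line fragments worth a second look (assumed markers, not an exhaustive list).
CMDLINE_MARKERS = ("-encodedcommand", "downloadstring", "/c start")


def vt_detections(vt_field: str) -> int:
    """Parse a Process Explorer-style VirusTotal column such as '3/70'; anything unparsable -> 0."""
    try:
        hits, _total = vt_field.split("/")
        return int(hits)
    except (ValueError, AttributeError):
        return 0


def triage(proc: dict) -> list[str]:
    """Return the reasons one process record deserves closer inspection."""
    reasons: list[str] = []
    name = proc.get("name", "").lower()
    image = proc.get("image_path", "")
    image_dir = ntpath.dirname(image).lower()

    # 1. Missing Description / Company Name: the first indicator in the video.
    if not proc.get("description", "").strip():
        reasons.append("no description")
    if not proc.get("company", "").strip():
        reasons.append("no company name")

    # 2. Verify Image Signatures column: anything but "(Verified) <signer>" is noteworthy.
    if not proc.get("verified", "").lower().startswith("(verified)"):
        reasons.append("signature not verified")

    # 3. VirusTotal column: any engine hit.
    hits = vt_detections(proc.get("virustotal", ""))
    if hits > 0:
        reasons.append(f"virustotal flagged by {hits} engine(s)")

    # 4. Image path: well-known name in the wrong directory, or any user-writable directory.
    expected = EXPECTED_IMAGE_DIRS.get(name)
    if expected and image_dir not in expected:
        reasons.append(f"well-known name loaded from unexpected path {image}")
    if any(hint in image_dir + "\\" for hint in USER_WRITABLE_HINTS):
        reasons.append("image lives in a user-writable directory")

    # 5. Command Line column: arguments that reveal how the process was launched.
    cmd = proc.get("command_line", "").lower()
    for marker in CMDLINE_MARKERS:
        if marker in cmd:
            reasons.append(f"command line contains '{marker}'")
            break

    # 6. TCP/IP tab: established remote connections other than loopback.
    remotes = [r for r in proc.get("remote_addresses", []) if not r.startswith("127.")]
    if remotes:
        reasons.append("network connections to " + ", ".join(remotes))
    return reasons


def suspicious(procs: list[dict], min_reasons: int = 3) -> list[str]:
    """Names of processes with at least `min_reasons` findings; one remote connection alone is normal."""
    return [p["name"] for p in procs if len(triage(p)) >= min_reasons]


# Constructed sample records in the shape of the columns the video turns on.
SAMPLE_PROCESSES = [
    {"name": "firefox.exe", "image_path": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "description": "Firefox", "company": "Mozilla Corporation",
     "verified": "(Verified) Mozilla Corporation", "virustotal": "0/72",
     "command_line": r'"C:\Program Files\Mozilla Firefox\firefox.exe"',
     "remote_addresses": ["203.0.113.10:443"]},
    {"name": "dns.exe", "image_path": r"C:\Users\bob\AppData\Local\Temp\dns.exe",
     "description": "", "company": "", "verified": "(Unable to verify) n/a",
     "virustotal": "12/72",
     "command_line": r"C:\Users\bob\AppData\Local\Temp\dns.exe -EncodedCommand <constructed>",
     "remote_addresses": ["198.51.100.7:8080"]},
]

if __name__ == "__main__":
    for p in SAMPLE_PROCESSES:
        print(p["name"], "->", triage(p) or ["nothing notable"])
    print("suspicious:", suspicious(SAMPLE_PROCESSES))
```

The threshold in `suspicious` exists because a single finding is rarely conclusive: a browser with outbound connections is expected, whereas the constructed dns.exe record trips every check at once, which is the pattern the video is teaching you to recognise before you reach for Kill Process or the autostart Explore button.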
Info
Channel: Professor K
Views: 60,621
Keywords: windows 10, process explorer, sysinternals, sysinternals suite, procexp64.exe, procexp.exe, change process priority, increase fps for gamers, check processes for virus, suspend processes, replace task manager, tutorial, help, tips, diagnostics, troubleshooting, server 2016, server 2019, process explorer windows 10, malware analysis, process explorer malware analysis, process explorer download
Id: y2bNLCWHFNs
Length: 9min 25sec (565 seconds)
Published: Mon Sep 06 2021