Using forensic tools (1): Process Explorer, Process Monitor, and Autoruns
May 19, 2018
Process explorer
Submit to VirusTotal to check hash
Process Explorer -> Options -> VirusTotal.com -> Check VirusTotal.com
Executables with a high ratio have a higher chance of being malicious.
The ratio is the number of antivirus engines that flagged the executable as malicious divided by the total number of engines.
If the ratio is 1/67, it is probably a false positive, but if it is more than that, it is worth doubting.
If you want to delete the program, first disable its autostart entry in Autoruns so it does not run on boot, and then delete it.
Verify image signatures
Process Explorer -> Options -> Verify image signatures
Process monitor
Registry operations
RegQueryKey
Retrieves information about the specified registry key.
RegSetInfoKey
Sets information on the specified registry key (for example its last-write time); this is the NtSetInformationKey call.
RegCloseKey
Closes the specified registry key.
RegOpenKey
Opens the specified registry key.
RegCreateKey
Creates the specified registry key. If the key already exists in the registry, the function opens it.
RegEnumKey
Enumerates the subkeys of the specified open registry key. The function retrieves the name of one subkey each time it is called.
Full list of Process Monitor operations
CloseFile, CreateFile, CreateFileMapping, DeviceIoControl, FileSystemControl, FlushBuffersFile, Load Image, LockFile, NotifyChangeDirectory, Process Create, Process Exit, Process Profiling, Process Start, QueryAllInformationFile, QueryAttributeInformationVolume, QueryAttributeTagFile, QueryBasicInformationFile, QueryDeviceRelations, QueryDirectory, QueryEAFile, QueryFileInternalInformationFile, QueryFullSizeInformationVolume, QueryInformationVolume, QueryNameInformationFile, QueryNetworkOpenInformationFile, QueryNormalizedNameInformationFile, QueryObjectIdInformationVolume, QueryOpen, QueryPositionInformationFile, QueryRemoteProtocolInformation, QuerySecurityFile, QuerySizeInformationVolume, QueryStandardInformationFile, QueryStreamInformationFile, ReadFile, RegCloseKey, RegCreateKey, RegDeleteKey, RegDeleteValue, RegEnumKey, RegEnumValue, RegLoadKey, RegOpenKey, RegQueryKey, RegQueryKeySecurity, RegQueryMultipleValueKey, RegQueryValue, RegSetInfoKey, RegSetKeySecurity, RegSetValue, SetAllocationInformationFile, SetBasicInformationFile, SetDispositionInformationFile, SetEndOfFileInformationFile, SetPositionInformationFile, SetRenameInformationFile, SetSecurityFile, TCP Accept, TCP Connect, TCP Disconnect, TCP Receive, TCP Reconnect, TCP Retransmit, TCP Send, TCP TCPCopy, Thread Create, Thread Exit, UDP Receive, UDP Send, UnlockFileSingle, WriteFile
Use filters to narrow the capture down to the events of interest
Process monitor -> Filter -> Filter -> Include / Exclude
Operations to watch
WriteFile
CreateFile
Process Create
Process Start
RegCreateKey
RegDeleteKey
RegSetInfoKey
TCP Connect
TCP Receive
Load Image
Access Denied
Filter by Path contains suspiciousExecutable.
Filter by Path contains "\Run"
Use the process tree to find out whether any child processes exist
Process monitor -> Tools -> Process tree
Use Jump To to open the changed registry key directly in regedit.
Additional tips
- Stop capturing, set the filter, and only then start capturing again
- See Tools -> ... Summary (e.g. Registry Summary) to find which path was changed most often, or use the other summary views.
- Use the target (crosshair) button to pick the process to monitor directly from the screen.
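The filtering and summary steps above can be reproduced offline on a saved capture. The following is an added example, not code from the post or from Sysinternals: it parses a constructed Process Monitor CSV export (the header is ProcMon's default export layout; every row is made up), applies the "operations to watch" list together with the Path contains "\Run" and Access Denied filters, and builds the same per-path count that Tools -> Registry Summary shows. RegSetValue is added to the watch list here because it is the operation that writes a value under a Run key.

```python
import csv
import io
from collections import Counter

# Operations the post says are worth watching, plus RegSetValue (the
# operation that actually writes a value under a \Run key).
WATCH_OPERATIONS = {
    "WriteFile", "CreateFile", "Process Create", "Process Start",
    "RegCreateKey", "RegDeleteKey", "RegSetInfoKey", "RegSetValue",
    "TCP Connect", "TCP Receive", "Load Image",
}

# Constructed sample in the shape of a Process Monitor CSV export
# (File -> Save..., CSV). The header matches ProcMon's default export
# columns; every row below is made up for this example.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1234567 AM","explorer.exe","1234","RegQueryKey","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion","SUCCESS","Query: HandleTags, HandleTags: 0x0"
"10:01:02.2234567 AM","suspiciousExecutable.exe","4321","RegSetValue","HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 64, Data: C:\Users\user\AppData\Roaming\upd.exe"
"10:01:02.3234567 AM","suspiciousExecutable.exe","4321","WriteFile","C:\Users\user\AppData\Roaming\upd.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.4234567 AM","suspiciousExecutable.exe","4321","CreateFile","C:\Windows\System32\drivers\etc\hosts","ACCESS DENIED","Desired Access: Generic Write"
"10:01:02.5234567 AM","suspiciousExecutable.exe","4321","TCP Connect","DESKTOP-1:49500 -> 203.0.113.5:443","SUCCESS","Length: 0, mss: 1460"
"10:01:02.6234567 AM","svchost.exe","900","ReadFile","C:\Windows\System32\kernel32.dll","SUCCESS","Offset: 0, Length: 32,768"
'''


def parse_procmon_csv(text):
    """Parse a ProcMon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def filter_events(events, operations=WATCH_OPERATIONS, process_contains=None,
                  path_contains=None, include_access_denied=True):
    """Mimic Filter -> Include: keep events whose Operation is on the watch
    list (or whose Result is ACCESS DENIED), optionally restricted to a
    process-name and path substring, matched case-insensitively like ProcMon."""
    hits = []
    for ev in events:
        if process_contains and process_contains.lower() not in ev["Process Name"].lower():
            continue
        if path_contains and path_contains.lower() not in ev["Path"].lower():
            continue
        denied = include_access_denied and ev["Result"] == "ACCESS DENIED"
        if ev["Operation"] in operations or denied:
            hits.append(ev)
    return hits


def run_key_writes(events):
    """Persistence check: registry writes whose path contains \\Run
    (this also matches RunOnce, which is intended)."""
    return [ev for ev in events
            if ev["Operation"] in ("RegSetValue", "RegCreateKey")
            and "\\run" in ev["Path"].lower()]


def registry_summary(events):
    """Like Tools -> Registry Summary: registry paths ordered by event count."""
    counts = Counter(ev["Path"] for ev in events if ev["Operation"].startswith("Reg"))
    return counts.most_common()


if __name__ == "__main__":
    evs = parse_procmon_csv(SAMPLE_CSV)
    for ev in filter_events(evs, process_contains="suspiciousExecutable"):
        print(f'{ev["Operation"]:<12} {ev["Result"]:<14} {ev["Path"]}')
    for ev in run_key_writes(evs):
        print("persistence:", ev["Path"])
    for path, n in registry_summary(evs):
        print(n, path)
```

On a real capture, replace SAMPLE_CSV with the contents of the exported file; the same functions apply because ProcMon writes the same seven columns by default.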
Autoruns
Scanning on VirusTotal and Verifying image signatures
Autoruns shares these functions with Process Explorer: it can submit hashes to VirusTotal and verify image signatures as well:
Options -> Scan options -> Verify image signatures
Options -> Scan options -> Check VirusTotal.com
Jump to Image
Select application
Entry -> Jump to Image
Opens the directory containing the selected application's image.
Jump to registry
Select application
Entry -> Jump to Entry
Suspicious entries tend to look suspicious.
Suspicious files often have no description or a strange one, and perform strange registry operations.
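The triage rules of this post (the 1/67 VirusTotal rule of thumb from the Process Explorer section, unverified signatures, and missing descriptions) can be applied in bulk to Autoruns output. The following is an added example, not code from the post or from Sysinternals. It assumes the column layout of autorunsc's CSV output with signature verification and VirusTotal checks enabled (an assumption modeled on that tool; the sample rows and the VT permalinks are constructed placeholders) and returns, per entry, the reasons it deserves a closer look.

```python
import csv
import io
from fractions import Fraction

# Constructed sample in the shape of autorunsc's CSV output. The column names
# are an assumption modeled on autorunsc -c -s -v; the rows are made up and
# the VT permalinks are placeholders, not real VirusTotal links.
SAMPLE_AUTORUNS_CSV = r'''Time,Entry Location,Entry,Enabled,Category,Profile,Description,Signer,Company,Image Path,Version,Launch String,VT detection,VT permalink
2018-05-19 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,SecurityHealth,enabled,Logon,System-wide,Windows Security notification icon,(Verified) Microsoft Windows,Microsoft Corporation,c:\windows\system32\securityhealthsystray.exe,10.0.17134.1,%windir%\system32\SecurityHealthSystray.exe,0/67,PLACEHOLDER-URL
2018-05-19 10:00,HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,Updater,enabled,Logon,user,,(Not verified) Updater Inc,,c:\users\user\appdata\roaming\upd.exe,1.0.0.0,c:\users\user\appdata\roaming\upd.exe /silent,12/67,PLACEHOLDER-URL
2018-05-19 10:00,HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run,VendorTray,enabled,Logon,System-wide,Vendor tray helper,(Verified) Vendor Corp,Vendor Corp,c:\program files\vendor\tray.exe,2.3.1.0,c:\program files\vendor\tray.exe,1/67,PLACEHOLDER-URL
'''

# The post's rule of thumb: a single engine out of 67 is probably a false
# positive; anything above that is worth doubting.
FALSE_POSITIVE_MAX = Fraction(1, 67)


def parse_vt_ratio(text):
    """Turn a VirusTotal 'hits/engines' string such as '12/67' into a Fraction.
    Returns None when the field is empty or not in that form (e.g. 'n/a')."""
    try:
        hits, total = text.strip().split("/")
        return Fraction(int(hits), int(total))
    except (ValueError, AttributeError):
        return None


def triage_entry(row):
    """Return the list of reasons an Autoruns entry looks suspicious
    (empty list means nothing stood out under the post's heuristics)."""
    reasons = []
    if not row["Description"].strip():
        reasons.append("no description")
    if not row["Signer"].startswith("(Verified)"):
        reasons.append("signature not verified")
    ratio = parse_vt_ratio(row["VT detection"])
    if ratio is not None and ratio > FALSE_POSITIVE_MAX:
        reasons.append(f"VirusTotal {row['VT detection']}")
    return reasons


def triage(text):
    """Map each entry name in an autorunsc CSV export to its triage reasons."""
    rows = csv.DictReader(io.StringIO(text))
    return {row["Entry"]: triage_entry(row) for row in rows}


if __name__ == "__main__":
    for entry, reasons in triage(SAMPLE_AUTORUNS_CSV).items():
        status = "; ".join(reasons) if reasons else "ok"
        print(f"{entry:<16} {status}")
```

An entry flagged here is a candidate for disabling in Autoruns first and deleting afterwards, as the Process Explorer section describes; the heuristics only rank entries for review and do not prove anything malicious.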