lists.openwall.net - Open Source and information security mailing list archives
Message-ID: <200403020351.i223pUP07940@netsys.com>
From: tony at cathedral-of-hate.org (Tony)
Subject: Looking for a tool

I would also suggest using something similar to http://www.codeproject.com/dll/displayloadedmodules.asp (code and binary available). This will list all of the loaded DLLs (hence the name) and each process they are in. Then you can find which processes have DLLs loaded that they shouldn't. It is probably explorer.exe, because that process loads DLLs into memory that are registered. If it appears that no executable has a module that is loaded correctly, then there is probably some sort of rootkit installed that hooks PSAPI.

Good Luck

Tony M

_____

From: full-disclosure-admin@...ts.netsys.com [mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Schmehl, Paul L
Sent: Monday, March 01, 2004 3:37 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool

-----Original Message-----
From: Nick Jacobsen [mailto:nick@...icsdesign.com]
Sent: Monday, March 01, 2004 5:31 PM
To: Schmehl, Paul L; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool

Well, I usually use *sysinternals* Process Explorer, and have yet to see it fail to list a process... how do you know the process exists, if you can't list it?

Real simple. I have randomly named processes (like gk5odre.exe) popping up, and when I kill them, another one takes their place. *Something* has to be the parent that controls this. I can delete an entire registry key and watch it be recreated in less than a second. I can delete a directory with three DLLs in it and watch it be recreated right before my eyes. I can kill the randomly named process and watch it reappear using the same name or a completely different name. I can delete the executable after killing the process, and it will be recreated in no time. So *something* has to be controlling it, yet when I look at the process tree, the randomly named process appears to be the parent.
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20040301/633a9e28/attachment.html
Powered by blists - more mailing lists
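Tony's suggestion above, listing every loaded DLL and the processes it sits in, can be reproduced today with built-in PowerShell, without the CodeProject tool. The following script is an added example and is not code from the thread or from any of the tools mentioned; it assumes an elevated session and treats the Windows system directories and Program Files as the "expected" module locations (that list, and the column names, are this example's own choices). It walks every process, records each module loaded from outside those locations, and then groups the results by DLL path so that a module injected into many processes at once (the explorer.exe pattern the post describes) rises to the top.

```powershell
# Added example (not from the original post): enumerate loaded modules per process
# and report modules loaded from outside the usual system / Program Files locations.
# Assumption: elevated session. Processes that refuse enumeration are reported too,
# since a process you cannot open is itself worth a second look.

$trustedPrefixes = @(
    "$env:SystemRoot\System32\",
    "$env:SystemRoot\SysWOW64\",
    "$env:SystemRoot\WinSxS\",
    "$env:ProgramFiles\",
    "${env:ProgramFiles(x86)}\"
) | Where-Object { $_ -ne '\' }   # drop entries whose env var is unset

function Test-TrustedPath {
    param([string]$Path)
    foreach ($prefix in $trustedPrefixes) {
        if ($Path.StartsWith($prefix, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    try {
        # Accessing .Modules throws on access denied / protected processes
        $modules = $proc.Modules
    } catch {
        Write-Warning ("Cannot enumerate modules of {0} (PID {1}): {2}" -f
            $proc.ProcessName, $proc.Id, $_.Exception.Message)
        continue
    }
    foreach ($m in $modules) {
        if (-not (Test-TrustedPath $m.FileName)) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
            }
        }
    }
}

# One row per unexpected DLL, with every process that has it loaded.
# A single DLL present in many unrelated processes is the thing to investigate.
$findings |
    Group-Object Path |
    Sort-Object Count -Descending |
    Select-Object @{ n = 'Path';      e = { $_.Name } },
                  @{ n = 'Processes'; e = { ($_.Group | Select-Object -ExpandProperty Process -Unique) -join ', ' } },
                  Count |
    Format-Table -AutoSize
```

One caveat that follows from the last sentence of Tony's post: Get-Process obtains its module list through the same user-mode enumeration path (PSAPI / toolhelp) that Process Explorer and the CodeProject tool use, so a rootkit that hooks those APIs hides from this script just as well. If the output looks clean while the symptoms Paul describes continue, compare against a second vantage point the rootkit does not control, for example the file system and registry examined from offline media.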