Message-ID: <200403020351.i223pUP07940@netsys.com>
From: tony at cathedral-of-hate.org (Tony)
Subject: Looking for a tool

I would also suggest using something similar to
http://www.codeproject.com/dll/displayloadedmodules.asp  (Code and binary
available).  This will list all of the loaded DLLs (hence the name) and
each process they are in.  Then you can find which processes have DLLs
loaded that they shouldn't.  It is probably explorer.exe, because that process
loads registered DLLs into memory.  
 
If it appears that no executable has a module that is loaded correctly then
there is probably some sort of rootkit installed that hooks PSAPI.
 
Good Luck
Tony M
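The inventory Tony describes, done from PowerShell instead of the CodeProject tool. This is an added example, not code from the thread or from the linked tool, and it assumes it runs in an elevated (Administrator) PowerShell so that the module lists of other users' processes are readable; the "expected" module locations (Windows and Program Files directories) and the use of Authenticode status as a second filter are choices made here, not something the thread specifies. The process name gk5odre.exe is the one Paul quotes; substitute whatever is respawning.

```powershell
# Added example (not from the original thread): list every loaded module, note which
# processes carry it, and flag modules that live outside the usual system/program
# directories or that do not carry a valid Authenticode signature.
# Assumption: run elevated; non-elevated sessions silently skip protected processes.

$trustedRoots = @(
    $env:SystemRoot,
    ${env:ProgramFiles},
    ${env:ProgramFiles(x86)},
    ${env:ProgramW6432}
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' } | Sort-Object -Unique

# Signature checks are slow; cache one result per file path.
$sigCache = @{}
function Get-SigStatus([string]$path) {
    if (-not $sigCache.ContainsKey($path)) {
        try   { $sigCache[$path] = (Get-AuthenticodeSignature -FilePath $path).Status.ToString() }
        catch { $sigCache[$path] = 'Unreadable' }
    }
    return $sigCache[$path]
}

$rows = foreach ($p in Get-Process) {
    $mods = $null
    try { $mods = $p.Modules } catch { continue }   # access denied (protected or other-user process)
    foreach ($m in $mods) {
        $path = $m.FileName
        if (-not $path) { continue }
        $inTrusted = $false
        foreach ($root in $trustedRoots) {
            if ($path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) { $inTrusted = $true; break }
        }
        [pscustomobject]@{
            Process   = $p.ProcessName
            PID       = $p.Id
            Module    = $path
            InTrusted = $inTrusted
            Signature = Get-SigStatus $path
        }
    }
}

# One line per module: where it is, whether it is signed, and which processes load it.
# explorer.exe will appear often here because it loads registered shell extensions.
$rows | Group-Object Module | ForEach-Object {
    $first = $_.Group[0]
    [pscustomobject]@{
        Module    = $_.Name
        Signature = $first.Signature
        InTrusted = $first.InTrusted
        Processes = (($_.Group | ForEach-Object { "$($_.Process)($($_.PID))" } | Sort-Object -Unique) -join ', ')
    }
} | Where-Object { -not $_.InTrusted -or $_.Signature -ne 'Valid' } |
    Sort-Object Module | Format-Table -AutoSize -Wrap

# Paul's question about who controls the respawning process: WMI records the
# parent PID at creation time, so the parent can be resolved even if it has since
# spawned several generations of randomly named children.
Get-CimInstance Win32_Process -Filter "Name = 'gk5odre.exe'" | ForEach-Object {
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($_.ParentProcessId)"
    [pscustomobject]@{
        PID       = $_.ProcessId
        Name      = $_.Name
        ParentPID = $_.ParentProcessId
        Parent    = $parent.Name
        ParentCmd = $parent.CommandLine
    }
}
```

Two caveats a practitioner would want. First, the parent lookup only helps while the parent is still alive; if the ParentPID resolves to nothing, the spawner has exited (or the PID has been reused), and the creator has to be caught at creation time instead. Second, as Tony notes for PSAPI, all of this is user-mode enumeration: a rootkit that hooks the module and process enumeration APIs hides from this script exactly as it hides from Process Explorer, so an empty or implausible result is itself a signal.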
 
 
  _____  

From: full-disclosure-admin@...ts.netsys.com
[mailto:full-disclosure-admin@...ts.netsys.com] On Behalf Of Schmehl, Paul L
Sent: Monday, March 01, 2004 3:37 PM
To: full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool
 
-----Original Message-----
From: Nick Jacobsen [mailto:nick@...icsdesign.com] 
Sent: Monday, March 01, 2004 5:31 PM
To: Schmehl, Paul L; full-disclosure@...ts.netsys.com
Subject: RE: [Full-Disclosure] Looking for a tool
Well, I usually use *sysinternals* Process Explorer, and have yet to see it
fail to list a process...  how do you know the process exists, if you can't
list it?
 
Real simple.  I have randomly named processes (like gk5odre.exe) popping up,
and when I kill them, another one takes their place.  *Something* has to be
the parent that controls this.  I can delete an entire registry key and
watch it be recreated in less than a second.  I can delete a directory with
three dlls in it and watch it be recreated right before my eyes.  I can kill
the randomly named process and watch it reappear using the same name or a
completely different name.  I can delete the executable after killing the
process, and it will be recreated in no time.  So *something* has to be
controlling it, yet when I look at the process tree, the randomly named
process appears to be the parent.
Paul Schmehl (pauls@...allas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu/~pauls/ 