Open Source and information security mailing list archives
Message-ID: <20040302183636.31175.qmail@web41603.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Looking for a tool

Paul,

> I ran into a situation today where neither Foundstone's Process Explorer
> nor Sysinternals' "pslist" would list the master process that was
> controlling some processes that I was trying to kill. Does anyone on
> the list know of a better utility that will list *all* running processes
> on a Windows box?

First off, I don't think FoundStone has a "Process Explorer" utility. If they do, can you provide a link?

To answer your question, you may need to try multiple tools. For example, get tlist.exe from the MS Debugger Tools (ie, NOT the RK). Run tlist.exe and pslist.exe, and see if there are any disparities. Also, get openports.exe from DiamondCS, and see if the process has a port open...you may see the PID w/ openports, but not w/ the other process enumeration tools.

I was recently working w/ the AFX Rootkit 2003 and found that while tlist.exe doesn't see the "hidden" process (Task Manager won't open on Win2K, and doesn't show the process on Win2K3), pslist did. And if the "hidden" process bound itself to a port, then openports would find it, too.

If the issue is w/ DLL injection, here's what I suggest...run listdlls on a clean machine w/ the same operating system running as the "infected" system. Then run it on the infected system, and see if there are any disparities. Tough to do by hand, I know, but I use Perl to automate a lot of that for me.

Hope that helps...

Harlan
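The cross-view comparison Harlan describes (run two enumerators, diff the PID lists; run listdlls on a clean and a suspect box, diff the loaded modules per process) is easy to automate. The script below is an added example, not Harlan's Perl or any of the tools' own code. The pslist-, tlist- and listdlls-style outputs embedded in it are constructed samples that only approximate the real tools' formats, and the process name "rk_svc" and module "rkhook.dll" are invented placeholders for whatever a rootkit would leave behind; adjust the two line regexes if your tool versions print columns differently.

```python
"""Cross-view diff of process and DLL listings (added example, not from the list post).

Assumption: the sample outputs below are constructed to resemble, not reproduce
exactly, what pslist.exe, tlist.exe and listdlls.exe print. Capture the real
output to files (pslist > ps.txt, tlist > tl.txt, listdlls > dlls.txt) and feed
the file contents to the same parsers.
"""
import re
from typing import Dict, Set, Tuple

# Constructed sample: pslist-style output (name first, PID second).
PSLIST_OUTPUT = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:00:00.000     0:00:00.000
System                4   8  52  298      0     0:00:00.000     0:00:00.000
smss                264  11   3   21    164     0:00:00.010     0:12:31.000
csrss               344  13  12  417   1780     0:00:00.140     0:12:29.000
svchost             820   8  18  342   2312     0:00:00.050     0:12:20.000
rk_svc              916   8   2   36    512     0:00:00.000     0:11:58.000
"""

# Constructed sample: tlist-style output (PID first, name second); PID 916 is missing.
TLIST_OUTPUT = """\
   0 System Process
   4 System
 264 smss.exe
 344 csrss.exe
 820 svchost.exe
"""

# Constructed samples: listdlls-style output from a clean box and from the suspect box.
LISTDLLS_CLEAN = r"""
------------------------------------------------------------------------------
svchost.exe pid: 820
Command line: C:\WINDOWS\system32\svchost.exe -k netsvcs

  Base        Size      Version         Path
  0x01000000  0x6000    5.01.2600.2180  C:\WINDOWS\system32\svchost.exe
  0x7c900000  0xb0000   5.01.2600.2180  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0xf4000   5.01.2600.2180  C:\WINDOWS\system32\kernel32.dll
"""
LISTDLLS_INFECTED = r"""
------------------------------------------------------------------------------
svchost.exe pid: 820
Command line: C:\WINDOWS\system32\svchost.exe -k netsvcs

  Base        Size      Version         Path
  0x01000000  0x6000    5.01.2600.2180  C:\WINDOWS\system32\svchost.exe
  0x7c900000  0xb0000   5.01.2600.2180  C:\WINDOWS\system32\ntdll.dll
  0x7c800000  0xf4000   5.01.2600.2180  C:\WINDOWS\system32\kernel32.dll
  0x10000000  0x8000                    C:\WINDOWS\system32\rkhook.dll
"""

PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+")          # name pid pri thd ...
TLIST_RE = re.compile(r"^\s*(\d+)\s+(\S+)")                     # pid name ...
PROC_RE = re.compile(r"^(\S+)\s+pid:\s*(\d+)", re.IGNORECASE)   # "svchost.exe pid: 820"
# base size [version] path; the version column is optional (unversioned modules leave it blank)
DLL_RE = re.compile(r"^\s+0x[0-9a-fA-F]+\s+0x[0-9a-fA-F]+\s+(?:\S+\s+)?([A-Za-z]:\\.*\S)")


def _norm(name: str) -> str:
    """Lower-case and drop a trailing .exe so 'smss' and 'smss.exe' compare equal."""
    name = name.strip().lower()
    return name[:-4] if name.endswith(".exe") else name


def parse_pslist(text: str) -> Dict[int, str]:
    """PID -> normalised process name from pslist-style output (header line does not match)."""
    return {int(m.group(2)): _norm(m.group(1))
            for m in map(PSLIST_RE.match, text.splitlines()) if m}


def parse_tlist(text: str) -> Dict[int, str]:
    """PID -> normalised process name from tlist-style output."""
    return {int(m.group(1)): _norm(m.group(2))
            for m in map(TLIST_RE.match, text.splitlines()) if m}


def cross_view_diff(view_a: Dict[int, str], view_b: Dict[int, str]) -> Tuple[Set[int], Set[int]]:
    """PIDs each enumerator reports that the other does not; a non-empty side is the disparity to chase."""
    return set(view_a) - set(view_b), set(view_b) - set(view_a)


def parse_listdlls(text: str) -> Dict[str, Set[str]]:
    """Process name -> set of lower-cased module paths from listdlls-style output."""
    modules: Dict[str, Set[str]] = {}
    current = None
    for line in text.splitlines():
        m = PROC_RE.match(line)
        if m:
            current = _norm(m.group(1))
            modules.setdefault(current, set())
            continue
        m = DLL_RE.match(line)
        if m and current is not None:
            modules[current].add(m.group(1).lower())
    return modules


def dll_diff(clean: Dict[str, Set[str]], infected: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Per process, modules loaded on the suspect box that the clean baseline never loaded there."""
    return {proc: mods - clean.get(proc, set())
            for proc, mods in infected.items() if mods - clean.get(proc, set())}


if __name__ == "__main__":
    ps, tl = parse_pslist(PSLIST_OUTPUT), parse_tlist(TLIST_OUTPUT)
    only_ps, only_tl = cross_view_diff(ps, tl)
    for pid in sorted(only_ps):
        print(f"PID {pid} ({ps[pid]}): seen by pslist, not by tlist")
    for pid in sorted(only_tl):
        print(f"PID {pid} ({tl[pid]}): seen by tlist, not by pslist")
    for proc, mods in dll_diff(parse_listdlls(LISTDLLS_CLEAN), parse_listdlls(LISTDLLS_INFECTED)).items():
        for mod in sorted(mods):
            print(f"{proc}: module absent from clean baseline: {mod}")
```

On the constructed samples this reports PID 916 as visible to pslist but not tlist, and rkhook.dll as loaded into svchost only on the suspect box. The baseline diff only means something when the clean box really matches the suspect one (same OS, service pack and roughly the same service set), otherwise legitimate version differences drown the signal.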