lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <20040302183636.31175.qmail@web41603.mail.yahoo.com>
From: keydet89 at yahoo.com (Harlan Carvey)
Subject: Looking for a tool

Paul, 

> I ran into a situation today where neither
> Foundstone's Process Explorer
> nor Sysinternals' "pslist" would list the master
> process that was
> controlling some processes that I was trying to
> kill.  Does anyone on
> the list know of a better utility that will list
> *all* running processes on a Windows box?

First off, I don't think FoundStone has a "Process
Explorer" utility.  If they do, can you provide a
link?

To answer your question, you may need to try multiple
tools.  For example, get tlist.exe from the MS
Debugger Tools (ie, NOT the RK).  Run tlist.exe and
pslist.exe, and see if there are any disparities. 
Also, get openports.exe from DiamondCS, and see if the
process has a port open...you may see the PID w/
openports, but not w/ the other process enumeration
tools.  

I was recently working w/ the AFX Rootkit 2003 and
found that while tlist.exe doesn't see the "hidden"
process (Task Manager won't open on Win2K, and doesn't
show the process on Win2K3), pslist did.  And if the
"hidden" process bound itself to a port, then
openports would find it, too.

If the issue is w/ DLL injection, here's what I
suggest...run listdlls on a clean machine w/ the same
operating system running as the "infected" system. 
Then run it on the infected system, and see if there
are any disparities.  Tough to do by hand, I know, but
I use Perl to automate a lot of that for me.

Hope that helps...

Harlan




Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ