Hunting Malware with Windows Sysinternals — Process Explorer

Windows Sysinternals

The Sysinternals tools were created by Mark Russinovich and Bryce Cogswell. They were initially conceived and developed to help administrators and developers in their day-to-day work, but over the years multiple capabilities have been added and new tools have been created to aid malware analysts in finding malicious behavior.

Process Explorer

Process Explorer is a tool that lets us access a lot of information about the processes running on a machine, and offers some useful functionality out of the box which we can leverage to analyze a process and determine whether it is malicious.

Colors

The first thing we’ll see when we open Process Explorer is the list of processes that are running on the system.

Process Explorer — Processes View
Process Explorer default color scheme

Path, Description and Company Name

Almost all legitimate processes (except for system processes) have a description and a company name, so the absence of one or both of these should be treated as suspicious.

Image Signature

Additionally, Process Explorer provides a feature called “Verify Image Signatures” which automatically checks whether the executable file and DLLs of a process carry trusted digital signatures. This can be of great help, as some malware doesn’t bother to sign its code. So always be on the lookout for unverified processes or DLLs.

Enabling the “Verify Image Signatures” via the options menu

Virus Total

Process Explorer also integrates with VirusTotal, so it can submit the hashes of executables and DLLs to check whether they are already flagged by AV engines.

Enabling the VirusTotal submission via the options menu
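The three checks above (description and company name, image signature, and the hash that VirusTotal is queried with) can be scripted for every running process. The following is an added PowerShell example, not code from the original post or from Sysinternals: it uses only built-in cmdlets (Get-Process, Get-AuthenticodeSignature, Get-FileHash), assumes it is run from an elevated prompt, and the function and field names are my own.

```powershell
# Added example (not from the article): process-image triage in PowerShell.
# For every running process it records the image path, company, description,
# Authenticode status and SHA-256 (the hash Process Explorer submits to
# VirusTotal) and flags images with no company/description or a signature
# that is not Valid. Protected processes deny access to their image path and
# are reported as AccessDenied rather than skipped silently.
function Get-ProcessImageTriage {
    [CmdletBinding()]
    param()

    foreach ($p in Get-Process) {
        $path = $null
        try { $path = $p.Path } catch { }   # access denied for protected/system processes
        if (-not $path) {
            [pscustomobject]@{
                Pid = $p.Id; Name = $p.ProcessName; Path = $null
                Company = $null; Description = $null
                Signature = 'AccessDenied'; Signer = $null; Sha256 = $null
                Suspicious = $false; Reason = 'image path not readable'
            }
            continue
        }

        $sig  = Get-AuthenticodeSignature -FilePath $path
        $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        $reasons = @()
        if (-not $p.Company)         { $reasons += 'no company name' }
        if (-not $p.Description)     { $reasons += 'no description' }
        if ($sig.Status -ne 'Valid') { $reasons += "signature $($sig.Status)" }

        [pscustomobject]@{
            Pid         = $p.Id
            Name        = $p.ProcessName
            Path        = $path
            Company     = $p.Company
            Description = $p.Description
            Signature   = $sig.Status
            Signer      = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            Sha256      = $hash          # paste into a VirusTotal search to check for existing detections
            Suspicious  = ($reasons.Count -gt 0)
            Reason      = ($reasons -join '; ')
        }
    }
}

# Usage: show only the processes that need a closer look.
Get-ProcessImageTriage | Where-Object Suspicious |
    Sort-Object Name | Format-Table Pid, Name, Company, Signature, Reason, Sha256 -AutoSize
```

Two caveats when comparing the output with Process Explorer: processes such as System, Registry and the Idle process have no readable image path and show up as AccessDenied, which is expected; and many Windows system files are catalog-signed rather than embedded-signed, so on older Windows and PowerShell versions Get-AuthenticodeSignature can report them as NotSigned even though Process Explorer, which also consults the catalogs, shows them as verified.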

Command Line

By default, Process Explorer doesn’t show the command line that launched a process. This can be enabled by choosing “Select Columns” from the “View” menu, or by right-clicking any column header in the process pane and choosing “Select Columns”.

“Select Columns” option
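The same information is available from WMI/CIM, which is handy when you want to filter or export it. The following is an added PowerShell example (not from the original post): it reads the command line of every process from the Win32_Process class and resolves the parent process name, so each entry shows who launched the process and with what arguments. The function name and the wildcard parameter are my own.

```powershell
# Added example (not from the article): command lines and parent processes
# via CIM, the same data Process Explorer's "Command Line" column exposes.
function Get-ProcessCommandLines {
    [CmdletBinding()]
    param([string]$Name = '*')   # wildcard on the image name, e.g. 'powershell*'

    $all   = Get-CimInstance -ClassName Win32_Process
    $byPid = @{}
    foreach ($proc in $all) { $byPid[[int]$proc.ProcessId] = $proc }

    foreach ($proc in $all) {
        if ($proc.Name -notlike $Name) { continue }
        $parent = $byPid[[int]$proc.ParentProcessId]
        [pscustomobject]@{
            Pid         = $proc.ProcessId
            Name        = $proc.Name
            ParentPid   = $proc.ParentProcessId
            ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
            CommandLine = $proc.CommandLine     # $null when the caller lacks access
        }
    }
}

# Usage: full command lines of every PowerShell host, and everything whose
# command line could not be read (usually protected processes).
Get-ProcessCommandLines -Name 'powershell*' | Format-List
Get-ProcessCommandLines | Where-Object { -not $_.CommandLine } |
    Format-Table Pid, Name, ParentPid, ParentName -AutoSize
```

Note that ParentPid is only a number: if the parent has exited and Windows reused its PID, the resolved ParentName belongs to an unrelated process, which is why Process Explorer's tree view should be read together with process start times.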

Strings

Analyzing the strings of an executable has always been a powerful technique during static analysis, as they often contain interesting indicators.

Strings tab for a process
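The Strings tab does what the classic strings tools do: it scans the file (or the process memory) for runs of printable characters. Here is an added PowerShell example of the same extraction, not code from the original post or from Sysinternals; it returns both ASCII runs and UTF-16LE runs, since Windows binaries store many of their strings as UTF-16. The function name and the minimum length of 6 are my own choices.

```powershell
# Added example (not from the article): a minimal strings extractor.
# Returns printable ASCII runs and UTF-16LE runs of at least $MinLength
# characters, with their file offsets, like the Strings tab on the "Image" setting.
function Get-PrintableStrings {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6
    )
    $bytes = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps each byte to exactly one char, so regexes can run over the raw bytes.
    $text  = [System.Text.Encoding]::GetEncoding('ISO-8859-1').GetString($bytes)

    $ascii = "[\x20-\x7E]{$MinLength,}"             # printable ASCII run
    $wide  = "(?:[\x20-\x7E]\x00){$MinLength,}"     # printable char followed by NUL = UTF-16LE

    foreach ($m in [regex]::Matches($text, $ascii)) {
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'ASCII'; Value = $m.Value }
    }
    foreach ($m in [regex]::Matches($text, $wide)) {
        # drop the interleaved NUL bytes to get the readable text
        [pscustomobject]@{ Offset = $m.Index; Encoding = 'UTF-16LE'; Value = ($m.Value -replace "`0", '') }
    }
}

# Usage: strings from the image of the current PowerShell host, keeping only
# the kinds of indicators analysts usually look for first (URLs, UNC paths, registry keys).
$img = (Get-Process -Id $PID).Path
Get-PrintableStrings -Path $img | Where-Object Value -match '^(https?://|\\\\|HKEY_)' |
    Sort-Object Offset | Format-Table Offset, Encoding, Value -AutoSize
```

Running this over the file on disk corresponds to the Strings tab's "Image" option; the "Memory" option reads the mapped process instead, which is where packed or encrypted samples reveal strings that are absent from the file.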

TCP/IP

As the name suggests, this feature lets us quickly identify processes that have active TCP connections (i.e. are communicating over the network).
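The TCP/IP tab pairs each socket with its owning process. The following is an added PowerShell example (not from the original post) that produces the same pairing from the command line with Get-NetTCPConnection, which requires the NetTCPIP module present on Windows 8 / Server 2012 and later; the function name and parameters are my own.

```powershell
# Added example (not from the article): TCP connections joined to the owning
# process, equivalent to Process Explorer's TCP/IP tab.
function Get-ProcessTcpConnections {
    [CmdletBinding()]
    param(
        [string[]]$State = 'Established',   # e.g. 'Established','Listen'
        [switch]$ExcludeLoopback
    )

    $procs = @{}
    foreach ($p in Get-Process) { $procs[$p.Id] = $p }

    foreach ($c in Get-NetTCPConnection -State $State) {
        if ($ExcludeLoopback -and ($c.RemoteAddress -in @('127.0.0.1', '::1'))) { continue }
        $p = $procs[[int]$c.OwningProcess]
        $path = $null
        if ($p) { try { $path = $p.Path } catch { } }   # protected processes deny access
        [pscustomobject]@{
            Pid    = $c.OwningProcess
            Name   = if ($p) { $p.ProcessName } else { '<unknown>' }   # process may have exited
            Path   = $path
            Local  = "$($c.LocalAddress):$($c.LocalPort)"
            Remote = "$($c.RemoteAddress):$($c.RemotePort)"
            State  = $c.State
        }
    }
}

# Usage: which processes talk to the network right now, and how many endpoints each one has.
Get-ProcessTcpConnections -ExcludeLoopback | Sort-Object Name |
    Format-Table Pid, Name, Local, Remote, State -AutoSize
Get-ProcessTcpConnections -ExcludeLoopback | Group-Object Name |
    Sort-Object Count -Descending | Select-Object Count, Name
```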

DLLs

Process Explorer lets us view the DLLs loaded by a process by pressing the “Ctrl+D” shortcut or by selecting it from the .

DLLs loaded by a process

Handles

When an application wants to access a resource such as a file or a registry key, it requests it through the Windows API responsible for that kind of resource. Once the request succeeds, Windows allocates a handle and returns its index in the handle table of the process.

List of handles opened by a process
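To see the mechanism described above from the process's own side, here is an added PowerShell example (not from the original post): it reads the handle count of the current process, opens a file, shows the raw handle value the kernel returned, and reads the count again after the handle is closed. User-mode handle values are always multiples of 4 because Windows reserves the low two bits, which the example checks. The function name and the temporary file path are my own.

```powershell
# Added example (not from the article): watching a process's handle table.
# Opening a file asks the kernel for a handle; the value returned is an index
# into the process's handle table, and the process's handle count rises until
# the handle is closed.
function Test-HandleAllocation {
    param([string]$Path = (Join-Path $env:TEMP 'handle-demo.txt'))   # constructed scratch file

    $before = (Get-Process -Id $PID).HandleCount
    $stream = [System.IO.File]::Open($Path, [System.IO.FileMode]::OpenOrCreate)
    try {
        $handle = $stream.SafeFileHandle.DangerousGetHandle()   # the raw HANDLE value
        $during = (Get-Process -Id $PID).HandleCount
    } finally {
        $stream.Dispose()                                       # CloseHandle under the hood
    }
    $after = (Get-Process -Id $PID).HandleCount

    [pscustomobject]@{
        HandleValue     = '0x{0:X}' -f $handle.ToInt64()
        MultipleOfFour  = (($handle.ToInt64() % 4) -eq 0)
        CountBefore     = $before
        CountWhileOpen  = $during
        CountAfterClose = $after
    }
}

Test-HandleAllocation

# The per-process total Process Explorer shows in its "Handles" column.
Get-Process | Sort-Object HandleCount -Descending |
    Select-Object -First 10 Id, ProcessName, HandleCount
```

The counts are a snapshot: PowerShell itself opens and closes handles while the function runs, so CountWhileOpen is normally, but not always, exactly CountBefore + 1. A process whose handle count only ever grows is leaking handles, which Process Explorer's lower pane lets you attribute to a specific object type.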

Conclusion

Process Explorer is a powerful tool that can be leveraged to perform advanced malware hunting and analysis.

Nasreddine Bencherchali

I write about #ThreatHunting #WindowsInternals #Malware #DFIR and occasionally #Python.