Monitor. The Process Monitor can capture detailed information about any running process in a Windows® system, including filesystem, registry, and network activity. Process Monitor alone is a great help in analyzing the behavior of an application when determining whether or not it is malicious. As an aside, Mark's story is an interesting one because he is recognized as a true expert on the internals of Windows® even though he did not participate in its development—a true testament to what can be learned about software through reverse engineering. At the time of this writing, the Sysinternals suite contained 66 different utilities, but we'll focus on the most useful one in this context of analyzing the behavior of malware: Process Monitor. In the exercise that accompanies this section, it is recommended that you use Process Monitor to complete it. If you have the opportunity to experiment with other tools in the Sysinternals suite, you are encouraged to do so. The following description of Process Monitor is given on the Windows Sysinternals web site [46]:

“Process Monitor is an advanced monitoring tool for Windows® that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit.”

Fig. 10.1 contains a capture of a Process Monitor session where the filesystem activity of the Password Vault application is recorded. When using Process Monitor, you can selectively monitor registry, filesystem, network, and thread activity.
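As an added example (not from the book, the exercise, or Sysinternals), the following Python script post-processes a Process Monitor CSV export: it sorts each recorded event into the registry, filesystem, network, and process/thread classes the tool captures, counts them per process, and flags successful registry writes under the autorun keys, one of the first things to look for when deciding whether an application behaves maliciously. The column names are those of Process Monitor's CSV export; the sample rows, process names, and paths are constructed for the demonstration.

```python
import csv
import io
from collections import Counter, defaultdict

# Constructed sample of a Process Monitor CSV export (File > Save..., CSV format);
# a real capture of the Password Vault application would run to thousands of rows.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1 AM","vault.exe","4120","CreateFile","C:\Users\alice\vault.db","SUCCESS","Desired Access: Generic Read"
"9:01:02.2 AM","vault.exe","4120","WriteFile","C:\Users\alice\vault.db","SUCCESS","Offset: 0, Length: 4,096"
"9:01:02.3 AM","vault.exe","4120","RegOpenKey","HKCU\Software\Vault","SUCCESS","Desired Access: Read"
"9:01:02.4 AM","vault.exe","4120","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\vault","SUCCESS","Type: REG_SZ"
"9:01:02.5 AM","vault.exe","4120","TCP Connect","host-a:51000 -> 203.0.113.7:443","SUCCESS","Length: 0"
"9:01:02.6 AM","vault.exe","4120","Thread Create","","SUCCESS","Thread ID: 5200"
"9:01:02.7 AM","explorer.exe","1188","QueryDirectory","C:\Users\alice","SUCCESS",""
'''

# Registry locations that relaunch a program at logon; a write here by an application
# with no reason to persist is a classic red flag in a behavioral triage.
AUTORUN_KEYS = ("\\currentversion\\run", "\\currentversion\\runonce")


def classify(operation):
    """Map a Process Monitor operation name to one of its four event classes."""
    if operation.startswith("Reg"):
        return "registry"
    if operation.startswith(("TCP", "UDP")):
        return "network"
    if operation.startswith(("Process", "Thread", "Load Image")):
        return "process"
    return "filesystem"  # CreateFile, WriteFile, QueryDirectory, ...


def summarize(csv_text):
    """Return {process name: Counter mapping event class -> number of events}."""
    per_process = defaultdict(Counter)
    for row in csv.DictReader(io.StringIO(csv_text)):
        per_process[row["Process Name"]][classify(row["Operation"])] += 1
    return dict(per_process)


def persistence_writes(csv_text):
    """Return (process, path) for each successful registry write under an autorun key."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Operation"] == "RegSetValue" and row["Result"] == "SUCCESS":
            if any(key in row["Path"].lower() for key in AUTORUN_KEYS):
                hits.append((row["Process Name"], row["Path"]))
    return hits
```

Applying a Process Monitor filter of "Process Name is vault.exe" before saving keeps the export to the application under study, which is the same selective monitoring the text describes.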


