
RootKit'ed system tools

3 Posts
3 Users
0 Reactions
381 Views
(@mwade)
Trusted Member
Joined: 18 years ago
Posts: 77
Topic starter  

Hello All,

I do a lot of malware research and have recently begun to think that it is best to use something like Helix for system diagnosis over the internal tools such as cmd.exe, services, and Task Manager. My question is, the Sysinternals tools such as procmon, filemon, autoruns etc., where do these tools pull their information from? Meaning if there is a rootkit or trojan on the system that has replaced the internal components that list the ports for cmd, wouldn't the tools such as tcpview be affected as well, or if Task Manager is trojaned to hide processes, isn't that also going to affect procmon etc. etc…..

Thanks for your help in advance.

Mark


   
Quote
(@tgoldsmith)
Eminent Member
Joined: 19 years ago
Posts: 35
 

it is best to use something like Helix for system diagnosis over the internal tools such as cmd.exe, services, and Task Manager.

Yes, absolutely.

My question is, the Sysinternals tools such as procmon, filemon, autoruns etc., where do these tools pull their information from?

They temporarily load a driver into the kernel and do all their work from there, either accessing OS data structures directly or issuing "undocumented" OS function calls.

Meaning if there is a rootkit or trojan on the system that has replaced the internal components that list the ports for cmd, wouldn't the tools such as tcpview be affected as well, or if Task Manager is trojaned to hide processes, isn't that also going to affect procmon etc. etc…..

Placing trojaned copies of the binaries on the disk won't affect the Sysinternals tools because they don't use the system apps at all. In fact, they should see all usermode rootkit activity. Kernel rootkits could be a different matter; you might see evidence, or you might not. Some rootkits will detect the Sysinternals tools being loaded and change their behaviour accordingly (like unhiding things so Rootkit Revealer can't detect them, or actively attacking the loaded drivers).

You can get around this by having kernel mode rootkit detectors that read and interpret the contents of physical memory themselves to detect anomalies, without relying on the OS in any way. Of course, then you need to watch out for malware that compromises access to physical memory.
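The approach described in this reply (an independent, low-level enumeration compared against what the documented user-mode API reports) is usually called cross-view detection. The example below is added here and is not code from the thread or from any Sysinternals tool; both process lists are constructed sample data standing in for a Task Manager style API enumeration and a driver or memory-image walk of the kernel's process structures. The comparison keys on (PID, creation time) so that ordinary PID reuse between the two snapshots is not reported as a discrepancy.

```python
"""Cross-view process comparison (constructed example, not from the thread).

api_view : what a documented user-mode API reports (the view a user-mode
           rootkit can filter by hooking or DLL injection)
raw_view : what a kernel driver or a physical-memory walk reports

Any entry the raw walk sees that the API does not is a hiding candidate;
an entry the API reports that the raw walk cannot find is a "phantom";
the same process reported under two different image names is a mismatch.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEntry:
    pid: int
    image: str
    create_time: int  # constructed timestamp; disambiguates PID reuse


def cross_view_diff(api_view, raw_view):
    """Return hidden, phantom and mismatched entries between the two views."""
    api = {(p.pid, p.create_time): p for p in api_view}
    raw = {(p.pid, p.create_time): p for p in raw_view}

    hidden = sorted((raw[k] for k in raw.keys() - api.keys()), key=lambda p: p.pid)
    phantom = sorted((api[k] for k in api.keys() - raw.keys()), key=lambda p: p.pid)
    mismatched = [
        (api[k], raw[k])
        for k in sorted(api.keys() & raw.keys())
        if api[k].image.lower() != raw[k].image.lower()
    ]
    return {"hidden": hidden, "phantom": phantom, "mismatched": mismatched}


def report(diff):
    """Render the comparison as one line per finding (empty list means the views agree)."""
    lines = []
    for p in diff["hidden"]:
        lines.append(f"HIDDEN   pid={p.pid} image={p.image} (seen only by raw walk)")
    for p in diff["phantom"]:
        lines.append(f"PHANTOM  pid={p.pid} image={p.image} (reported by API only)")
    for a, r in diff["mismatched"]:
        lines.append(f"MISMATCH pid={a.pid} api={a.image} raw={r.image}")
    return lines


# Constructed sample snapshots: PIDs, names and timestamps are made up.
API_VIEW = [
    ProcEntry(4, "System", 1000),
    ProcEntry(620, "lsass.exe", 1010),
    ProcEntry(2210, "explorer.exe", 1200),
    ProcEntry(3300, "notepad.exe", 1500),
]
RAW_VIEW = [
    ProcEntry(4, "System", 1000),
    ProcEntry(620, "lsass.exe", 1010),
    ProcEntry(2210, "explorer.exe ", 1200),   # trailing space: API and raw agree
    ProcEntry(3300, "notepad.exe", 1500),
    ProcEntry(4120, "svchost.exe", 1600),     # absent from the API view: hidden
]
# A second constructed pair where the same process carries two different names.
API_VIEW_RENAMED = API_VIEW[:2] + [ProcEntry(2210, "explorer.exe", 1200)]
RAW_VIEW_RENAMED = RAW_VIEW[:2] + [ProcEntry(2210, "updater.exe", 1200)]


if __name__ == "__main__":
    for line in report(cross_view_diff(API_VIEW, RAW_VIEW)):
        print(line)
```

A real detector obtains `raw_view` from a driver, a memory image or a physical-memory reader, as the reply describes; the comparison logic itself is the same. Note the caveat from the reply still applies: if the rootkit controls the memory access path, the "raw" view can be tampered with as well.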


   
ReplyQuote
keydet89
(@keydet89)
Famed Member
Joined: 21 years ago
Posts: 3568
 

I do a lot of malware research and have recently begun to think that it is best to use something like Helix for system diagnosis over the internal tools such as cmd.exe, services, and Task Manager.

Sure, but just remember…EXEs on Windows make use of DLLs on the system.

My question is, the Sysinternals tools such as procmon, filemon, autoruns etc., where do these tools pull their information from?

Process Monitor collects information using documented APIs, similar to what Task Manager and other tools that query the system for process-related information use.

FileMon "listens" for various file-related events on the system. While the API may be 'undocumented', it is also implemented via WMI.

AutoRuns uses documented APIs to access the Registry.

Meaning if there is a rootkit or trojan on the system that has replaced the internal components that list the ports for cmd, wouldn't the tools such as tcpview be affected as well, or if Task Manager is trojaned to hide processes, isn't that also going to affect procmon etc. etc…..

Many user-mode rootkits use DLL injection, and were relatively easy to detect using various means, some of which I discussed in my first book. Kernel-mode rootkits are a bit more insidious, but also harder to write and get working properly…I know some guys at MS that work with external customers, and the majority of times they find kernel-mode rootkits, it is because someone is having continual BSoDs.
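One of the "various means" for spotting the user-mode, DLL-injection style of rootkit this reply mentions is to check whether an injected library has overwritten the first bytes of API functions in the process with a jump to its own code. The example below is added here and is not code from the thread or from the book it mentions; the function prologues are constructed byte strings modelled on the shape of x64 ntdll system-call stubs, and a real implementation would read the live prologue out of process memory and the reference copy from the DLL on disk (applying relocations) instead of using the embedded samples.

```python
"""Inline-hook check on API prologues (constructed example, not from the thread).

Two complementary checks:
  1. classify_prologue(): does the first instruction look like a redirect
     (jmp rel32, jmp [mem], push/ret, mov rax/jmp rax)?
  2. audit_prologues(): does the in-memory prologue differ from the on-disk
     image of the same function?  This is the stronger signal; a redirect that
     is also present on disk may be a legitimate stub and only needs review.
"""
import struct


def classify_prologue(code: bytes):
    """Return a description if the bytes start with a control-flow redirect, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return f"jmp rel32 (displacement {rel:+#x})"
    if len(code) >= 6 and code[:2] == b"\xff\x25":              # jmp [rip+disp32]
        return "jmp via memory operand"
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        target = struct.unpack_from("<I", code, 1)[0]
        return f"push/ret to {target:#x}"
    if len(code) >= 12 and code[:2] == b"\x48\xb8" and code[10:12] == b"\xff\xe0":
        target = struct.unpack_from("<Q", code, 2)[0]           # mov rax, imm64; jmp rax
        return f"mov rax/jmp rax to {target:#x}"
    return None


def audit_prologues(disk_view: dict, memory_view: dict) -> dict:
    """Compare each in-memory prologue with its on-disk reference; return findings by name."""
    findings = {}
    for name, mem in memory_view.items():
        disk = disk_view.get(name)
        redirect = classify_prologue(mem)
        if disk is None:
            findings[name] = "no on-disk reference available"
        elif mem != disk[: len(mem)]:
            note = f"; looks like {redirect}" if redirect else ""
            findings[name] = "in-memory prologue differs from on-disk image" + note
        elif redirect:
            findings[name] = f"redirect also present on disk ({redirect}); review as possible legitimate stub"
    return findings


# Constructed reference bytes: mov r10, rcx ; mov eax, <syscall number> ; test ...
DISK_PROLOGUES = {
    "NtQuerySystemInformation": bytes.fromhex("4c8bd1b836000000f604250803fe7f01"),
    "NtOpenProcess":            bytes.fromhex("4c8bd1b826000000f604250803fe7f01"),
    "NtQueryDirectoryFile":     bytes.fromhex("4c8bd1b823000000f604250803fe7f01"),
}
# Constructed in-memory bytes: two functions have been overwritten with redirects.
MEMORY_PROLOGUES = {
    "NtQuerySystemInformation": bytes.fromhex("e9fb1f0000f604250803fe7f01"),  # jmp rel32
    "NtOpenProcess":            DISK_PROLOGUES["NtOpenProcess"],              # untouched
    "NtQueryDirectoryFile":     bytes.fromhex("6800104000c3"),                # push/ret
}


if __name__ == "__main__":
    for name, why in audit_prologues(DISK_PROLOGUES, MEMORY_PROLOGUES).items():
        print(f"{name}: {why}")
```

Hooks on process and directory enumeration functions are exactly what lets a user-mode rootkit filter what Task Manager and similar API-based tools display; a tool that walks kernel structures from its own driver, as the earlier reply describes, is not routed through these prologues at all.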

H


   
ReplyQuote
Share: