Diagnosing Malware with Resource Monitor
Windows' Resource Monitor is a hidden gem within the OS that can be very useful to an incident responder in a crunch. It isn't as comprehensive as Sysinternals Process Monitor, but it is built into Windows, so you can use it on a computer with no internet connection. It lacks the depth of WMIC, but it does have a very nice GUI (if you are into that sort of thing). In short, Resource Monitor is a worthy addition to the incident responder's toolkit. Resource Monitor isn't a separate program; rather, it is an operational mode of Performance Monitor (Perfmon.exe). If you start Performance Monitor with the "/res" option you will see the Resource Monitor interface. Click Start->Run, type "Perfmon.exe /res" and press Enter. Here is what it looks like.
It has a series of tabs across the top (Number 1) for Overview, CPU, Memory, Disk and Network. Each tab is broken down into sections that can be expanded or collapsed by clicking the arrow on each section's header (Number 2). The top section on each tab lets you check a box next to a process name, which applies a filter to the other sections of the tab. So by checking the box next to "Firefox.exe" you will only see the disk, memory and network resources associated with the Firefox process. The Disk section shows you the files the process has open. The Network section shows you the fully qualified DNS name for each of the TCP and UDP connections in use by that process. The Memory section gives you a quick look at how much memory the process is using. That's about it for the Overview tab. If that didn't tell you everything you wanted, you can refer to the CPU, Memory, Disk and Network tabs for more information. Let's take a look at the CPU tab.
The CPU tab has some nice features. By selecting a process you can see all of the OS handles in use by that process (Number 4). It even has a search feature that allows you to search all of the open handles. The Modules section (Number 5) shows you all of the DLLs that are loaded in the process.
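The per-process view described above, as an added example in PowerShell (not code from the diary): it collects the same facts Resource Monitor shows for one process, namely working set, loaded modules, and TCP/UDP endpoints with reverse-DNS names, using only built-in cmdlets, so the result can be saved as evidence instead of read off a screen. Get-ProcessFootprint and the $ProcessName parameter are names chosen here; the script assumes Windows 8 / Server 2012 or later (where Get-NetTCPConnection, Get-NetUDPEndpoint and Resolve-DnsName ship) and an elevated 64-bit PowerShell prompt so that modules of processes in other sessions can be read.

```powershell
# Added example, not part of the original diary. Collects, for one process name,
# what Resource Monitor's Memory, Modules and Network sections show.
# Assumes Windows 8 / Server 2012 or later (NetTCPIP and DnsClient modules).
param(
    [Parameter(Mandatory = $true)]
    [string]$ProcessName          # e.g. 'firefox' (no .exe), as Get-Process expects
)

function Get-ProcessFootprint {
    param([string]$Name)

    $procs = Get-Process -Name $Name -ErrorAction Stop
    foreach ($p in $procs) {
        # Memory section: working set and private bytes for this PID
        $mem = [pscustomobject]@{
            Pid          = $p.Id
            WorkingSetMB = [math]::Round($p.WorkingSet64 / 1MB, 1)
            PrivateMB    = [math]::Round($p.PrivateMemorySize64 / 1MB, 1)
        }

        # Modules section: every DLL mapped into the process, with its on-disk path.
        # Reading .Modules of a 64-bit process needs a 64-bit (and usually elevated) shell.
        $modules = $p.Modules |
            Select-Object ModuleName, FileName, @{ n = 'Size'; e = { $_.ModuleMemorySize } }

        # Network section: TCP connections and UDP endpoints owned by this PID.
        # SilentlyContinue because the cmdlets error out when the PID owns none.
        $tcp = Get-NetTCPConnection -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
        $udp = Get-NetUDPEndpoint -OwningProcess $p.Id -ErrorAction SilentlyContinue |
            Select-Object LocalAddress, LocalPort

        # Resource Monitor resolves remote addresses to names; do the same with a PTR
        # lookup, skipping unspecified/loopback addresses and tolerating failures.
        $tcp = $tcp | ForEach-Object {
            $name = $null
            if ($_.RemoteAddress -notin @('0.0.0.0', '::', '127.0.0.1', '::1')) {
                try {
                    $name = (Resolve-DnsName -Name $_.RemoteAddress -Type PTR -ErrorAction Stop).NameHost
                } catch { }
            }
            $_ | Add-Member -NotePropertyName RemoteName -NotePropertyValue $name -PassThru
        }

        [pscustomobject]@{
            Process = $p.ProcessName
            Memory  = $mem
            Modules = $modules
            Tcp     = $tcp
            Udp     = $udp
        }
    }
}

# Print one report per matching PID; pipe to Export-Clixml instead to preserve it.
Get-ProcessFootprint -Name $ProcessName | ForEach-Object {
    "=== $($_.Process) PID $($_.Memory.Pid) ==="
    $_.Memory  | Format-List
    $_.Tcp     | Format-Table -AutoSize
    $_.Udp     | Format-Table -AutoSize
    $_.Modules | Format-Table -AutoSize
}
```

Two caveats a responder should keep in mind: the reverse lookups send DNS queries, just as Resource Monitor's Network section does, so on an isolated box they will simply fail and the RemoteName column stays empty; and there is no built-in cmdlet equivalent of the Handles section, so for open handles you still need the GUI or Sysinternals handle.exe.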
I'll leave the remaining tabs for you to explore on your own. I think you will find that, in a pinch, Resource Monitor is a good way for a first responder to get a first look at what is happening on a computer.
Performance Monitor uses performance counters and Event Tracing for Windows (ETW) to capture data from various sources. The "/res" option is one of Performance Monitor's ways of displaying that information to you. If you are curious what other modes Performance Monitor has, give "perfmon.exe /report" a try. If you want to see how a penetration tester might use event tracing, check out this article.
Join me for SANS 504 Hacker Techniques, Exploits and Incident Response in San Antonio, Texas, November 27th - December 2nd 2012!
Mark Baggett
On Twitter @markbaggett
A Heap of Overflows?
The heap is a region of memory from which applications dynamically allocate and free blocks. A heap overflow occurs when an application can overwrite the heap manager's header at the beginning of an adjacent block of heap memory and that block is later freed. The header contains a doubly linked list entry with pointers to the previous and next free blocks. When the block is freed, an "unlink" function uses those two overwritten pointers to find the previous and next blocks and rewrites their pointers so that they point to one another and no longer to the block being freed. To "safely unlink" a block, the heap manager should first verify that the previous and next blocks' pointers point back at the block being unlinked. Without this check, an attacker who controls both pointers can write a value of their choosing to a memory location of their choosing, and in most cases that is enough to gain control of the program's execution.
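The unlink primitive described above, as an added example in C (not code from the diary, and not the Windows heap manager's code): a minimal model of a free-list header with the unchecked unlink beside the checked one. forge_metadata plays the role of the overflow, setting fd so that the first write lands on a global pointer (g_slot, standing in for a handler or vtable slot) and bk to the value that should land there (a payload buffer). The unchecked version performs the write-what-where; the safe version refuses because the neighbours do not point back at the block. All names are chosen here and the payload contents are constructed filler.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Free-list header used by classic allocators: a node in a doubly linked list. */
typedef struct chunk {
    size_t size;
    struct chunk *fd;   /* forward pointer: next free chunk */
    struct chunk *bk;   /* backward pointer: previous free chunk */
} chunk;

/* Unchecked unlink: both pointers are trusted, so each line is one arbitrary write. */
static void unsafe_unlink(chunk *p)
{
    chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;    /* stores bk at (fd + offsetof(chunk, bk)) */
    bk->fd = fd;    /* stores fd at (bk + offsetof(chunk, fd)) */
}

/* Safe unlink: the neighbours must still point back at p, otherwise the metadata
   has been tampered with and nothing is written (real allocators then abort). */
static bool safe_unlink(chunk *p)
{
    chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return false;
    fd->bk = bk;
    bk->fd = fd;
    return true;
}

/* Process-global pointer the attacker wants to redirect (think handler/vtable slot). */
static chunk *g_slot = NULL;

/* Writable attacker payload area (shellcode, fake object, ...). The union keeps the
   access type-correct when the second unlink write lands inside it. */
static union {
    unsigned char bytes[64];
    chunk as_chunk;
} g_payload;

/* The fd/bk values an overflow of the preceding block would leave behind. */
static void forge_metadata(chunk *victim)
{
    memset(g_payload.bytes, 0x41, sizeof g_payload.bytes);   /* constructed filler */
    /* "where": choose fd so that &fd->bk is exactly &g_slot */
    victim->fd = (chunk *)((char *)&g_slot - offsetof(chunk, bk));
    /* "what": bk is the value that will be stored in g_slot */
    victim->bk = &g_payload.as_chunk;
}

/* Returns what g_slot holds after an unchecked unlink of forged metadata. */
static chunk *demo_unsafe(void)
{
    chunk victim = { .size = 32 };
    g_slot = NULL;
    forge_metadata(&victim);
    unsafe_unlink(&victim);
    return g_slot;
}

/* Side effect of the second write: the payload is clobbered at offsetof(chunk, fd),
   which is why real shellcode begins with a jump over those bytes. */
static bool payload_clobbered(void)
{
    return g_payload.bytes[0] == 0x41 &&
           g_payload.as_chunk.fd == (chunk *)((char *)&g_slot - offsetof(chunk, bk));
}

/* Same forged metadata against the checked version: refused, g_slot untouched. */
static bool demo_safe(void)
{
    chunk victim = { .size = 32 };
    g_slot = NULL;
    forge_metadata(&victim);
    return safe_unlink(&victim);
}

/* Sanity check: safe_unlink still works on an honest circular list a <-> b <-> c. */
static bool demo_legit(void)
{
    chunk a = { .size = 32 }, b = { .size = 32 }, c = { .size = 32 };
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b; c.fd = &a; a.bk = &c;
    return safe_unlink(&b) && a.fd == &c && c.bk == &a;
}

int main(void)
{
    printf("unsafe unlink: g_slot -> %p (payload at %p), payload clobbered: %d\n",
           (void *)demo_unsafe(), (void *)&g_payload, payload_clobbered());
    printf("safe unlink accepted forged metadata: %d (g_slot now %p)\n",
           demo_safe(), (void *)g_slot);
    printf("safe unlink on a legitimate list: %d\n", demo_legit());
    return 0;
}
```

The model deliberately leaves out everything else a real heap does (size fields, coalescing, look-aside lists, and on modern Windows, header encoding and randomisation), so it shows only the one property the diary is about: whether the two pointer writes happen before or after the back-pointer check.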
Ben Hawkes did some analysis of the unlink functions inside the DLLs that are in Windows 8 and found that most of the core libraries in Windows are in fact verifying those pointers and safely unlinking the blocks. That is good news! The bad news is he found many instances of DLLs that are not using those core libraries and not safely unlinking memory.
What does this mean? I don't know. But the research is pretty cool. Mr Hawkes provided a list of DLLs that are not using safe unlinking. They may or may not be exploitable. That is yet to be seen. It is worth a read. http://www.inertiawar.com/win8_unlink/