Full Disclosure mailing list archives

Re: Looking for a tool


From: Harlan Carvey <keydet89 () yahoo com>
Date: Tue, 2 Mar 2004 10:36:36 -0800 (PST)

Paul, 

> I ran into a situation today where neither Foundstone's Process Explorer
> nor Sysinternals' "pslist" would list the master process that was
> controlling some processes that I was trying to kill.  Does anyone on
> the list know of a better utility that will list *all* running
> processes on a Windows box?

First off, I don't think FoundStone has a "Process
Explorer" utility.  If they do, can you provide a
link?

To answer your question, you may need to try multiple
tools.  For example, get tlist.exe from the MS
Debugger Tools (i.e., NOT the RK).  Run tlist.exe and
pslist.exe, and see if there are any disparities. 
Also, get openports.exe from DiamondCS, and see if the
process has a port open...you may see the PID w/
openports, but not w/ the other process enumeration
tools.  

I was recently working w/ the AFX Rootkit 2003 and
found that while tlist.exe doesn't see the "hidden"
process (Task Manager won't open on Win2K, and doesn't
show the process on Win2K3), pslist did.  And if the
"hidden" process bound itself to a port, then
openports would find it, too.

If the issue is w/ DLL injection, here's what I
suggest...run listdlls on a clean machine w/ the same
operating system running as the "infected" system. 
Then run it on the infected system, and see if there
are any disparities.  Tough to do by hand, I know, but
I use Perl to automate a lot of that for me.

Hope that helps...

Harlan
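The cross-view check Harlan describes (diff two tools' process lists, and diff listdlls output from a clean host against the suspect host), as an added example in Python rather than his Perl; it is not code from the post. The pslist/tlist/listdlls samples are constructed and simplified to the columns used here; real tool output has more columns and header text.

```python
import re

# Constructed pslist-style sample: process name first, then PID.
PSLIST_SAMPLE = """\
Name                Pid Pri Thd  Hnd   Priv
Idle                   0   0   1    0      0
System                 8   8  38  215     24
winlogon             180  13  17  409   2340
svchost              436   8   9  254   1372
unknown              772   8   2   40    212
"""

# Constructed tlist-style sample: PID first, then image name. PID 772 is absent here.
TLIST_SAMPLE = """\
   0 System Process
   8 System
 180 winlogon.exe
 436 svchost.exe
"""

def parse_pslist(text):
    """Return {pid: name} from pslist-style output; skips the header line."""
    return {int(m.group(2)): m.group(1)
            for line in text.splitlines()[1:]
            if (m := re.match(r"^(\S+)\s+(\d+)", line))}

def parse_tlist(text):
    """Return {pid: name} from tlist-style output; PID is the first field."""
    return {int(m.group(1)): m.group(2)
            for line in text.splitlines()
            if (m := re.match(r"^\s*(\d+)\s+(.+?)\s*$", line))}

def process_disparities(view_a, view_b):
    """PIDs seen by only one tool: what one enumeration path hides, another may show."""
    only_a = {pid: view_a[pid] for pid in view_a.keys() - view_b.keys()}
    only_b = {pid: view_b[pid] for pid in view_b.keys() - view_a.keys()}
    return only_a, only_b

# Constructed listdlls-style baselines: process -> loaded DLLs, clean host vs suspect host.
CLEAN_DLLS = {"winlogon.exe": ["ntdll.dll", "kernel32.dll", "msgina.dll"],
              "svchost.exe": ["ntdll.dll", "kernel32.dll", "advapi32.dll"]}
SUSPECT_DLLS = {"winlogon.exe": ["ntdll.dll", "kernel32.dll", "msgina.dll", "injected.dll"],
                "svchost.exe": ["ntdll.dll", "kernel32.dll", "advapi32.dll"]}

def dll_disparities(clean, suspect):
    """Per process, DLLs loaded on the suspect host that the clean baseline never loads."""
    extra = {proc: sorted(set(dlls) - set(clean.get(proc, []))) for proc, dlls in suspect.items()}
    return {proc: dlls for proc, dlls in extra.items() if dlls}
```

Feed each function the saved output of the real tools instead of the constructed samples; a PID or DLL that appears in only one view is the lead to chase, not proof by itself.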



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html