Sysinternals Forum > Sysinternals Utilities > Process Monitor

ProcMon: Helping with analyze malware

bobovy (Newbie, Joined: 07 February 2017, Points: 3)
Posted: 07 February 2017 at 1:05pm
Hello all,

I wonder if there is any way to use Process Monitor to automatically analyze malware?

I want to create a script which will run a virtual machine (in the same way as the Cuckoo sandbox, but I do not use Cuckoo) and will run Process Monitor on Windows in silent mode.

1. With which parameters should I run Process Monitor?
2. Also, what exactly should I be logging? Everything at the default settings, or should I apply some filters?
3. And what kind of filter should I apply to discard unnecessary logs?
4. Is there any way to use Process Monitor to open the malware.EXE file and check all the changes that will be made in the Windows system?

hzqst007 (Newbie, Joined: 18 February 2017, Points: 1)
Posted: 18 February 2017 at 2:29am
Most malware (e.g. software protected by Themida, Safengine or VMProtect) will check if any ARK tools (like Procmon) are present on the system. If there is one, the malware will not work "properly" and will immediately quit.
You need to code your own monitor software and customize your virtual machine to avoid being detected by malware.

bobovy (Newbie, Joined: 07 February 2017, Points: 3)
Posted: 18 February 2017 at 9:20am
Originally posted by hzqst007:

    Most malware (e.g. software protected by Themida, Safengine or VMProtect) will check if any ARK tools (like Procmon) are present on the system. If there is one, the malware will not work "properly" and will immediately quit.
    You need to code your own monitor software and customize your virtual machine to avoid being detected by malware.

Oh yes, but we could change the name of the Process Monitor process, am I right? Furthermore, we can "harden" Windows against VM detection by malware, for example with the pafish project: https://github.com/a0rtega/pafish/blob/master/README.md

Also, I understood that in some cases, during malware runs, we couldn't prevent VM detection. This method, as I think, should be much better than Windows without any "anti-VM-detect" implementation.

I found these filters to download: https://zeltser.com/process-monitor-filters-for-malware-analysis/ Could they be enough?
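The first post asks which switches run Process Monitor unattended, and the last asks whether a downloaded filter set is enough. As an added example that is not from this thread, the PowerShell script below drives Procmon's documented command-line switches to capture a sample's activity inside an analysis VM and then exports a filtered CSV for review; the Procmon path, sample path, log paths and the name of the saved filter file are assumptions.

```powershell
# Added example, not from the thread. Assumed locations: Procmon64.exe in C:\Tools,
# the sample under analysis in C:\Sample, logs in C:\Logs, and an optional filter
# configuration (.pmc, exported from the Procmon GUI) in C:\Tools.
$Procmon = 'C:\Tools\Procmon64.exe'          # assumption
$Sample  = 'C:\Sample\malware.exe'           # assumption: file under analysis
$Backing = 'C:\Logs\capture.pml'             # native Procmon log
$Csv     = 'C:\Logs\capture.csv'             # filtered export
$Filter  = 'C:\Tools\malware-filters.pmc'    # assumption: saved filter set

New-Item -ItemType Directory -Force -Path (Split-Path $Backing) | Out-Null

# 1. Start the capture with no GUI and no prompts. /Quiet suppresses the filter
#    dialog, /Minimized keeps the window out of the way, /BackingFile writes to
#    disk instead of the page file. Procmon keeps running until told to stop.
Start-Process -FilePath $Procmon -ArgumentList @(
    '/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Backing`"")
Start-Sleep -Seconds 5   # let the driver load before the sample starts

# 2. Run the sample and observe it for a fixed window (or until it exits).
$proc = Start-Process -FilePath $Sample -PassThru
$proc | Wait-Process -Timeout 120 -ErrorAction SilentlyContinue

# 3. Stop the capture. /Terminate signals the running instance to flush and exit.
Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/Terminate') -Wait

# 4. Convert the PML to CSV. If a saved filter configuration exists, load it and
#    apply it during conversion so only the events it keeps reach the CSV.
$exportArgs = @('/AcceptEula', '/OpenLog', "`"$Backing`"", '/SaveAs', "`"$Csv`"")
if (Test-Path $Filter) {
    $exportArgs += @('/LoadConfig', "`"$Filter`"", '/SaveApplyFilter')
}
Start-Process -FilePath $Procmon -ArgumentList $exportArgs -Wait

# 5. Minimal triage pass: file writes, registry writes and child processes
#    attributed to the sample's own process name.
$sampleName = Split-Path $Sample -Leaf
Import-Csv $Csv |
    Where-Object {
        $_.'Process Name' -eq $sampleName -and
        $_.Operation -in @('CreateFile', 'WriteFile', 'RegSetValue', 'Process Create')
    } |
    Select-Object 'Time of Day', Operation, Path, Result |
    Format-Table -AutoSize
```

The exported CSV keeps the columns Procmon shows in the GUI, so the same Where-Object filter can be tightened or loosened per sample without re-running the capture.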