
Quick & Dirty Sysmon Replacement aka Process Hacker logging

March 14, 2020 in Malware Analysis, Prevention, Random ideas, Reversing, Sandboxing

Sysmon is great, no doubt. However… very often an overkill.

Yes, you’ve read this right. I say: who cares about registry writes, process access, driver or module loads, etc.? What if we just want to log running processes?

Process Hacker comes to our rescue.

The recent versions of this tool include a very handy logging capability that is available not only at the GUI level (CTRL+L keyboard shortcut), but can also write what is ‘happening’ directly to a log file – yes, as it happens.

I find it very useful as it helps to monitor unusual activity of the system w/o engaging the full-blown capabilities of Sysmon (performance!). And yes, I do know how weird it sounds… Sysmon cures everything…

How do we set our Process Hacker instance to deliver all this goodness?

We first run Process Hacker with our Admin creds. Then we open Hacker \ Options menu item:

Then we choose one of the ‘Notification’ options and either leave it as it is (log everything) or write our own rules that include or exclude certain paths.

In the below example we include all the process names:

and then we exclude notepad*.exe:

We can include/exclude both processes and services. This is awesome. It’s simple, and it works.

And if you are curious where the information about these is stored, look for a `ProcessHacker.exe.settings.xml` file that lists the following:

  <setting name="ProcessHacker.ExtendedNotifications.LogFileName">LOGFILEPATH</setting>
  <setting name="ProcessHacker.ExtendedNotifications.ProcessList">PROCESSLIST</setting>
  <setting name="ProcessHacker.ExtendedNotifications.ServiceList">SERVICELIST</setting>

where PROCESSLIST/SERVICELIST take the form of:

  • \e<pattern for exclusion>
  • \i<pattern for inclusion>
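To make the include/exclude rules above concrete, here is an added example (not code from the post or from Process Hacker) that parses rules written in the `\i<pattern>` / `\e<pattern>` form and applies them to a constructed list of process names, so you can check what a rule set would actually log before relying on it. The evaluation order (a name is logged when some include rule matches and no exclude rule does), the wildcard syntax and the case-insensitive matching are assumptions of this example, not facts taken from the plugin.

```python
import fnmatch
import re
from typing import List, Tuple

# Rule syntax from the post: "\e<pattern>" excludes, "\i<pattern>" includes.
# Assumptions (not taken from the page): one rule per string, '*' and '?'
# wildcards, and case-insensitive matching as Windows file names are.
RULE_RE = re.compile(r"^\\([ie])(.+)$")


def parse_rules(raw_rules: List[str]) -> List[Tuple[bool, str]]:
    """Turn ['\\i*', '\\enotepad*.exe'] into [(True, '*'), (False, 'notepad*.exe')]."""
    rules = []
    for raw in raw_rules:
        m = RULE_RE.match(raw)
        if not m:
            raise ValueError(f"malformed rule: {raw!r}")
        rules.append((m.group(1) == "i", m.group(2).lower()))
    return rules


def is_logged(name: str, rules: List[Tuple[bool, str]]) -> bool:
    """Assumed semantics: logged when an include rule matches and no exclude
    rule matches. Process Hacker's own plugin may evaluate rules differently."""
    name = name.lower()
    included = any(inc and fnmatch.fnmatchcase(name, pat) for inc, pat in rules)
    excluded = any((not inc) and fnmatch.fnmatchcase(name, pat) for inc, pat in rules)
    return included and not excluded


def filter_log(names: List[str], raw_rules: List[str]) -> List[str]:
    """Return the subset of process names the rule set would write to the log."""
    rules = parse_rules(raw_rules)
    return [n for n in names if is_logged(n, rules)]


if __name__ == "__main__":
    # Constructed sample: the post's rule set (include everything, then exclude
    # notepad*.exe) applied to a few constructed process names.
    sample = ["notepad.exe", "Notepad++.exe", "svchost.exe", "powershell.exe"]
    print(filter_log(sample, ["\\i*", "\\enotepad*.exe"]))
    # → ['svchost.exe', 'powershell.exe']
```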

That’s it really… Nothing groundbreaking, but a very handy tool for quick & dirty investigations. I find it most useful to detect ‘funny’ Windows 10 services that start ‘out of nowhere’. I then… usually kill them. One by one, you may eventually kill’em all…

Oh yeah… it may help with malware analysis too 😉 but somehow… the analysis techniques and priorities have changed a lot over the last few years…

The Cost of Developing Capabilities

December 22, 2019 in Malware Analysis

How much does it cost to develop la capacité?

I took a stab at it, because there is an opinion out there suggesting that delayed, limited, or otherwise responsible disclosure of certain ‘open source’ security tools will affect the attackers by costing them time and money to develop their own.

I argue that this cost is low. Low enough to make it negligible. I base my assumption on a purely technical assessment of the code development task. Let me clarify it a bit: I am assuming that the aim is to replace a tool only, while the existing operators and the processes they follow are already established. From this point of view, I believe my technical approach is not far-fetched.

The time to develop capabilities is hard to assess. There are coders who are magicians of assembly and produce very high quality code, with novel ideas, tricks and solutions, and do it quickly. And then there are those who use RAD tools to develop quickly, and w/o much flair, but may actually cut time a lot. The end result is often similar though: the capability exists and can deliver the desired results.

In order to make it easier, I split the assumed coding task into a couple of categories:

  • atomic operations (you need them to build everything else e.g. create a file with content)
  • utilities (you need these as building blocks to code more complex features e.g. save screenshot)
  • rich features (quite complex coding tasks that require more time to code and test, and often research e.g. VNC client)
  • very complex stuff (some evasions, but primarily vulnerability research that helps to develop 0days)

Additionally, I introduced an extra time (and cost) ‘penalty’ for writing in assembly and position-independent code (PIC). As many argue, and I agree with them, such extra time is usually negligible and in some cases non-existent, but I aim to present the worst-case cost scenario.

Another assumption I make is that the coder has 3-5 years of experience: they know how to program, but may need to research new topics and learn by trial and error. Last, but not least, it is very Windows-centric.

I didn’t list all the features, and I bet I missed some. Please send me feedback on what I missed and I will add it to the sheet.

This assessment is based on a 50 USD / hour rate. You can adjust it easily to any other hourly rate. It is important to mention that 100K USD / year is a lot of money and in many countries this number should be much smaller e.g. closer to 15-45K. As such, the final cost may be far lower.

Also, you may have a team of coders working on different parts of a project, and only code cherry-picked bits, reducing both the time and the cost of the development. Finally, imho a 16-20yo bored coder can kill it (except for the VR part) in ~3 months for no salary at all, but putting a dollar value on it helps to make it a tangible data point in any argument about the cost of capabilities.

The latest version is shown below:

You can also download a sheet and play around with it yourself.

If you have any comments, please let me know.