You are browsing the archive for Random ideas.

Quick & Dirty Sysmon Replacement aka Process Hacker logging

March 14, 2020 in Malware Analysis, Prevention, Random ideas, Reversing, Sandboxing

Sysmon is great, no doubt. However… very often an overkill.

Yes, you’ve read this right. I say: who cares about registry writes, process access, driver or module loads, etc. ? What if we just want to log running processes?

Process Hacker comes to our rescue.

The recent versions of this tool include a very handy logging capability that is available not only from a GUI level (CTRL+L keyboard shortcut), but also helps to write stuff that is ‘happening’ directly to a log file – yes, as it happens.

I find it very useful as it helps to monitor unusual activity of the system w/o engaging the full-blown capabilities of Sysmon (performance!). And yes, I do know how weird it sounds… Sysmon cures everything…

How do we set our Process Hacker instance to deliver all this goodness?

We first run Process Hacker with our Admin creds. Then we open Hacker \ Options menu item:

Then choose one of the ‘Notification’ options and either leave it as it is (log everything) or we write down our own rules that can either include or exclude certain paths….

In the below example we include all the process names:

and then we exclude notepad*.exe:

We can include/exclude both processes and services. This is awesome. It’s simple, it’s working.

And if you are curious where the information about these is stored, look for a `ProcessHacker.exe.settings.xml`file that lists the following:

  <setting name="ProcessHacker.ExtendedNotifications.LogFileName">LOGFILEPATH</setting>
  <setting name="ProcessHacker.ExtendedNotifications.ProcessList">PROCESSLIST</setting>
  <setting name="ProcessHacker.ExtendedNotifications.ServiceList">SERVICELIST</setting>

where PROCESSLIST/SERVICELIST has a form of:

  • \e<pattern for exclusion
  • \i<pattern for exclusion

That’s it really… Nothing ground breaking, but a very handy tool for quick & dirty investigations. I find it most useful to detect ‘funny’ Windows 10 services that start ‘out of nowhere’. I then… usually kill them. One by one, you may eventually kill’em all…

Oh yeah.. it may help with malware analysis too 😉 but somehow.. the analysis techniques and priorities changed a lot over last few years…

Going BAT…mode crazy

March 12, 2020 in Anti-*, Anti-Forensics, Batch Analysis, File Formats ZOO, Random ideas

What will the following bat file print? Foo, or Bar?

@echo off

 mode con cp select=65000 > nul
 set jump=+ACQ-
 mode con cp select=437 > nul
 goto %jump%

:+ACQ-
 echo Foo
 goto :eof

:$
 echo Bar
 goto :eof

Here’s the answer:

Batch files can be saved as text files using different encodings, including UTF7, and UTF8 as well as MBCS/DBCS characters sets.

One can therefore enforce encoding and change it not only outside of a batch file, but also on the fly, as is the case in the example above. As a result, the part of the code that executes after first ‘mode’ is encoded in UTF7 (‘+ACQ-‘ is an encoded ‘$’ sign), and the second is OEM-US English.

The below example replaces UTF7 in the above example with Traditional Chinese:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

If you look at this code using 950 character set (big5) you will see this:

@echo off

 mode con cp select=950 > nul
 set jump=你好
 mode con cp select=65001 > nul
 goto %jump%

:你好
 echo Foo
 goto :eof

:雿末
 echo Bar
 goto :eof

and if you choose to preview as UTF8:

@echo off

 mode con cp select=950 > nul
 set jump=§A¦n
 mode con cp select=65001 > nul
 goto %jump%

:§A¦n
 echo Foo
 goto :eof

:你好
 echo Bar
 goto :eof

Misleading, isn’t it?

When you run this version of script you will see an error from the interpreter – this is a result of it interpreting superfluous UTF8 prefixes that seem to be appearing out of nowhere within the interpreter. Perhaps further study of cmd.exe internals can help to eliminate this quirk. Still, the jump goes to the proper label & errors can be always hidden with standard error redirection: