![\"\"](\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2020\/04\/procmon_1.png\")
<\/a><\/figure><\/div>\n\n\n\nThis is pretty cool as it helps researches to find out where the possible access to an interesting object (a key, a file, etc.) comes from -i.e. from main .exe or loaded .dll. <\/p>\n\n\n\n
The second feature is the export to XML that may include the aforementioned stack trace (tick the ‘Resolve stack symbols’ as well – it will resolve addresses to actual function names if these are available in symbols).<\/p>\n\n\n\n This will create a HUGE XML file.<\/p>\n\n\n\n And a very interesting one…<\/p>\n\n\n\n It includes sections for process list and events. The first one includes a list of processes and their properties:<\/p>\n\n\n\n And the second one lists the actual events:<\/p>\n\n\n\n followed by the stack trace – all frames one bye one:<\/p>\n\n\n\n With this data, and taking selective stack trace entries, it’s very easy to convert it to a timeline that resembles a log from an API Monitor…<\/p>\n\n\n\n A small snippet of data:<\/p>\n\n\n\n The Stack Trace covers the stack from user and kernel mode.<\/p>\n\n\n\n You may be wondering now… what happens when Procmon detects API calls from a code injected into another process?<\/p>\n\n\n\n Great question…<\/p>\n\n\n\n They stand out as hell… as Procmon is unable to resolve them:<\/p>\n\n\n\n That last address 0x16000067c?<\/p>\n\n\n\n Bingo! It’s a code injected by malware.<\/p>\n\n\n\n Now, all you have to do is to filter this data by PID, address range, etc. I am not a XML wizard so I take a shortcut and parse this data in a line-by line way using a simple state machine; still, the result is pretty… API Monitorish…<\/p>\n\n\n\n And the bonus:<\/p>\n\n\n\n You could convert these events and incorporate them as comments into IDA, extract IOCs (e.g. by filtering over ‘CreateFile’, etc.), and probably do a few more interesting things (support PE dumping of injected code?)<\/p>\n","protected":false},"excerpt":{"rendered":" A competition for the most important research tool on Windows platform is not necessary – ProcMon will always win. Why? It helps us with research, troubleshooting, and it still works after so many years, and despite so many changes introduced … Continue reading <\/a><\/figure>\n\n\n\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<procmon><processlist><process>\n<ProcessIndex>100<\/ProcessIndex>\n<ProcessId>160<\/ProcessId>\n<ParentProcessId>2880<\/ParentProcessId>\n<ParentProcessIndex>101<\/ParentProcessIndex>\n<AuthenticationId>00000000:00071cd1<\/AuthenticationId>\n<CreateTime>132308446793816226<\/CreateTime>\n<FinishTime>0<\/FinishTime>\n<IsVirtualized>0<\/IsVirtualized>\n<Is64bit>1<\/Is64bit>\n<Integrity>High<\/Integrity>\n<Owner>user<\/Owner>\n<ProcessName>Procmon64.exe<\/ProcessName>\n<ImagePath>C:\\Users\\user\\AppData\\Local\\Temp\\Procmon64.exe<\/ImagePath>\n<CommandLine>\"C:\\Users\\user\\AppData\\Local\\Temp\\Procmon64.exe\" \/originalpath \"C:\\tools\\Procmon.exe\"<\/CommandLine>\n<CompanyName>Sysinternals - www.sysinternals.com<\/CompanyName>\n<Version>3.53<\/Version>\n<Description>Process Monitor<\/Description>\n<modulelist>\n<module>\n<Timestamp>132308446979926644<\/Timestamp>\n<BaseAddress>0x2360000<\/BaseAddress>\n<Size>77824<\/Size>\n<Path>C:\\Windows\\system32\\wbem\\wbemsvc.dll<\/Path>\n<Version>10.0.14409.1005 (rs1_srvoob.161208-1155)<\/Version>\n<Company>Microsoft Corporation<\/Company>\n<Description>WMI<\/Description>\n<\/module>\n...\n<eventlist>\n<event>\n<ProcessIndex>105<\/ProcessIndex>\n<Time_of_Day>11:38:18.1001657<\/Time_of_Day>\n<Process_Name>Explorer.EXE<\/Process_Name>\n<PID>2192<\/PID>\n<Operation>CreateFile<\/Operation>\n<Path>C:\\Users\\user\\AppData\\Local\\Temp\\Procmon64.exe<\/Path>\n<Result>SUCCESS<\/Result>\n<Detail>Desired Access: Read Attributes, Disposition: Open, Options: Open Reparse Point, Attributes: n\/a, ShareMode: Read, Write, Delete, AllocationSize: n\/a, OpenResult: Opened<\/Detail>\n<stack>\n<frame>\n<depth>0<\/depth>\n<address>0xfffff8800116d067<\/address>\n<path>C:\\Windows\\system32\\drivers\\fltmgr.sys<\/path>\n<location>FltAcquirePushLockShared + 0x907<\/location>\n<\/frame>\n\u2026\n<frame>\n<depth>1<\/depth>\n<address>0xfffff8800116f9aa<\/address>\n<path>C:\\Windows\\system32\\drivers\\fltmgr.sys<\/path>\n<location>FltIsCallbackDataDirty + 0x20ba<\/location>\n<\/frame>\n\u2026\n<frame>\n<depth>39<\/depth>\n<address>0x78e7c521<\/address>\n<path>C:\\Windows\\SYSTEM32\\ntdll.dll<\/path>\n<location>RtlUserThreadStart + 0x21<\/location>\n<\/frame>\n<\/stack>\n<\/event><\/pre>\n\n\n\n
<ProcessIndex>105<\/ProcessIndex>\n<Time_of_Day>11:38:34.0276039<\/Time_of_Day>\n<Process_Name>Explorer.EXE<\/Process_Name>\n<PID>2192<\/PID>\n<Operation>RegOpenKey<\/Operation>\n<Path>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run<\/Path>\n<Result>SUCCESS<\/Result>\n<Detail>Desired Access: Write, Query Value, Enumerate Sub Keys, Delete<\/Detail>\n<stack>\n<frame>\n<depth>0<\/depth>\n<address>0xfffff80002e3e550<\/address>\n<path>C:\\Windows\\system32\\ntoskrnl.exe<\/path>\n<location>MmUnmapViewInSessionSpace + 0x7a0<\/location>\n<\/frame>\n\u2026\n<frame>\n<depth>12<\/depth>\n<address>0x16000067c<\/strong><\/address>\n<\/frame>\n<\/stack>\n<\/event><\/pre>\n\n\n\n
105 svchost.exe 0x2600475cc 9 RegQueryKey HKCU SUCCESS\n105 svchost.exe 0x2600475cc 12 RegOpenKey HKCU\\\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS\n105 svchost.exe 0x2600475cc 8 RegSetInfoKey HKCU\\\nSoftware\\Microsoft\\Windows\\CurrentVersion\\Run SUCCESS\n105 svchost.exe 0x2600471dd 13 RegCloseKey HKCU SUCCESS\n105 svchost.exe 0x2600471dd 14 RegOpenKey HKCU SUCCESS\n105 svchost.exe 0x260047291 7 RegEnumKey HKCU SUCCESS\n105 svchost.exe 0x260047291 7 RegEnumKey HKCU SUCCESS<\/pre>\n\n\n\n