I’m at the Techno Security and Digital Forensics conference in Myrtle Beach again this year. I sat in on a presentation about performing malware analysis. The analyst began with two popular Microsoft tools: Dependency Walker and Process Explorer. He used Dependency Walker to do a quick, static analysis of the malware file, just to see what .DLLs it used. As malware continues to become more and more sophisticated, this type of analysis is limited. We see a lot of noise. However, by watching the behavior in a sandboxed, isolated environment, we can see what the malware actually does. With the right set of tools, we can even fool malware into thinking it’s properly online.
Process Explorer is the more interesting tool here because it allows us to see processes in real time. We can see the handles a process has open. We can also examine any built-in strings that could reveal information about what the malware connects to, maybe who the author was, etc. But Process Explorer’s primary reason for existence wasn’t to help with malware analysis. It, like most of the rest of the Sysinternals suite, is designed to be a toolset that helps administrators troubleshoot issues on their systems. I have the Sysinternals tools available whenever I’m looking at a system.
The two tools I use the most are Process Explorer and Process Monitor. Process Monitor keeps a log of all file system and registry access. This is great for figuring out why a particular application is failing. Often something is missing. Or, the key to figuring out why something is broken is stored in a configuration file or in a registry value. By seeing what a process attempts to access, I can usually find where the issue is. Combined with Process Explorer, I can get a good view of what an application is trying to do.
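As an added example (not from the talk or from this post), here is a PowerShell script that triages a Process Monitor CSV export for the "something is missing" pattern above: file and registry operations that came back NAME NOT FOUND, PATH NOT FOUND or ACCESS DENIED, grouped by path. The export path, the process name app.exe and the sample rows are assumptions I constructed so the script runs offline; the column names are Procmon's default export columns.

```powershell
# Triage a Process Monitor CSV export (File > Save..., CSV format) for the
# "something is missing" pattern: operations that returned NAME NOT FOUND,
# PATH NOT FOUND or ACCESS DENIED, grouped by operation, path and result.
# Both parameter defaults are assumptions; point them at your own export.
param(
    [string]$CsvPath = ".\Logfile.CSV",   # assumed path to the Procmon export
    [string]$ProcessName = "app.exe"      # assumed name of the failing application
)

# Constructed sample rows (not real Procmon output) used when no export exists.
$sample = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"9:01:02.1","app.exe","4120","CreateFile","C:\Program Files\App\config.ini","NAME NOT FOUND","Desired Access: Generic Read"
"9:01:02.2","app.exe","4120","RegOpenKey","HKLM\SOFTWARE\App\Settings","NAME NOT FOUND","Desired Access: Read"
"9:01:02.3","app.exe","4120","RegOpenKey","HKLM\SOFTWARE\App\Settings","NAME NOT FOUND","Desired Access: Read"
"9:01:02.4","app.exe","4120","CreateFile","C:\ProgramData\App\cache.db","ACCESS DENIED","Desired Access: Generic Write"
"9:01:02.5","app.exe","4120","CreateFile","C:\Windows\System32\kernel32.dll","SUCCESS","Desired Access: Read"
"9:01:03.0","svchost.exe","812","RegQueryValue","HKLM\SYSTEM\CurrentControlSet\Services\Foo","NAME NOT FOUND","Length: 16"
'@

# Use the real export if it exists, otherwise fall back to the constructed rows.
$events = if (Test-Path $CsvPath) {
    Import-Csv -Path $CsvPath
} else {
    ($sample -split "`r?`n") | ConvertFrom-Csv
}

# Results that usually explain a failing application: a missing file or key,
# or a permission problem. SUCCESS rows are the noise we want to drop.
$interesting = 'NAME NOT FOUND', 'PATH NOT FOUND', 'ACCESS DENIED'

$events |
    Where-Object { $_.'Process Name' -eq $ProcessName -and $interesting -contains $_.Result } |
    Group-Object -Property Operation, Path, Result |
    Sort-Object -Property Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            Operation = $_.Group[0].Operation
            Path      = $_.Group[0].Path
            Result    = $_.Group[0].Result
        }
    } |
    Format-Table -AutoSize
```

With the sample rows the table lists the repeated RegOpenKey on HKLM\SOFTWARE\App\Settings first, then the missing config.ini and the denied cache.db write, while the successful kernel32.dll load and the unrelated svchost.exe row are filtered out.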
The best part of these tools is that they are free. They aren’t hard to learn how to use, either. And they aren’t considered “hacking tools,” meaning you can run them on your system, even if you’re a DBA or developer. If you manage Windows systems, I would definitely recommend familiarizing yourself with these tools, if you haven’t already.