Tuesday, April 7, 2015

All tools

There isn’t always just one tool for the job — it’s much better to use them all together. Here’s an example scenario to give you an idea of how you might tackle the investigation, although it’s worth noting that there are any number of ways to figure out what’s going on. This is just a quick example to help illustrate, and is by no means an exact list of steps to follow.
Scenario: System is Running Slow, Suspected Malware
The first thing you should do is open up Process Explorer and see what processes are using up resources on the system. Once you’ve identified the process, you should use the built-in tools in Process Explorer to verify what the process actually is, make sure it’s legitimate, and optionally scan that process for viruses using the built-in VirusTotal integration.

(In the screenshot that went with this step the busy process turned out to be a Sysinternals utility itself; if it weren't something we recognized, this is where we'd be verifying it.)
Note: if you really think there might be malware on the machine, pull the network cable or disable the adapter while you troubleshoot, after doing any VirusTotal lookups you want first (Process Explorer only submits file hashes unless you turn on uploading of unknown executables). Left online, the malware can pull down more malware or send more of your information out.
If the process is completely legitimate, kill or restart the offending process, and cross your fingers that it was a fluke. If you don’t want that process to start anymore, you can either uninstall it, or use Autoruns to stop the process from loading at startup.
If that doesn’t solve the problem, it might be time to pull out Process Monitor and analyze the processes that you’ve already identified and figure out what they are trying to access. This can give you clues into what is actually going on — maybe the process is trying to access a registry key or file that doesn’t exist or it doesn’t have access to, or maybe it is just trying to hijack all of your files and do lots of sketchy things like accessing information that it probably shouldn’t, or scanning your whole drive for no good reason.
In addition, if you suspect that the application is connecting to something that it shouldn’t, which is very common in the case of spyware, you’d pull out the TCPView utility to verify whether that is the case.
At this point you might have determined that the process is malware, or at least crapware. Either way you don't want it. Run the uninstaller if it shows up in Control Panel's Uninstall Programs list, but many times it isn't listed, or the uninstaller doesn't clean up properly. This is when you pull out Autoruns, find every place the application has hooked into startup, and delete the entries from there. Note the file paths Autoruns and Process Explorer show you before you kill the process so you know what to delete afterwards, then delete the files.
Running a full virus scan of your system is also helpful, but let's be honest: most crapware and spyware gets installed despite an anti-virus application being present. In our experience, most anti-virus will happily report "all clear" while your PC can barely operate because of spyware and crapware.
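Most of the steps in this scenario can be scripted with built-in cmdlets when you want a quick snapshot before opening the GUI tools. The following PowerShell is an added example for this page, not code from the article or from Sysinternals; the function names and the choice of startup locations are this example's own, and it covers only the Run/RunOnce keys and scheduled tasks, a small subset of what Autoruns checks. Run it from an elevated prompt on Windows 8 / Server 2012 or later (Get-NetTCPConnection does not exist on earlier versions).

```powershell
# Added example, not from the original article. Assumes an elevated PowerShell
# on Windows 8 / 2012 or later. Function names are this example's own.

function Get-SuspectProcessReport {
    # Steps 1-3 of the scenario: who is busy, what is it really, and where is
    # it talking to. Returns one object per process, ordered by CPU time.
    param([int]$Count = 5)

    $busy = Get-Process | Sort-Object CPU -Descending | Select-Object -First $Count

    foreach ($p in $busy) {
        $cim  = Get-CimInstance Win32_Process -Filter "ProcessId = $($p.Id)"
        $path = $cim.ExecutablePath

        # Authenticode signature and SHA-256: the same data Process Explorer's
        # Verify and VirusTotal columns are built on. The hash alone is enough
        # for a VirusTotal search, so nothing has to be uploaded.
        $sig  = if ($path) { Get-AuthenticodeSignature -FilePath $path } else { $null }
        $hash = if ($path) { (Get-FileHash -Algorithm SHA256 -LiteralPath $path).Hash } else { $null }

        # Established TCP connections owned by this PID, loopback excluded.
        $remotes = Get-NetTCPConnection -OwningProcess $p.Id -State Established -ErrorAction SilentlyContinue |
            Where-Object { $_.RemoteAddress -notin '127.0.0.1', '::1' } |
            ForEach-Object { "$($_.RemoteAddress):$($_.RemotePort)" }

        [pscustomobject]@{
            Name        = $p.ProcessName
            PID         = $p.Id
            CPUSeconds  = if ($null -ne $p.CPU) { [math]::Round($p.CPU, 1) } else { $null }
            Path        = $path
            SigStatus   = if ($sig) { [string]$sig.Status } else { 'NoPath' }
            Signer      = if ($sig -and $sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
            SHA256      = $hash
            Remote      = ($remotes -join ', ')
            CommandLine = $cim.CommandLine
        }
    }
}

function Find-StartupReferences {
    # Step 4: where does this executable get started from? Checks the four
    # common Run/RunOnce keys and scheduled task actions; Autoruns checks far
    # more locations (services, drivers, WMI, shell extensions, ...).
    param([Parameter(Mandatory)][string]$ExeName)

    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    # Get-ItemProperty adds these provider properties; they are not Run entries.
    $providerProps = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($prop in $props.PSObject.Properties) {
            if ($providerProps -contains $prop.Name) { continue }
            if ("$($prop.Value)" -like "*$ExeName*") {
                [pscustomobject]@{ Location = $key; Entry = $prop.Name; Command = $prop.Value }
            }
        }
    }

    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            if ("$($action.Execute) $($action.Arguments)" -like "*$ExeName*") {
                [pscustomobject]@{
                    Location = "Scheduled task $($task.TaskPath)"
                    Entry    = $task.TaskName
                    Command  = "$($action.Execute) $($action.Arguments)"
                }
            }
        }
    }
}

# Usage: top five CPU consumers, then look for how one of them gets started.
Get-SuspectProcessReport -Count 5 | Format-List
# Find-StartupReferences -ExeName 'updater.exe'
```

The report deliberately shows the command line next to the signer: a signed binary launched with an odd argument string is as worth a second look as an unsigned one.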

TCPView

This utility is a great way to see what applications on your computer are connecting to what services over the network. You can see most of this information on the command prompt using netstat, or buried in the Process Explorer / Monitor interface, but it’s much easier to just pop open TCPView and see what is connecting to what.
The colors in the list are pretty simple and similar to the other utilities — bright green means that the connection just showed up, red means the connection is closing, and yellow means the connection changed.
You can also look at the process properties, end the process, close the connection, or pull up a Whois report. It’s simple, functional, and very useful.

Note: When you first load TCPView you might see a ton of connections from [System Process] to all sorts of internet addresses, but this usually isn't a problem. A connection in the TIME_WAIT state has already been closed; the process that owned the socket has let go of it, so there is no PID to attribute it to and TCPView shows it under PID 0, the [System Process] placeholder.
You'll see this most when you open TCPView right after connecting to a bunch of things; the entries disappear on their own once the TIME_WAIT timer expires, as long as you keep TCPView open.
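The same view can be built from Get-NetTCPConnection when you need it in a script or on a machine you can't copy TCPView onto. This is an added example, not code from the article or from Sysinternals; the function names are this example's own, and it needs Windows 8 / Server 2012 or later. It handles the PID 0 case from the note above explicitly, and the second function diffs two snapshots to stand in for TCPView's green (new) and red (closing) rows.

```powershell
# Added example, not from the original article. Needs Windows 8 / 2012 or
# later for Get-NetTCPConnection. Function names are this example's own.

function Get-ConnectionTable {
    param(
        [switch]$IncludeTimeWait,   # TIME_WAIT rows have no owner (PID 0); off by default
        [switch]$RemoteOnly         # drop listeners and loopback, keep real peers
    )
    # PID -> name map built once; Get-NetTCPConnection only gives the PID.
    $names = @{}
    Get-Process | ForEach-Object { $names[[int]$_.Id] = $_.ProcessName }

    Get-NetTCPConnection | Where-Object {
        ($IncludeTimeWait -or $_.State -ne 'TimeWait') -and
        (-not $RemoteOnly -or ($_.State -ne 'Listen' -and
                               $_.RemoteAddress -notin '127.0.0.1', '::1', '0.0.0.0', '::'))
    } | ForEach-Object {
        $ownerPid = [int]$_.OwningProcess
        if ($ownerPid -eq 0) { $owner = '[System Process]' }            # what TCPView shows for TIME_WAIT
        elseif ($names.ContainsKey($ownerPid)) { $owner = $names[$ownerPid] }
        else { $owner = '(exited)' }                                     # process went away since the map was built
        [pscustomobject]@{
            Process = $owner
            PID     = $ownerPid
            Local   = "$($_.LocalAddress):$($_.LocalPort)"
            Remote  = "$($_.RemoteAddress):$($_.RemotePort)"
            State   = [string]$_.State
        }
    } | Sort-Object Process, Remote
}

function Compare-ConnectionSnapshots {
    # Two snapshots a few seconds apart, diffed: "NEW" is TCPView's green
    # row, "CLOSED" its red one.
    param([int]$Seconds = 5)
    $before = @(Get-ConnectionTable -RemoteOnly | ForEach-Object { "$($_.Process) -> $($_.Remote)" })
    Start-Sleep -Seconds $Seconds
    $after  = @(Get-ConnectionTable -RemoteOnly | ForEach-Object { "$($_.Process) -> $($_.Remote)" })
    Compare-Object -ReferenceObject $before -DifferenceObject $after | ForEach-Object {
        $tag = if ($_.SideIndicator -eq '=>') { 'NEW   ' } else { 'CLOSED' }
        "$tag $($_.InputObject)"
    }
}

# Usage: current peers, then watch for changes over ten seconds.
Get-ConnectionTable -RemoteOnly | Format-Table -AutoSize
Compare-ConnectionSnapshots -Seconds 10
```

Pass -IncludeTimeWait if you actually want to see the [System Process] rows; they are left out by default precisely because they tell you nothing about which program made the connection.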

Coreinfo

Shows information on the system CPU and all of the features. Ever wondered if your CPU is 64-bit or if it supports hardware-based virtualization? You can see all that and much, much more with the coreinfo utility. This can be really useful if you want to see whether an older computer can run the 64-bit version of Windows or not.

Handle

This utility does the same thing as Process Explorer's Find Handle or DLL search: you can quickly find out which process holds an open handle that is keeping you from accessing or deleting a resource. The syntax is pretty simple:
handle <resource>
And if you want to close the handle, combine the hexadecimal handle value from that listing (the -c switch) with the owning process ID (the -p switch):
handle -c <hex> -p <PID>
Handle prompts before it closes anything. Be aware that pulling a handle out from under a running process can crash it or leave the file it was writing in a corrupted state, so treat this as a last resort rather than a routine step.

It’s probably a lot easier to use Process Explorer for this task.

ListDlls

Just like Process Explorer, this utility lists the DLLs loaded into a process. It's a lot easier to use Process Explorer for browsing, of course, but ListDlls has one trick worth knowing: the -u switch lists only unsigned DLLs, which is a quick way to spot something injected into an otherwise legitimate process.

RamMap

This utility analyzes your physical memory usage, with loads of different ways to visualize the memory, including by physical pages, where you can see the location in RAM that each executable is loaded into.

Strings Finds Human-Readable Text in Apps and DLLs

A hard-coded URL or IP address that has no business being in a piece of software is a classic sign that something is wrong. How would you see it? The strings utility dumps the printable text embedded in a file from the command prompt; the Strings tab in a process's properties in Process Explorer does the same for a running process, either from its image on disk or from its memory.
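To show what strings is actually doing, here is a small stand-in written in PowerShell that extracts ASCII and UTF-16LE runs from a file and flags the URLs, hostnames and IPv4 addresses among them. This is an added example, not code from the article or from Sysinternals; the function names, the suspicious-pattern list and the sample file it writes to %TEMP% are all this example's own. It runs on Windows PowerShell 5.1 and PowerShell 7.

```powershell
# Added example, not from the original article. A minimal strings.exe stand-in
# plus a filter for network indicators. Names are this example's own.

function Get-BinaryStrings {
    param(
        [Parameter(Mandatory)][string]$Path,
        [int]$MinLength = 6          # strings.exe defaults to 3; 6 cuts most noise
    )
    $bytes  = [System.IO.File]::ReadAllBytes($Path)
    # Latin-1 maps each byte to exactly one char, so regex offsets line up with bytes.
    $latin1 = [System.Text.Encoding]::GetEncoding(28591).GetString($bytes)

    # Printable ASCII runs.
    foreach ($m in [regex]::Matches($latin1, "[\x20-\x7e]{$MinLength,}")) { $m.Value }
    # UTF-16LE runs look like printable byte, NUL, printable byte, NUL, ...
    foreach ($m in [regex]::Matches($latin1, "(?:[\x20-\x7e]\x00){$MinLength,}")) {
        $m.Value -replace "\x00", ''
    }
}

function Find-SuspiciousStrings {
    param([Parameter(Mandatory)][string]$Path)
    # Ordered so a URL is reported as a URL, not as the hostname inside it.
    $patterns = [ordered]@{
        URL  = 'https?://[^\s"<>]+'
        IPv4 = '\b(?:\d{1,3}\.){3}\d{1,3}\b'
        Host = '\b[a-z0-9-]+(?:\.[a-z0-9-]+)*\.(?:com|net|org|io|ru|cn|info|xyz|top)\b'
    }
    foreach ($s in Get-BinaryStrings -Path $Path) {
        foreach ($kind in $patterns.Keys) {
            if ($s -match $patterns[$kind]) {
                [pscustomobject]@{ Kind = $kind; String = $s }
                break      # report each string once
            }
        }
    }
}

# Constructed sample so the example runs stand-alone: a fake binary holding an
# ASCII URL, a UTF-16 hostname and some random bytes.
$sample = Join-Path $env:TEMP 'strings-demo.bin'
[byte[]]$payload = [System.Text.Encoding]::ASCII.GetBytes("MZ`0`0`0http://update.example.com/payload.bin`0`0") +
                   [System.Text.Encoding]::Unicode.GetBytes("bad.example.net`0") +
                   (1..64 | ForEach-Object { [byte](Get-Random -Maximum 256) })
[System.IO.File]::WriteAllBytes($sample, $payload)
Find-SuspiciousStrings -Path $sample | Format-Table -AutoSize
```

The UTF-16 pass matters on Windows: a great deal of what you want to see in a PE file (registry paths, hostnames, mutex names) is stored as wide strings, and an ASCII-only scan misses all of it.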

RegJump

This command line utility opens up the Registry Editor and navigates down to the key that you specify as an argument on the command line. No more manually clicking through the tree… assuming you use it. The syntax:
regjump <registrykey>

Hex2Dec

This converts numbers from hex to decimal and the other way on the command line.

Autologon

This utility very quickly enables automatic login for your account. Just enter your password, click Enable, and you're done. Click Disable to switch it back off if it is enabled and you don't feel like working out where Windows keeps the setting.
It's worth noting that enabling automatic login in Windows is really easy in the first place, and that is exactly the problem: the manual registry method stores the password in clear text in the Winlogon key, whereas Autologon stores it as an LSA secret, which is encrypted but still recoverable by any local administrator. Either way, anyone who can switch the machine on gets a logged-in desktop, so only use this on machines that are physically secured or where nothing on the account matters.
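An added PowerShell example, not code from the article or from Sysinternals, that audits how automatic logon is configured on a machine and distinguishes the clear-text registry method from the Autologon one. The function names are this example's own. It reads the Winlogon key that both methods use (AutoAdminLogon, DefaultUserName, DefaultDomainName, DefaultPassword); the assumption that Autologon leaves no DefaultPassword value and stores the password as an LSA secret instead is based on Sysinternals' own description of the tool.

```powershell
# Added example, not from the original article. Names are this example's own.
# Run from an elevated prompt; Disable-AutoLogon writes to HKLM.

function Get-AutoLogonStatus {
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $wl  = Get-ItemProperty -Path $key
    $enabled   = ($wl.AutoAdminLogon -eq '1')                          # REG_SZ "1" turns it on
    $plaintext = ($null -ne $wl.PSObject.Properties['DefaultPassword']) # manual method leaves this behind

    if (-not $enabled) {
        $finding = 'OK: automatic logon is off'
    }
    elseif ($plaintext) {
        $finding = 'Fix: password is in the registry in clear text; delete DefaultPassword or switch to Autologon'
    }
    else {
        $finding = 'Review: anyone who can power the machine on gets this desktop without a password'
    }

    [pscustomobject]@{
        Enabled           = $enabled
        User              = if ($enabled) { "$($wl.DefaultDomainName)\$($wl.DefaultUserName)" } else { $null }
        PlaintextPassword = $plaintext
        Finding           = $finding
    }
}

function Disable-AutoLogon {
    # Registry side of what Autologon's Disable button does. Assumption: the
    # LSA secret Autologon writes is left for Autologon itself to manage; this
    # function does not touch it.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    Set-ItemProperty -Path $key -Name AutoAdminLogon -Value '0'
    Remove-ItemProperty -Path $key -Name DefaultPassword -ErrorAction SilentlyContinue
}

Get-AutoLogonStatus
```

Run Get-AutoLogonStatus across a fleet and the PlaintextPassword column is the one to sort by first; a clear-text DefaultPassword is readable by any local user, not just administrators.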

AccessChk

This simple utility reports the effective permissions for files and folders… and registry keys, and processes, and a lot of other stuff. Basically, permissions can be really complicated, so this utility shows what an account actually has permission to do with the object.

AccessEnum

This utility is really useful, as you can completely audit the permissions and who has access to files, folders, and registry keys on your system. If you have a really complicated security setup, this tool will let you figure out who has access and see if you’ve made a mistake somewhere.
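The question AccessChk and AccessEnum are usually pulled out for is "where can an ordinary user write that they shouldn't?", because a writable directory under Program Files or a writable service binary is how a standard user gets code run as SYSTEM or as another user. The following PowerShell answers that question with Get-Acl; it is an added example for this page, not code from the article or from Sysinternals. It only inspects Allow entries for a few well-known groups and ignores Deny entries and group nesting, so unlike AccessChk it does not compute true effective access: treat its hits as leads to confirm with accesschk, not as verdicts. Function and variable names are this example's own.

```powershell
# Added example, not from the original article. Names are this example's own.

$WeakPrincipals = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# Only the bits that let someone change the content or control of an object.
# Composite values like Modify or FullControl would also match read-only ACEs.
$WriteBits = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, DeleteSubdirectoriesAndFiles, Delete, ChangePermissions, TakeOwnership'
$WriteBits = $WriteBits -bor 0x40000000 -bor 0x10000000    # GENERIC_WRITE, GENERIC_ALL

function Test-WeakWriteAccess {
    # Returns a finding object if one of the weak principals has an Allow ACE
    # carrying any write bit on $Path; returns nothing otherwise.
    param([Parameter(Mandatory)][string]$Path)
    try { $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop } catch { return }
    foreach ($rule in $acl.Access) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($WeakPrincipals -notcontains $rule.IdentityReference.Value) { continue }
        if (([int]$rule.FileSystemRights -band $WriteBits) -ne 0) {
            return [pscustomobject]@{
                Path      = $Path
                Principal = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
            }
        }
    }
}

function Find-WeakProgramDirs {
    # Writable directories under Program Files are DLL-planting targets.
    param([string[]]$Roots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}))
    foreach ($root in ($Roots | Where-Object { $_ })) {
        Get-ChildItem -LiteralPath $root -Directory -Recurse -ErrorAction SilentlyContinue |
            ForEach-Object { Test-WeakWriteAccess -Path $_.FullName }
    }
}

function Find-WeakServiceBinaries {
    # A service binary writable by Users runs as whatever the service runs as,
    # usually SYSTEM, the next time the service starts.
    Get-CimInstance Win32_Service | ForEach-Object {
        $svc = $_
        # Strip quotes and arguments. An unquoted path containing spaces is a
        # classic finding in its own right and is not resolved here.
        $exe = if ($svc.PathName -match '^"([^"]+)"') { $Matches[1] } else { ($svc.PathName -split ' ')[0] }
        if ($exe -and (Test-Path -LiteralPath $exe)) {
            $hit = Test-WeakWriteAccess -Path $exe
            if ($hit) { $hit | Add-Member -NotePropertyName Service -NotePropertyValue $svc.Name -PassThru }
        }
    }
}

Find-WeakProgramDirs     | Format-Table -AutoSize
Find-WeakServiceBinaries | Format-Table -AutoSize
```

The bit mask is the part people get wrong: checking for Modify or FullControl as a whole value misses an ACE that grants only WriteData, and testing the composite bits with -band flags every read-only entry, so the mask is built from the individual write-class rights plus the two generic rights that inherited ACEs sometimes carry.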

ShellRunAs

This utility is actually a shell extension that lets you quickly run an application as a different user. Windows Vista dropped the "Run as..." context-menu entry that XP had, replacing it with "Run as administrator", which is no help when you need a different standard account; ShellRunAs put the option back. It's still quite useful on older machines in an enterprise environment.
Note: this feature is built into Windows 7 and 8, but hidden behind the Shift + Right Click menu.
Installing is simple, just use this from the command line:
shellrunas /reg
And uninstall is equally simple:
shellrunas /unreg
To use once you’ve installed it, just right-click on any executable file and choose the Run as different user option.

And then enter the username and password for the alternate user.

RegDelNull

Finds and deletes registry keys with null characters in their names. Regedit can't display or delete such keys, which is why some malware uses them to hide its persistence entries, and RegDelNull is how you get rid of them. It's not something to run blindly across the whole registry: look at what it reports before you let it delete anything.

Ctrl2Cap

This utility remaps your CAPS LOCK key to CTRL instead.

BlueScreen Screen Saver

Yep. This one is loads of fun: install it by right-clicking the .scr file and choosing Install, and then you can enjoy a fake BSOD as your screen saver.
