Articles

Detecting When Processes Start on Windows to Check Legitimacy

ByAdmin November 15, 2023November 15, 2023

It is useful to be able to monitor and detect when new processes start on Windows in real-time. This allows us to scan their memory or perform other checks to ensure they are legitimate or to identify potential malware.

The most straightforward method is to poll the list of running processes and identify new ones via the Windows API. The main drawback is its resource-intensive nature, as it continuously queries the system, which can impact performance.

Another approach on Windows is to subscribe to process creation events using Windows Management Instrumentation (WMI). This enables you to be notified by the system when a new process starts.

This approach also leverages the event-driven nature of the system, where your program is notified by Windows when a new process starts, reducing resource usage.

The easiest programming language to use for this task on Windows is C#, as the .NET Framework provides classes that simplify interaction with WMI.

using System;
using System.Management;

class ProcessMonitor
{
    public static void Main()
    {
        string queryString = "SELECT * FROM Win32_ProcessStartTrace";

        ManagementEventWatcher watcher = new ManagementEventWatcher(new WqlEventQuery(queryString));
        watcher.EventArrived += new EventArrivedEventHandler(ProcessStarted);
        watcher.Start();

        Console.WriteLine("Listening for new processes. Press any key to exit.");
        Console.ReadKey();

        watcher.Stop();
    }

    private static void ProcessStarted(object sender, EventArrivedEventArgs e)
    {
        Console.WriteLine("Process started: " + e.NewEvent["ProcessName"]);
    }
}

This code defines a WMI query to listen for Win32_ProcessStartTrace events, which are triggered when a new process starts. It subscribes to the EventArrived event of ManagementEventWatcher to receive notifications when a new process begins. In the ProcessStarted method, the event is handled, and the name of the process that started is output to the console.

Using this approach, we can detect in real-time when a new process has started and then extract the memory image, or parts of it, for analysis as needed.

To run the code example, you will need the appropriate administrative privileges, especially to access process information for system processes. Note, also this approach is specific to Windows and relies on the capabilities of the .NET Framework and WMI infrastructure.

Articles

Getting the Base Address of kernel32.dll

ByAdmin November 20, 2023November 20, 2023

Finding the base address of kernel32.dll in on Windows for shellcode, exploit development or otherwise can be a challenging due to various constraints. But, there are three main ways to accomplish this, which are discussed in the following sub-sections after an overview of how system DLLs work. Kernel32.dll and System DLLs Firstly, we should note…

Articles

Tools and Frameworks for Binary Analysis

ByAdmin November 14, 2023November 14, 2023

There are several tools and frameworks designed for binary analysis, which are key for cyber-security work (e.g, malware analysis). And, lend themselves to a whole host of areas such as reverse engineering, vulnerability discovery and and exploitation. The following are some of the most popular ones and worth investigating further. You can also integrate binary…

Articles

Analysis of the Havoc Framework

ByAdmin June 9, 2024June 9, 2024

The Havoc framework is a sophisticated open-source command-and-control (C2) post-exploitation tool. Developed to provide a comprehensive and customizable solution for red team operations and penetration testing, Havoc facilitates advanced attack scenarios while remaining stealthy and adaptable. Architecture The Havoc framework consists of several core components designed to work together seamlessly: Key Features Technical Components Workflow…

Articles

Understanding and Implementing Microsoft Detours for Function Hooking

ByAdmin August 23, 2024August 23, 2024

Detours is a library developed by Microsoft Research for intercepting and modifying the behavior of arbitrary Win32 functions on various Windows-compatible processors. Unlike static redirection, Detours operates at runtime, making it incredibly versatile for debugging, instrumentation, and extending application functionality without altering the source code or executable files on disk. Why Use Detours? Basic Concepts…

Articles

Inter-Service Communication in Windows Services

ByAdmin June 9, 2024June 13, 2024

In modern software systems, particularly those running on Windows, it is crucial for various services operating in the background to communicate with each other. This necessity is heightened in complex software systems where different services are responsible for distinct aspects of the system’s functionality. Scenarios Modular Design In a modularly designed system, distinct services handle…

Articles

Modifying a Binary via Powershell

ByAdmin December 21, 2023March 7, 2024

Creating or modifying a binary files in PowerShell can be done using various methods. One common approach is to use the Set-Content cmdlet along with a byte array. This approach is useful for creating or modifying binary files directly from PowerShell, especially when dealing with small files or when you need to automate the process…

Similar Posts