Article 003rd: Process Monitor help document (Part 3, with a simple demo of Process Monitor)

Source: Internet
Author: User
Tags: openlog

[Import and export configuration]

Once you have configured a filter, you can save it with the Save Filter item in the Tools menu. Process Monitor adds each saved filter to the Load Filter menu for convenient access. You can also choose Organize Filters in the Tools menu to open the Organize Filters dialog box, where you can change the order in which filters are displayed, rename saved filters, and export a filter to a file so that it can be imported with the same dialog box on another system.

You can also use the Export Configuration item in the File menu to export the entire Process Monitor configuration, including filters, column selection, column order and widths, log file settings, and the debug help file path, to a Process Monitor configuration file (.PMC). Use the Import Configuration item in the File menu to read a saved configuration file, or load it at startup with the /loadconfig command line option.

 

[Command line options]

Process Monitor supports the following command line options:

/Openlog <saved PML Log File>

Open and read the specified saved log file.

/Backingfile <Log File Name>

Create and use the specified file as the backing log file.

/Pagingfile

Save events to the paging file.

/Noconnect

Do not start logging activity automatically at startup.

/Nofilter

Clear the filter at startup.

/Accepteula

Automatically accept the license agreement and bypass the EULA dialog box.

/Profiling

Enable the thread profiling event class.

/Minimized

Start Process Monitor minimized to the taskbar.

/Waitforidle

Wait for a running instance of Process Monitor to become ready.

/Terminate

Terminate all running instances of Process Monitor and exit.

/Quiet

Do not confirm filter settings at startup.

/Run32

Run the 32-bit version of Process Monitor on 64-bit Windows so that logs generated on a 32-bit system can be opened.

/Hookregistry

This switch is available only on 32-bit Vista and Server 2008. It makes Process Monitor use a system call hook instead of the registry callback mechanism to monitor registry activity, which allows you to see SoftGrid's virtual registry operations on those operating systems. The option must be used the first time Process Monitor runs on the system and should only be used for troubleshooting SoftGrid applications.

/Saveas, /saveas1, /saveas2

Used together with /openlog, these options export a log file to CSV, XML, or PML format. /saveas1 includes stack information in the XML export, and /saveas2 additionally includes symbol information.

/Loadconfig

Read the specified filter and settings (configuration) file.

 

[Processmonitor script writing]

You can use Process Monitor's command line options to write batch files. The following example shows a batch file that captures the activity of a program (here Notepad.exe):

set PM=C:\sysint\procmon.exe
start %PM% /quiet /minimized /backingfile C:\temp\notepad.pml
%PM% /waitforidle
start /wait notepad.exe
%PM% /terminate

The first call to Process Monitor uses the Start command so that the process is detached from the console window and can run concurrently with the subsequent commands. The second call uses the /waitforidle option to pause the batch file until the first instance is up, running, and capturing event activity. The last call uses the /terminate option, which tells the first instance to stop capturing, flush its data to the backing file, and exit cleanly.

 

[Inject Application debugging information]

If you are an application developer, it can be useful to include your application's debug output in the Process Monitor event stream so that you can correlate application operations with other events. Process Monitor allows unprivileged applications to inject strings of up to 2048 characters. The following sample code shows how to open the Process Monitor debug interface and write a message into the event stream. The string does not need to be null-terminated, although the example includes the terminating null. John Robbins has also written helper classes that make it easy to add this support to native and managed applications; the download link was on the original page.

Note: you must enable the Profiling event class, which the default filter configuration excludes, to see these events.

#include <windows.h>
#include <tchar.h>
#include <stdio.h>

/* Device type and IOCTL code of the Process Monitor debug logger interface */
#define FILE_DEVICE_PROCMON_LOG 0x00009535
#define IOCTL_EXTERNAL_LOG_DEBUGOUT (ULONG) CTL_CODE( FILE_DEVICE_PROCMON_LOG, 0x81, METHOD_BUFFERED, FILE_WRITE_ACCESS )

int main()
{
        /* Open the debug logger device. CreateFileW is used explicitly because the path is a wide string,
           so the code compiles whether or not UNICODE is defined. */
        HANDLE hDevice = CreateFileW( L"\\\\.\\Global\\ProcmonDebugLogger", GENERIC_READ|GENERIC_WRITE,
                                      FILE_SHARE_READ|FILE_SHARE_WRITE|FILE_SHARE_DELETE, NULL,
                                      OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL );
        if ( hDevice != INVALID_HANDLE_VALUE ) {
                WCHAR text[] = L"Debug out";
                /* Length in bytes, including the terminating null (not required, but harmless) */
                DWORD textlen = (DWORD)((wcslen(text)+1) * sizeof(WCHAR));
                DWORD nb = 0;
                /* Send the string to Process Monitor; it appears as a Debug Output Profiling event */
                BOOL ok = DeviceIoControl( hDevice, IOCTL_EXTERNAL_LOG_DEBUGOUT, text, textlen, NULL, 0, &nb, NULL );
                if ( ok ) {
                        printf( "wrote debug output message\n" );
                } else {
                        printf( "error 0x%lx\n", GetLastError() );
                }
                CloseHandle( hDevice );
        } else {
                /* Fails if Process Monitor is not running, because its driver creates the device */
                printf( "error %lu opening Process Monitor\n", GetLastError() );
        }
        return 0;
}


[Appendix: a simple demo of Process Monitor]

To briefly demonstrate what this software can do, I will combine the programs from two earlier articles (001: anti-virus attack and defense research: self-replication and self-deletion; 002: anti-virus attack and defense research: using the Registry) and then use Process Monitor to monitor the behavior of the result.

First, here is a summary of what the "malicious program" I wrote does, so that it can be compared with the Process Monitor results:

(1) Copy itself to the System32 and Windows directories.

(2) Add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run.

(3) .exe program.

(4) Delete itself.

Next, run Process Monitor v3.10 on the computer (note: real viruses should be run and monitored inside a virtual machine). When the Process Monitor Filter dialog box appears, set the filter conditions: the program to be monitored is named hacked.exe, so choose Process Name, enter hacked.exe, and click Add. hacked.exe is now included in the filter. Click OK.

Figure 1 filter settings

Run hacked.exe. Process Monitor captures the program's operations, as shown in Figure 2:


Figure 2 view monitoring results

The figure shows the whole execution of the program. First, open the process tree to check how the related processes were started:


Figure 3 process tree

Both hacked.exe and cmd.exe are started, so cmd.exe should also be monitored if necessary.

Here I have enabled monitoring for all event classes. For simplicity, we can analyze them one class at a time. First, set Process Monitor to show only file system activity and look at the events:


Figure 4 self-replication of hacked.exe

The results show that the program copies itself to the Windows and System32 directories. Continue observing:


Figure 5 hacked.exe creating the self-deletion file

A file named delself.cmd is created and written to. At this point we have not seen hacked.exe itself delete anything, so we must also monitor cmd.exe. The result is as follows:


Figure 6 self-deletion of hacked.exe

A SetDispositionInformationFile operation is applied to hacked.exe and delself.cmd, which is how both files are deleted. This completes the analysis of the file system behavior of hacked.exe; next we analyze its registry behavior. Turn off the file system activity button, turn on registry activity, and analyze:


Figure 7 registry monitoring

Process Monitor has recorded the corresponding registry key operations; the Detail column provides more information, which is not repeated here.

At this point the analysis of hacked.exe is complete. Based on these results you can write a removal tool; writing such a tool was discussed in my earlier article.
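As an added example (not part of the original article), the following PowerShell script ties the scripting section and this appendix together: it captures one program with the same /quiet, /minimized, /backingfile, /waitforidle and /terminate sequence as the batch file, exports the log with /openlog and /saveas, and then searches the CSV for the behaviors found by hand above. The Procmon install path, the sample path and the default Procmon CSV column headers are assumptions.

```powershell
# Added example, not from the original article. Paths, the sample name and the CSV
# column headers are assumptions; run the sample only inside a virtual machine.
$Procmon = 'C:\sysint\Procmon.exe'        # assumed install path
$Target  = 'C:\temp\sample.exe'           # assumed program under analysis
$Log     = 'C:\temp\capture.pml'
$Csv     = [IO.Path]::ChangeExtension($Log, '.csv')

# 1. Detached, minimised capture into a backing file, then block until that instance is ready.
Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/Quiet', '/Minimized', '/BackingFile', "`"$Log`"")
& $Procmon /WaitForIdle

# 2. Run the target to completion, then tell the capturing instance to flush the file and exit.
Start-Process -FilePath $Target -Wait
& $Procmon /Terminate

# 3. Convert the PML to CSV with a second, non-capturing instance (/OpenLog plus /SaveAs).
Start-Process -FilePath $Procmon -ArgumentList @('/AcceptEula', '/Quiet', '/OpenLog', "`"$Log`"", '/SaveAs', "`"$Csv`"") -Wait

# 4. Summarise. Column names are Procmon's default CSV headers (assumed unchanged).
$events = Import-Csv -Path $Csv
$name   = [IO.Path]::GetFileName($Target)
$mine   = $events | Where-Object { $_.'Process Name' -eq $name }

$children = $mine | Where-Object { $_.Operation -eq 'Process Create' }                     # process tree (Figure 3)
$copies   = $mine | Where-Object { $_.Operation -eq 'WriteFile' -and
                                   $_.Path -match '^[A-Z]:\\Windows\\(System32\\)?[^\\]+$' }  # self-replication (Figure 4)
$runKeys  = $mine | Where-Object { $_.Operation -eq 'RegSetValue' -and
                                   $_.Path -match '\\CurrentVersion\\Run\\' }               # persistence (Figure 7)
# Deletion may be carried out by a child such as cmd.exe, so scan every process, not only the target.
$deletes  = $events | Where-Object { $_.Operation -eq 'SetDispositionInformationFile' -and
                                     $_.Detail -match 'Delete: True' }                      # self-deletion (Figure 6)

Write-Output "Child processes started by $name"
$children | Select-Object 'Process Name', Path, Detail | Format-Table -AutoSize
Write-Output "Files written under Windows or Windows\System32"
$copies   | Select-Object 'Process Name', Path | Sort-Object Path -Unique | Format-Table -AutoSize
Write-Output "Run-key values set"
$runKeys  | Select-Object Path, Detail | Format-Table -AutoSize
Write-Output "Files marked for deletion (any process)"
$deletes  | Select-Object 'Process Name', Path | Format-Table -AutoSize
```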

The above briefly introduces how to use Process Monitor. The software has many more functions that remain to be explored. I hope readers can use my articles as a starting point to keep learning and become experts in the anti-virus field.
