Document Translation NO. 003: Process Monitor Help document (Part 3, with a simple demo of Process Monitor)

Source: Internet
Author: User
Tags: openlog

"Import and Export Configuration"

Once you have configured a filter, you can save it with the Save Filter menu item in the Filter menu. Process Monitor adds your saved filters to the Load Filter menu, which makes them easy to reach. You can also choose Organize Filters from the Filter menu to open the Organize Filters dialog box and change the order in which the filters are listed. The same dialog box lets you rename a saved filter or export a filter to a file, so that you can import it again on another system through the Organize Filters dialog box.

You can also use the Export Configuration menu item in the File menu to export all of Process Monitor's configuration information, including filters, column selection, column order and sizes, log file settings, and the debug help DLL (Dbghelp.dll) path, into a Process Monitor Configuration file (.PMC).

Use the Import Configuration menu item in the File menu to read a saved configuration file back in, or pass it on the command line with the /loadconfig option.

"Command-line Options"

Process Monitor provides the following command-line options:

/openlog <saved PML log file>

Directs Process Monitor to open and load the specified log file.

/backingfile <log file name>

Directs Process Monitor to create and use the specified file as the backing log file.

/pagingfile

Stores captured events in the system paging file.

/noconnect

When this flag is present, Process Monitor does not start capturing activity on its own initiative.

/nofilter

Clears the filter at startup.

/accepteula

Automatically accepts the license and bypasses the EULA dialog box.

/profiling

Enables the thread profiling event class.

/minimized

Starts Process Monitor with its window minimized to the taskbar.

/waitforidle

Waits until an already running instance of Process Monitor is ready and capturing.

/terminate

Terminates all running instances of Process Monitor and exits.

/quiet

Does not prompt to confirm the filter settings at startup.

/run32

Use this switch to run the 32-bit version of Process Monitor on 64-bit Windows, in order to open a log that was generated on a 32-bit system.

/hookregistry

This switch is available only on 32-bit Vista and Server 2008. It makes Process Monitor use system-call hooking instead of the registry callback mechanism to monitor registry activity, which allows it to see SoftGrid virtual registry operations on those operating systems. It must be used the first time Process Monitor is run on a system, and should only be used for troubleshooting SoftGrid applications.

/saveas, /saveas1, /saveas2

Used together with /openlog, these switches make Process Monitor export the opened log file in CSV, XML, or PML format; the format follows the extension of the output file name. /saveas1 includes stack information in the XML output, and /saveas2 additionally adds symbolic information.

/loadconfig

Reads the specified filter and settings file.

"Process Monitor Scripting"

You can use Process Monitor's command-line options to drive it from batch files.

The sample batch file below captures the activity of the Notepad program (notepad.exe):

set PM=C:\sysint\procmon.exe
start %PM% /quiet /minimized /backingfile C:\temp\notepad.pml
%PM% /waitforidle
start /wait notepad.exe
%PM% /terminate

The first call to Process Monitor uses the start command so that the process is detached from the console and keeps running while the following commands execute. The second call uses /waitforidle, which pauses the batch file until the first instance is up and capturing events. The final call uses /terminate, which tells the first instance to stop capturing, flush its data to the backing file, and exit cleanly.

"Injecting Application Debug Information"

If you are an application developer, it is useful to include your own debug output in the Process Monitor event stream, so that you can correlate your application's operations with the other events. Process Monitor allows an unprivileged application to inject a wide string of up to 2048 characters in length. The following sample code shows how to open Process Monitor's debug interface and write a message into the event stream. The string does not need to be null-terminated, although the sample's string is. John Robbins has also written a helper class that makes it easy to add this support to a native or managed application, which is available for download.

Note: the Profiling event class is excluded by the default filter configuration, so you must enable it to see these events.

#include <windows.h>
#include <stdio.h>
#include <wchar.h>

#define FILE_DEVICE_PROCMON_LOG     0x00009535
#define IOCTL_EXTERNAL_LOG_DEBUGOUT (ULONG) CTL_CODE(FILE_DEVICE_PROCMON_LOG, 0x81, METHOD_BUFFERED, FILE_WRITE_ACCESS)

int main(void)
{
    /* The device is created by the Process Monitor driver, so the open only
       succeeds while Process Monitor is running. */
    HANDLE hDevice = CreateFileW(L"\\\\.\\Global\\ProcmonDebugLogger",
                                 GENERIC_READ | GENERIC_WRITE,
                                 FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE,
                                 NULL, OPEN_EXISTING, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hDevice != INVALID_HANDLE_VALUE) {
        WCHAR text[] = L"Debug out";
        /* Byte length of the message; the terminating null is included here
           but is not required by Process Monitor. */
        DWORD textlen = (DWORD)((wcslen(text) + 1) * sizeof(WCHAR));
        DWORD nb = 0;
        BOOL ok = DeviceIoControl(hDevice, IOCTL_EXTERNAL_LOG_DEBUGOUT,
                                  text, textlen, NULL, 0, &nb, NULL);
        if (ok) {
            printf("Wrote debug output message\n");
        } else {
            printf("Error 0x%lx\n", GetLastError());
        }
        CloseHandle(hDevice);
    } else {
        printf("Error %lu opening Process Monitor\n", GetLastError());
    }
    return 0;
}


"Appendix: A Simple Demonstration of Process Monitor"

For a brief demonstration of the software's functionality, I will take the program written in my two articles "Anti-virus Defense Research NO. 001: Self-replication and self-deletion" and "Anti-virus Defense Research NO. 002: Using the registry to achieve auto-start", and use Process Monitor to monitor its behavior.

Here is a summary of the behavior of the "malicious program" I wrote, so that it can be compared with the Process Monitor results:

(1) Copies itself to the System32 and Windows folders.

(2) Adds itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key of the registry.

(3) Hijacks the cmd.exe program through Image File Execution Options (image hijacking).

(4) Deletes itself.

Next, Process Monitor v3.10 is started on the computer first (note: a real virus should be run and monitored inside a virtual machine). The Process Monitor Filter dialog box pops up and lets us set the filter criteria.

Here we want to monitor the program named "Hacked.exe", so we set the condition Process Name is "Hacked.exe" then Include, click "Add", and the "Hacked.exe" entry appears in the filter list. We then click "OK".

Figure 1 Filter settings

Run the "Hacked.exe" program. Process Monitor captures the program's actions, as shown in Figure 2:


Figure 2 Viewing the monitoring results

The whole run of the program is captured in the figure. First, open the process tree to see how the related processes were started:


Figure 3 Viewing the process tree

It can be seen that "Hacked.exe" itself also started the cmd.exe program, which should be monitored as well if necessary.

Here I have enabled all event classes. For simplicity we analyze them one class at a time. First, make Process Monitor show only file system activity, then continue viewing:


Figure 4 Viewing the self-replication of "Hacked.exe"

The monitoring results show that the program copies itself to the Windows and System32 folders.

Continuing to observe:


Figure 5 "Hacked.exe" creates a self-deletion script

It creates the Delself.cmd file and writes to it. Up to this point we have not seen "Hacked.exe" delete itself, so it is necessary to also monitor cmd.exe. The results are as follows:


Figure 6 Viewing the self-deletion behavior of "Hacked.exe"

The SetDispositionInformationFile operations issued by cmd.exe are visible (their Detail column shows Delete: True); they are what delete "Hacked.exe" and "Delself.cmd".

So far we have analyzed the file behavior of "Hacked.exe"; next we analyze its registry behavior. Turn off the Show File System Activity button and turn on Show Registry Activity:


Figure 7 Monitoring of registry operations

Process Monitor has captured the corresponding registry operations; the value data written is shown in the Detail column and is not described further here.

At this point the analysis of "Hacked.exe" is complete, and a removal tool can be written from the results above.

Writing the removal tool was discussed in my earlier article, so it is not repeated here.
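To tie the scripting section above and this walkthrough together, here is an added example (my own, not code from the original article or from Sysinternals) that drives the same capture sequence as the batch file, exports the PML to CSV with /saveas, and then triages the CSV for the four behaviours analysed above. It follows the child cmd.exe that Hacked.exe spawns, so that the self-deletion is attributed back to the sample, which is exactly the point Figures 3 and 6 make. The procmon.exe path, the Hacked.exe sample name, the rows embedded as SAMPLE_CSV and the column names (Process Monitor's default export columns) are assumptions; the rows are constructed for the example, not captured output.

```python
"""Drive Process Monitor from a script and triage its CSV export.

Added example; not code from the original page or from Sysinternals.
Assumptions (hypothetical): procmon.exe lives at C:\\sysint\\procmon.exe, the
sample is Hacked.exe, and the CSV uses Procmon's default export columns:
Time of Day, Process Name, PID, Operation, Path, Result, Detail.
"""
import csv
import io
import re
import subprocess
import sys

PROCMON = r"C:\sysint\procmon.exe"                      # assumed install path
SYSTEM_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\")
RUN_KEY = "\\software\\microsoft\\windows\\currentversion\\run\\"
IFEO_KEY = "\\software\\microsoft\\windows nt\\currentversion\\image file execution options\\"


def capture_and_export(target_cmd, pml, out_csv, procmon=PROCMON):
    """Same sequence as the help document's batch file, plus a /saveas export.
    target_cmd is an argv list for the program to observe. Windows only."""
    logger = subprocess.Popen([procmon, "/accepteula", "/quiet", "/minimized",
                               "/backingfile", pml])
    subprocess.run([procmon, "/waitforidle"], check=True)   # block until capturing
    subprocess.run(target_cmd, check=False)                # the program under observation
    subprocess.run([procmon, "/terminate"], check=True)    # flush the PML and exit
    logger.wait()
    # Convert the PML to CSV; the output format follows the file extension.
    subprocess.run([procmon, "/openlog", pml, "/saveas", out_csv], check=True)


def _data(detail):
    """Return the 'Data:' payload of a RegSetValue Detail string, or ''."""
    return detail.split("Data: ", 1)[1] if "Data: " in detail else ""


def triage(csv_text, sample):
    """Flag the behaviours the walkthrough above looks for, following the
    sample's child processes so delegated work (cmd.exe) is attributed to it."""
    findings = {"self_copy": [], "run_key": [], "ifeo": [], "children": [],
                "self_delete": []}
    tracked = set()                      # PIDs of the sample and its descendants
    for row in csv.DictReader(io.StringIO(csv_text)):
        pid, op = row["PID"], row["Operation"]
        path, detail = row["Path"], row["Detail"]
        lpath = path.lower()
        if row["Process Name"].lower() == sample.lower():
            tracked.add(pid)
        if pid not in tracked:
            continue                     # unrelated process: ignore its events
        if op == "Process Create":
            m = re.search(r"PID: (\d+)", detail)
            if m:
                tracked.add(m.group(1))  # follow the child from now on
            findings["children"].append(path)
        elif (op == "CreateFile" and lpath.startswith(SYSTEM_DIRS)
              and lpath.endswith("\\" + sample.lower())
              and re.search(r"OpenResult: (Created|Overwritten)", detail)):
            findings["self_copy"].append(path)       # copy of itself into the Windows tree
        elif op == "RegSetValue" and RUN_KEY in lpath:
            findings["run_key"].append((path, _data(detail)))   # auto-start entry
        elif op == "RegSetValue" and IFEO_KEY in lpath:
            findings["ifeo"].append((path, _data(detail)))      # image hijacking
        elif op == "SetDispositionInformationFile" and "Delete: True" in detail:
            findings["self_delete"].append((row["Process Name"], path))
    return findings


# Constructed rows in Procmon's CSV export layout (not real captured output).
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:00:01.0000001 AM","Hacked.exe","1234","CreateFile","C:\Windows\System32\Hacked.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:00:01.0000002 AM","Hacked.exe","1234","CreateFile","C:\Windows\Hacked.exe","SUCCESS","Desired Access: Generic Write, Read Attributes, Disposition: OverwriteIf, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:00:01.0000003 AM","Hacked.exe","1234","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Hacked","SUCCESS","Type: REG_SZ, Length: 62, Data: C:\Windows\System32\Hacked.exe"
"10:00:01.0000004 AM","Hacked.exe","1234","RegSetValue","HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmd.exe\Debugger","SUCCESS","Type: REG_SZ, Length: 46, Data: C:\Windows\Hacked.exe"
"10:00:01.0000005 AM","Hacked.exe","1234","CreateFile","C:\Temp\Delself.cmd","SUCCESS","Desired Access: Generic Write, Disposition: Create, Options: Synchronous IO Non-Alert, Non-Directory File, Attributes: N, ShareMode: Read, AllocationSize: 0, OpenResult: Created"
"10:00:01.0000006 AM","Hacked.exe","1234","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5678, Command line: cmd /c C:\Temp\Delself.cmd"
"10:00:02.0000001 AM","cmd.exe","5678","SetDispositionInformationFile","C:\Temp\Hacked.exe","SUCCESS","Delete: True"
"10:00:02.0000002 AM","cmd.exe","5678","SetDispositionInformationFile","C:\Temp\Delself.cmd","SUCCESS","Delete: True"
"10:00:02.0000003 AM","explorer.exe","900","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive","SUCCESS","Type: REG_SZ, Length: 40, Data: C:\Users\u\OneDrive.exe"
'''

if __name__ == "__main__":
    # Usage: triage.py [export.csv] [sample.exe]; defaults to the constructed rows.
    text = (open(sys.argv[1], encoding="utf-8-sig").read()
            if len(sys.argv) > 1 else SAMPLE_CSV)
    for kind, hits in triage(text, sys.argv[2] if len(sys.argv) > 2 else "Hacked.exe").items():
        print(kind, hits)
```

The explorer.exe row is there on purpose: it writes the same Run key, but it is not descended from the sample, so it is not reported. Conversely the deletions are performed by cmd.exe, not by Hacked.exe, and are only attributed correctly because the Process Create event is used to add the child's PID to the tracked set, which is the same reason the walkthrough has to add cmd.exe to the filter.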

The above introduces the use of Process Monitor; the software has many other features still to be explored.

I hope readers can use my articles as a starting point, keep learning, and become experts in the anti-virus field.

