More Info Needed In Process Enumeration

Started by shakuni, May 04, 2008, 06:07:01 PM

shakuni

There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how does the tool decide whether a process is dangerous or not. My first thought was that this tool monitors all the API calls of all the processes and then based on that info it determines the dangerous processes, but this can't be true since system processes use almost the same APIs that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas?

donkey

One of the funny heuristic signatures is if you call GetProcessHeap/HeapAlloc as the first calls in a program, F-Secure and a few other heuristic scanners will flag this as malicious. The malware scanners look for a number of things and incorporate a kind of AI to load the suspected application into a debugger/emulator and scan it for specific signatures. You can learn more here...

http://www.securityfocus.com/infocus/1622

Donkey
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable
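To make the two replies concrete, here is an added toy scorer (not code from this thread or from any real scanner) that runs over a constructed table of processes. It shows why shakuni's idea of counting sensitive APIs cannot separate system processes from malware, and how a scanner instead combines an image-hash signature lookup with call-order heuristics such as the GetProcessHeap/HeapAlloc-first rule donkey mentions; all process names, call lists and image bytes are constructed sample data.

```python
import hashlib

# Constructed sample data: per-process list of API calls in call order,
# plus the bytes of the process image (a stand-in for the real executable).
SAMPLE_PROCESSES = {
    "explorer.exe": (["GetModuleHandleA", "RegOpenKeyExA", "CreateFileA",
                      "GetProcessHeap", "HeapAlloc"], b"constructed-benign-1"),
    "svchost.exe":  (["GetModuleHandleA", "RegOpenKeyExA", "CreateFileA",
                      "HeapAlloc"], b"constructed-benign-2"),
    "dropper.exe":  (["GetProcessHeap", "HeapAlloc", "RegOpenKeyExA",
                      "CreateFileA", "WriteFile"], b"constructed-unknown"),
    "packed.exe":   (["CreateFileA", "RegOpenKeyExA"], b"constructed-known-sample"),
}

# Constructed signature database: SHA-256 of images a vendor already knows.
KNOWN_BAD_HASHES = {hashlib.sha256(b"constructed-known-sample").hexdigest()}

# Heuristic rules: (name, predicate over the ordered call list, weight).
# The first rule is the one from the thread: heap setup as the very first calls.
HEURISTICS = [
    ("heap-first", lambda calls: calls[:2] == ["GetProcessHeap", "HeapAlloc"], 2),
]

def api_presence_score(calls):
    """The naive approach from the question: count 'sensitive' APIs.
    Benign and malicious processes both use registry and file APIs, so this
    score does not discriminate between them."""
    sensitive = {"RegOpenKeyExA", "CreateFileA", "WriteFile"}
    return sum(1 for c in calls if c in sensitive)

def classify(calls, image, threshold=2):
    """Return (verdict, reasons). A hash hit is definitive; otherwise the
    weighted heuristics must reach the threshold to flag the process."""
    digest = hashlib.sha256(image).hexdigest()
    if digest in KNOWN_BAD_HASHES:
        return "malicious", ["signature:" + digest[:12]]
    score, reasons = 0, []
    for rule, predicate, weight in HEURISTICS:
        if predicate(calls):
            score += weight
            reasons.append("heuristic:" + rule)
    return ("suspicious" if score >= threshold else "clean"), reasons

def scan(processes=SAMPLE_PROCESSES):
    """Classify every process in the table; returns {name: (verdict, reasons)}."""
    return {name: classify(calls, img) for name, (calls, img) in processes.items()}

if __name__ == "__main__":
    for name, (verdict, reasons) in scan().items():
        print(f"{name:14} {verdict:10} {reasons}")
```

Real scanners add many more rules and run the image under an emulator to collect the call sequence, but the split between definitive signatures and weighted heuristics is the same.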