News:

MASM32 SDK Description, downloads and other helpful links
MASM32.com New Forum Link
masmforum WebSite

More Info Needed In Process Enumeration

Started by shakuni, May 04, 2008, 06:07:01 PM

Previous topic - Next topic
Print
Go Down Pages1
User actions

shakuni

May 04, 2008, 06:07:01 PM
There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how does the tool decides wheather a process is dangerous or not. My first thought was that this tool monitors all the api calls of all the processes and then based on that info it determines the dangerous processes but this can't be true since system processes uses almost same apis that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas?

donkey

#1
May 04, 2008, 06:55:51 PM
One of the funny heuristic signatures is if you call GetProcessHeap/HeapAlloc as the first calls in a program, f-secure and a few other heuristic scanners will flag this as malicious. The malware scanners look for a number of things and incorporate a kind of AI to load the suspected application into a debugger/emulator and scan it for specific signatures. You can learn more here...

http://www.securityfocus.com/infocus/1622

Donkey
"Ahhh, what an awful dream. Ones and zeroes everywhere...[shudder] and I thought I saw a two." -- Bender
"It was just a dream, Bender. There's no such thing as two". -- Fry
-- Futurama

Donkey's Stable
Print
Go Up Pages1
User actions