For anyone performing dynamic (live) analysis of malware, an essential tool to have at hand is Windows Sysinternals’ Process Monitor. So why is this a must for malware analysis? The website describes the tool best:

“Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.”

It monitors as much or as little activity as you want. With that being said, the output from Process Monitor can be a bit overwhelming (to say the least) if you don’t know how to use it: hundreds of events can occur per second, and letting malware run for 10-15 minutes will produce hundreds of thousands of logged events. Thankfully Process Monitor has a range of filters that can include or exclude events from the output. Plus, all of the output can be exported to a file for later viewing, which makes life pretty simple.

What is this

This is a repository of Process Monitor filter sets that, when loaded during analysis tasks, significantly aid reading the event list. They are meant for quick behavioural analysis of test specimens: a filter set can give a very detailed timeline of the malware’s execution, or be set to display only the activity associated with a targeted process. Sysinternals’ Process Monitor filters repository - collected from various places and made up by myself.
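To show what an include/exclude filter set does to a capture, here is an added example (not code from the repository or from Sysinternals) that applies Process Monitor-style rules to a CSV export. The sample CSV rows are constructed for the example, not taken from a real capture; the column names are the default ones Process Monitor writes when you save a log as CSV. The rule semantics are modelled on Process Monitor's documented behaviour and are assumed here: exclude rules take precedence, include rules on the same column are ORed, and include rules on different columns are ANDed. Two filter sets are defined, one that yields a timeline of a targeted process and one that narrows that to persistence, file-write and network activity.

```python
import csv
import io

# Constructed sample of a Process Monitor CSV export (default columns). Not a real capture.
SAMPLE_CSV = r"""Time of Day,Process Name,PID,Operation,Path,Result,Detail
"10:01:02.1000000","explorer.exe","1234","RegQueryValue","HKCU\Software\Classes","SUCCESS","Type: REG_SZ"
"10:01:02.2000000","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234"
"10:01:02.3000000","sample.exe","4321","CreateFile","C:\Users\lab\AppData\Roaming\svc.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.4000000","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc","SUCCESS","Type: REG_SZ, Data: C:\Users\lab\AppData\Roaming\svc.exe"
"10:01:02.5000000","sample.exe","4321","TCP Connect","10.0.0.5:49152 -> 203.0.113.7:443","SUCCESS","Length: 0"
"10:01:02.6000000","sample.exe","4321","RegQueryValue","HKLM\System\CurrentControlSet\Control\Nls","SUCCESS","Type: REG_DWORD"
"10:01:02.7000000","svchost.exe","800","CreateFile","C:\Windows\System32\drivers\etc\hosts","SUCCESS","Desired Access: Generic Read"
"10:01:02.8000000","sample.exe","4321","Process Exit","","SUCCESS","Exit Status: 0"
"""

# Relations available in the Process Monitor filter dialog; matching is case-insensitive.
RELATIONS = {
    "is": lambda field, value: field.lower() == value.lower(),
    "is not": lambda field, value: field.lower() != value.lower(),
    "contains": lambda field, value: value.lower() in field.lower(),
    "begins with": lambda field, value: field.lower().startswith(value.lower()),
    "ends with": lambda field, value: field.lower().endswith(value.lower()),
}

# A rule is (column, relation, value, action) with action "Include" or "Exclude".
# Filter set 1: everything the targeted process did, minus the noisy registry reads.
TARGET_PROCESS_TIMELINE = [
    ("Process Name", "is", "sample.exe", "Include"),
    ("Operation", "begins with", "RegQuery", "Exclude"),
]

# Filter set 2: quick behavioural triage of the same process: persistence writes,
# file creation and outbound connections only. Path/Detail excludes are assumed noise.
BEHAVIOUR_TRIAGE = [
    ("Process Name", "is", "sample.exe", "Include"),
    ("Operation", "is", "RegSetValue", "Include"),
    ("Operation", "is", "CreateFile", "Include"),
    ("Operation", "is", "TCP Connect", "Include"),
    ("Path", "begins with", r"HKLM\System\CurrentControlSet\Control\Nls", "Exclude"),
    ("Detail", "contains", "Generic Read", "Exclude"),
]


def load_events(csv_text):
    """Parse a Process Monitor CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def event_passes(event, rules):
    """Assumed Process Monitor semantics: Exclude wins; Includes OR per column, AND across columns."""
    for column, relation, value, action in rules:
        if action == "Exclude" and RELATIONS[relation](event[column], value):
            return False
    includes_by_column = {}
    for column, relation, value, action in rules:
        if action == "Include":
            includes_by_column.setdefault(column, []).append((relation, value))
    for column, tests in includes_by_column.items():
        if not any(RELATIONS[rel](event[column], val) for rel, val in tests):
            return False
    return True


def filter_events(events, rules):
    """Return only the events a Process Monitor filter set would display."""
    return [e for e in events if event_passes(e, rules)]


def timeline(events):
    """Render events as one line each, the way an analyst reads the filtered list."""
    return [
        f"{e['Time of Day']} {e['Process Name']}({e['PID']}) {e['Operation']} {e['Path']}".rstrip()
        for e in events
    ]


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    print(f"{len(events)} events captured")
    for name, rules in (("timeline", TARGET_PROCESS_TIMELINE), ("triage", BEHAVIOUR_TRIAGE)):
        print(f"--- {name} ---")
        for line in timeline(filter_events(events, rules)):
            print(line)
```

Against the constructed capture the timeline set keeps five of the eight events (the process start, file write, Run-key write, TCP connect and exit of sample.exe) while the triage set keeps three; the svchost.exe hosts-file read and explorer.exe registry read fall out of both because they fail the Process Name include. To use this on a real capture, save the log as CSV from Process Monitor and pass the file contents to load_events.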