Process Analyzer Overview

Process Analyzer is a stand-alone executable that complements SysAnalyzer. While SysAnalyzer focuses on system-wide analysis, Process Analyzer focuses on individual processes.

Process Analyzer can be run either by double-clicking it directly, or from the command line by specifying the process id and whether or not to run in interactive mode.

If run manually, Process Analyzer presents the user with two lists. The upper list shows all of the running processes detected on the system, while the lower list displays the known exploit signatures currently loaded.



To run Process Analyzer, just right-click on the process you wish to analyze and choose the "Analyze" option.

When run, Process Analyzer will take the following actions:
  • Take a memory dump of the executable
  • Copy a sample of the exe and the dump to [USER DESKTOP]\analysis
  • Scan the memory dump with its exploit scanner
  • Create strings listings of the memory dump file
  • Parse the strings listings for URLs, registry keys, and exe references
  • Compile some info on the executable, such as
    • file size
    • md5
    • file property info
Additionally, it can also add the output of the PEiD packer detector if that application is placed in Process Analyzer's home directory (must be the current .93 version).

Once all of this information is compiled, it presents a report to the user in a built-in editor.

The exploit scanner can also be launched independently from a right-click menu on the lower listbox. Note that the signatures it contains can never be all-inclusive. They were developed from known malcode, so newer exploits will need signatures generated for them, and new adaptations or implementations of old exploits may not trigger the specific signature detections. The signatures could also report false positives. This signature scanner is deliberately basic and is only intended as a guide to help analysts look for known functionality.

New exploit signatures can be added to the scanner without recompiling the application. When Process Analyzer first loads, it reads signatures from the file exploit_signatures.txt located in the application's home directory. Entries are one per line, in ini-style name = signature format. Signatures can be either plaintext strings or \x-encoded byte values.