flat assembler
Message board for the users of flat assembler.

Index > Windows > More Info Needed In Process Enumeration

Author
Thread Post new topic Reply to topic
shakuni



Joined: 11 Oct 2007
Posts: 24
shakuni
There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how does the tool decides wheather a process is dangerous or not. My first thought was that this tool monitors all the api calls of all the processes and then based on that info it determines the dangerous processes but this can't be true since system processes uses almost same apis that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas?

_________________
There is no rule, law or tradition that apply universally... including this one.
Post 04 May 2008, 18:05
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
revolution
shakuni wrote:
Any ideas?
Use an anti-virus program. Is it a subject of a large amount of research. I would expect that if you are one person trying this on your own then it will consume 100% of your time for many years before you can even get close to making something useful.
Post 04 May 2008, 18:41
View user's profile Send private message Visit poster's website Reply with quote
ic2



Joined: 19 Jan 2008
Posts: 75
ic2
Quote:
My first thought was that this tool monitors all the api calls of all the processes and then based on that info it determines the dangerous processes but this can't be true since system processes uses almost same apis that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas?

I don't think any program can tell this unless it is a Trog^n, V<rus or S^yware written program.
Quote:
Use an anti-virus program.....consume 100% of your time for many years

I agree, but I think these days programs has gotten so advance with today's modern technologies that comes out a cracker jack box. For example, in my case: Avira-AV has even attempted to take over my machine with the latest and greatest updates I accepted last week. Wonderful for a minute... Now I am in the processes at this very moment, of finding and deleting that annoying junk that had caused my machine an extra 2 ½ minutes to boot among other things.

And to speak of taking over machines... I now see what you mean, totally in the old String & Proc thread, revolution.

I thought AV's were to scan the PE header to extract needed information. Hell they hacked far ahead of all my first installed programs (with services by the (my) most respected drivers) and now AVIRA controls my FIREWALL and SYSTEM even at boot time. I even caught when it allow their packets to ride when RULES were SET that said "NO NO"... since accepting their new update... to date, I seen it ALL for over a week and have been keep track, seriously since I finally notice the change in boot time Like the average user/programmer, I blamed and tested everything else but AV update until yesterday.

I'm getting ready to re-install Windows and do it all over again .... just to be sure... while most would never see or even listen until years later ... I seen it ALL.

Bottom line at this point I would say, any program that goes beyond a PE header to extract information for information needed is a da^e Trogon itself. Anyway, I rather spend those years on how the OS handles those types of program, than go from there to learn quicker. This way you stay legit while figuring out how you want to do things... Not my way [unless]...for me it's delete delete practice. practice, remember... re-install re-install. I know no better and I don''t know how to seriously debugger such a thing and don't have to worry about it.

I hate wasting time, but that's what I do since Win95 to keep my machine fit. I need no spyware or vir^us fighter programs who grows-up to be the spyware itself for whatever reason. Anyway, I only got it on my machine to tell me if my FASM will ride or not and that's IT. I still plan to buy it (if it come on CD) but I'm going to hack the rot-guts out of it so it remember that ic2, most beloved, paid in full, (King of Firewalls) comes FIRST.

I'm new too and still learning but I think this should be explored by more experienced people who should want to know. If my english is not understood... don't worry about it
Post 05 May 2008, 19:18
View user's profile Send private message Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox
dont waste ur time
Post 06 May 2008, 15:12
View user's profile Send private message Reply with quote
shakuni



Joined: 11 Oct 2007
Posts: 24
shakuni
Quote:

dont waste ur time

I am sorry but I have nothing else to do.
My antivirus scanner written in pure asm and C will be out soon which has some process enumeration capabilities as well.
Post 06 May 2008, 16:49
View user's profile Send private message Reply with quote
revolution
When all else fails, read the source


Joined: 24 Aug 2004
Posts: 17662
Location: In your JS exploiting you and your system
revolution
ic2 wrote:
And to speak of taking over machines... I now see what you mean, totally in the old String & Proc thread, revolution.
I suggest you: use a router on your incoming Internet, don't download all the crap just because it is free, do use virustotal.com, and don't install Avira again.
Post 06 May 2008, 17:11
View user's profile Send private message Visit poster's website Reply with quote
asmrox



Joined: 19 Jan 2008
Posts: 160
asmrox
Quote:
I am sorry but I have nothing else to do.

Making such 'AVs' can be just a programming practise, nothing more. You would learn more writing viruses.

Therre infinity ways to bypass it. Maybe changing smth in kernel mode would do some effects, but if user will run .exe as admin it has no sense.
As more you code in KM you just make diffrent system, why not write one from 0?

Its just a waste of time.

Quote:
My antivirus scanner written in pure asm and C will be out soon which has some process enumeration capabilities as well.

nothing more than 'hello world', maybe just more advanced.
Post 06 May 2008, 18:41
View user's profile Send private message Reply with quote
shakuni



Joined: 11 Oct 2007
Posts: 24
shakuni
Quote:

Making such 'AVs' can be just a programming practise, nothing more. You would learn more writing viruses.Its just a waste of time.

I just told you that I have a lot of free time so please lemme "waste" it.
Quote:

nothing more than 'hello world', maybe just more advanced.

OMG I thought that there are only assembly experts here, But no, I was wrong. People here have sixth sense who can see the code that I have'nt posted yet. Can you please help me by "seeing" the windows source code and helping me implementing custom subsystem in windows (see my other thread). Thanks in advance
Post 06 May 2008, 19:46
View user's profile Send private message Reply with quote
Display posts from previous:
Post new topic Reply to topic

Jump to:  


< Last Thread | Next Thread >
Forum Rules:
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You cannot attach files in this forum
You can download files in this forum


Copyright © 1999-2020, Tomasz Grysztar. Also on GitHub, YouTube, Twitter.

Website powered by rwasa.