Professional Documents
Culture Documents
Lab 07 - Working With Windows Processes
Lab 07 - Working With Windows Processes
Lab 07 - Working With Windows Processes
NOTE(S):
• Further understand the different Process Explorer properties and settings, what
they mean, and how to benefit from them.
• Understand more about threads and processes with network connections.
• Searching for strings in program image files and memory.
• Understand the different Windows sessions.
By the end of the lab, you should have a better understanding of Windows processes,
threads, how to find strings in the image file and in memory, processes with network
connections, and the different Windows sessions and what each one is used for. You will
also have the ability to spot a suspicious process that tries to use a common Windows
process name.
Make sure you have the VPN files ready to connect to the HERA lab environment.
Lab Network:
• You:
o IP: 192.168.210.10
• RDP Credentials:
o Username: AdminELS
o Passwords: Nu3pmkfyX
To continue our understanding about Windows Processes, use Process Explorer to answer
the questions below. Some questions require you to do some research.
Determine how strings found while doing static analysis can help you with your analysis.
What if the malware sample you are working on is obfuscated so the strings cannot be found
during a basic search? This is one way of using the process’s memory to help us in our
analysis.
Note: There are three experiments to help you understand this task.
Use netcat to run an experiment and determine how the netcat listener on port 9999 can be
seen in a process monitoring tool such as process explorer.
Note: There is an experiment that will help you understand this task.
In this task, we want to understand what Windows sessions are and how to interact with
them.
Note: There is an experiment that will help you understand this task.
1. When we open Process Explorer, we can see that there are some processes in pink,
which represent based on procexp.exe’s documentation Windows services. Children
of these processes may be launched in a different color, as shown in Figure 2.1.
2. The reason there are two Client Server Runtime (csrss.exe) processes running is
because there will be one (csrss.exe) for the system and then one for each user that
is logged into the machine. If there are two users logged into a machine, there would
be three csrss.exe processes. It would be suspicious if any one user had multiple
instances running. Csrss.exe is used for “Console Windows, creating and/or deleting
threads, and some parts of the 16-bit virtual MS-DOS environment.” The details of
each process are shown in Figures 2.2 and 2.3, respectively.
Make sure you remember the full path to the csrss.exe program location and can
identify the parent of this process. The process IDs might be different, but they will
both show no parent name.
Now, you might be asking “but how did you know which one is for the system and
which is for the client?” The answer is, if we check the Security tab, we can see under
which session each one of them is running. Our system’s instance is running under
Session 0, as shown in Figure 2.4, while the client’s instance is running under Session
1, as shown in Figure 2.5.
Both csrss.exe processes are running under the user account named NT
AUTHORITY\SYSTEM which has the SID S-1-5-18. Remember these details, as they
are very important in case you are working on malware that is trying to run as a
csrss.exe process.
10
3. Now, this is a good question about Explorer.exe, since this process is always running
when a user is logged into the system, it makes it a great target by attackers to inject
their shellcode and run it from there, why? Because again, it’s always running. So, if
we find an explorer.exe listening on some port or even some connections going out of
it, this means it is probably running some injected code. If we double click on
Explorer.exe, we can see the general process details in Figure 2.6.
11
Before going to the TCP/IP tab to answer the question, you should make sure you
notice that this process does not have a parent, since the parent launches explorer.exe
and terminates itself, it is running under the context of the user that is logged into the
system, and also this process is running in session 1, as shown in Figure 2.7.
Now, go to the TCP/IP tab on the process details page as shown in Figure 2.8. We will
find that there is nothing listening there, which is the normal state of this process.
12
Explorer.exe should spawn the user’s programs, and nothing else. These siblings (or
child programs) can have listening ports, but explorer.exe itself should not. This is
true even if there are network shares that explorer.exe can access!
So, if you find the explorer on a system is not running out of system root and making
TCP/IP connections? Then it should be checked, since this is not normal at all!
Let’s do another test to understand cmd.exe processes a little. Open cmd.exe and
write down the process details. An instance of cmd.exe and it’s conhost.exe are
shown in Figure 2.9; in Figure 2.10, we can see the process details.
As shown, the cmd.exe has a process ID 6096 and the console host (conhost.exe) has
a process ID of 3656. Also, it is not only shown in Figure 2.9 that cmd.exe’s parent is
actually explorer.exe, but we can prove that from the cmd.exe details in Figure 2.10,
which shows that the explorer.exe is actually the parent of cmd.exe and it has the
3828 process ID.
13
Then, while in the command prompt, type cmd.exe again. What happened?
A new cmd.exe process is created, which is shown in Figure 2.11.
14
Is this another process or is it still the same process ,and do they match? Well, yes
this is another new process, but its parent is cmd.exe as shown in Figure 2.11 and is
proven by checking the new cmd.exe’s process details, which is shown in 2.12. We
can see that the cmd.exe ,which has a process ID of 3060, is the parent of the
cmd.exe that has the process ID 4400.
15
Now, while they are both running the same executable image, they do not match,
because each one of them is a different process with its own different details.
16
Feel free to do your experiments differently, the steps below are how I covered them, and I
hope they will help you understand the idea behind them.
EXPERIMENT #1
1. Double click on the program welcome.exe and record the process details. In my
case the details are shown in Figure 3.1.
17
2. Now, go to the Strings tab and search for the text that is displayed for you in the
image. This are shown in Figure 3.2.
If you ask me did, I find the text? The answer, as shown in Figure 3.6, is yes. The
reason why I was able to find it, is because this string is part of the executable image
itself. Plus, that, the string is easily searched using tools we saw in our static analysis
18
module. Also, if you look closely, you will not only see the “eLearnSecurity MAP”
string, but even the “Welcome to” string that is displayed in the message box.
Finally, if we search in the memory, we should also be able to find the string there
too. Check it out yourself.
EXPERIMENT #2
1. Open notepad.exe and write any text in it and save it as elsmapfile.txt. The process
details are shown in Figure 3.3 and are listed in ProcExp.exe as shown in Figure 3.4.
19
2. Now go to the Strings tab. Do a search for the file name you just created.
a. Did you find the file name? Why?
As shown in Figure 3.5, we couldn’t find the string, because it is not part of
the notepad.exe image file.
20
Figure 3.5 – Searching Notepad.exe Strings for file name / Not Found
b. On the same Strings tab, select the Memory option and search again. Did you
find the file name?
21
c. How do you think this could help us when dealing with Malware?
It will help us understand that if there is some information which is not part
of the image file (EXE) or only available after running the program, then we
can search the memory for that information. Whatever is hidden in the
executable itself is exposed in memory if we know where and how to search
22
for it. Keep in mind that not all strings are searched for this way, but this is
just one way of doing things.
EXPERIMENT #3:
This time do the same thing, but by starting the program welcome2.exe and searching for
the strings you saw in the message box. In my case that is shown in Figure 3.7.
Figure 3.7 – Searching Welcome2.exe Strings for file name / Not Found
23
As you can see, we were not able to find the text. If you load the program in CFF Explorer,
as shown in Figure 3.8, you will see that this program is actually packed, which means I can
only see what’s inside after unpacking the program.
Now, let us search for the strings in the memory of the process, which is shown in Figure
3.9.
24
We were able to find the strings and that’s because the program was unpacked in memory
and now the strings inside are shown in memory.
25
Open cmd.exe, then run the netcat program nc.exe as shown below (If the system asks you
for permission to open the port as shown in Figure 4.1, just select both networks and hit the
Allow access button):
Open another cmd.exe and make sure that the process is running properly by checking its
status using netstat as shown below:
I’m assuming you got something similar to the results shown in Figure 4.2.
26
Now, in process explorer go and check the TCP/IP tab for nc.exe, which in my case are
shown in Figure 4.3.
What we found is the same process status we saw in the cmd.exe when using netstat. This
also means we can check processes and their network status from process explorer. I
would recommend you check out what happens when another nc.exe connects to this
process.
27
In this task, we want to understand what Windows sessions are and how to interact with
them. Open cmd.exe with administrative privileges. Then launch notepad.exe and record
the PID, PPID, Parent Process, Session #, and the User. In my case these are shown in Figures
5.1 and 5.2, respectively.
28
Notepad.exe is running in session 1, which is an interactive session that our user can
interact with.
Now go to the SysInternals directory and run the program psexec.exe using the following
command:
If you are looking for the process notepad.exe under the psexec.exe under the explorer.exe
tree, stop and expand the services.exe tree and look under the service named
PSEXESVC.EXE ,as shown in Figure 5.3.
Even if we can see on the command line that we did run the program and it is seen in
process explorer, we still cannot see it on our desktop. Go to the notepad.exe process
details and check the session number there. As shown in Figure 5.4, the process is running
29
in session 0, which is why we cannot interact with it, since it is running in a different
isolated environment that our session does not have access to.
The first thing is to keep in mind that we can’t interact with processes running in session 0
directly and also, they will not be visual to us, since they are running in another environment
which is isolated. Another important thing to check in Figure 5.4, is the user that is running
the process is NT AUTHORITY\SYSTEM and not our normal user (or administrator), which
is what the psexec tool provided our run of notepad.exe.
Another nice feature in Process Explorer that we can use as proof, is on the notepad.exe’s
main process details page, click on the Bring to Front button, what happens is the system
will raise an error saying there is no visual window for this program, even though we all
know that notepad.exe is a visual tool. This is shown in Figure 5.5.
30
Before we end this lab, let’s do one more test. Run the program psexec.exe again, but this
time using the following command (using the -i option) as shown below:
But with that said, the process as shown in Figure 5.6 is still:
4. Running with the NT AUTHORITY\SYSTEM context as we wanted.
5. The process is running under Services.exe tree not the explorer.exe tree.
31
32