More Info Needed In Process Enumeration


This topic contains 1 reply, has 2 voices, and was last updated by Vadim Smirnov 9 years, 1 month ago.

  • #5198

    shakuni
    Participant

    There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how does the tool decide whether a process is dangerous or not. My first thought was that this tool monitors all the API calls of all the processes and then based on that info it determines the dangerous processes, but this can’t be true since system processes use almost the same APIs that are used by dangerous processes (like accessing registries and files on disk etc.). Any ideas? (Otherwise I would have to reverse the program myself to find out how it does that.)

    #6610

    Vadim Smirnov
    Moderator

    Probably you are right and the mentioned tool monitors the process behavior and the imported/used Win32 API. For example, not every normal process uses CreateRemoteThread.
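As an added illustration of the static half of that heuristic (example code written for this thread, not the tool shakuni asks about nor anything from this forum), the block below parses the import table of a PE32 image and reports imports that appear on a watchlist; the watchlist holds only CreateRemoteThread, the API named in the reply, and the PE fed to it is a constructed minimal image built by `build_sample_pe`, not a real executable. Because legitimate software imports the same APIs, a real scanner would treat such a hit as one signal to weigh against runtime behaviour rather than a verdict.

```python
import struct
WATCHLIST = {"CreateRemoteThread"}   # assumed watchlist; the reply names only this API

def pe_imports(pe):
    """Walk the import directory of a PE32 image and return {dll: [imported function names]}."""
    nt = struct.unpack_from("<I", pe, 0x3C)[0]                    # e_lfanew -> IMAGE_NT_HEADERS
    if pe[nt:nt + 4] != b"PE\0\0" or struct.unpack_from("<H", pe, nt + 24)[0] != 0x10B:
        raise ValueError("not a PE32 image (PE32+ keeps its data directory at another offset)")
    nsec, opt_size = struct.unpack_from("<H", pe, nt + 6)[0], struct.unpack_from("<H", pe, nt + 20)[0]
    imp_rva = struct.unpack_from("<I", pe, nt + 24 + 104)[0]      # DataDirectory[1] = import table
    secs = [struct.unpack_from("<IIII", pe, nt + 24 + opt_size + 40 * i + 8) for i in range(nsec)]
    def off(rva):                                                 # RVA -> file offset via section table
        for vsize, va, rawsize, raw in secs:
            if va <= rva < va + max(vsize, rawsize):
                return rva - va + raw
        raise ValueError("RVA %#x lies outside every section" % rva)
    result, d = {}, off(imp_rva)
    while (desc := struct.unpack_from("<IIIII", pe, d))[3]:       # 20-byte descriptors; Name == 0 ends them
        names, t = [], off(desc[0] or desc[4])                    # OriginalFirstThunk, else FirstThunk
        while (e := struct.unpack_from("<I", pe, t)[0]) != 0:
            if not e & 0x80000000:                                # high bit set = import by ordinal, no name
                o = off(e) + 2                                    # IMAGE_IMPORT_BY_NAME: 2-byte hint, then name
                names.append(pe[o:pe.index(b"\0", o)].decode("ascii"))
            t += 4
        o = off(desc[3])
        result[pe[o:pe.index(b"\0", o)].decode("ascii")] = names
        d += 20
    return result

def flag(pe):   # watchlisted APIs the image imports; empty set = nothing to flag on this heuristic
    return {fn for fns in pe_imports(pe).values() for fn in fns if fn in WATCHLIST}

def build_sample_pe(table):
    """Constructed minimal PE32 (headers plus one .idata section) for testing; not a real executable."""
    va, raw, body, descs = 0x1000, 0x200, bytearray(), b""
    base = va + (len(table) + 1) * 20                             # descriptors first, then names and thunks
    for dll, funcs in table.items():
        name_rva, rvas = base + len(body), []
        body += dll.encode() + b"\0"
        for fn in funcs:
            rvas.append(base + len(body))
            body += b"\0\0" + fn.encode() + b"\0"                 # hint = 0, then the function name
        body += b"\0" * (-len(body) % 4)                          # align the thunk array
        thunk_rva = base + len(body)
        body += b"".join(struct.pack("<I", r) for r in rvas) + b"\0" * 4
        descs += struct.pack("<IIIII", thunk_rva, 0, 0, name_rva, thunk_rva)
    sect = descs + b"\0" * 20 + body
    opt = (struct.pack("<H", 0x10B).ljust(104, b"\0") + struct.pack("<II", va, len(sect))).ljust(224, b"\0")
    hdr = (b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0"
           + struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, 224, 0x102) + opt
           + struct.pack("<8sIIII", b".idata", len(sect), va, len(sect), raw) + b"\0" * 16)
    return hdr.ljust(raw, b"\0") + bytes(sect)
```

Running `flag(build_sample_pe({"kernel32.dll": ["CreateRemoteThread", "ReadFile"]}))` yields `{'CreateRemoteThread'}`, while an image importing only `MessageBoxA` yields an empty set.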
