More Info Needed In Process Enumeration


  • #5198
    shakuni
    Participant

      There is this tool that fetches the list of all the running processes and then flags all those processes that are dangerous. Now, getting the list of all the running processes is trivial and has been discussed on the forums infinite times. What I ask is how the tool decides whether a process is dangerous or not. My first thought was that this tool monitors all the API calls of all the processes and then, based on that info, determines the dangerous processes, but this can't be true, since system processes use almost the same APIs that are used by dangerous processes (like accessing the registry and files on disk, etc.). Any ideas? (Otherwise I would have to reverse the program myself to find out how it does that.)

      #6610
      Vadim Smirnov
      Keymaster

        Probably you are right, and the mentioned tool monitors the process behavior and the imported/used Win32 APIs. As an example, not every normal process uses CreateRemoteThread.

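As an added example, not code from this thread or from the tool being discussed, the following Python script shows the static half of the check Vadim describes: walk a PE file's import directory and flag imports such as CreateRemoteThread that a normal process seldom needs. The watch list, the helper names and the hand-built sample PE (a constructed fixture, not a real binary) are assumptions for illustration; the PE layout itself follows the documented IMAGE_IMPORT_DESCRIPTOR / IMAGE_THUNK_DATA format for both PE32 and PE32+.

```python
import struct

# Imports that a benign process rarely needs but that injection/hooking tooling
# almost always does. This watch list is an illustrative assumption, not a definitive one.
SUSPICIOUS_IMPORTS = {
    "CreateRemoteThread": "starts a thread in another process (classic DLL injection)",
    "WriteProcessMemory": "writes into another process's address space",
    "VirtualAllocEx": "allocates memory inside another process",
    "SetWindowsHookExA": "installs a system-wide hook",
    "SetWindowsHookExW": "installs a system-wide hook",
    "NtQueueApcThread": "queues an APC in another thread (APC injection)",
}


def _rva_to_offset(sections, rva):
    """Map an RVA to a file offset using the section table."""
    for va, vsize, raw_ptr, raw_size in sections:
        if va <= rva < va + max(vsize, raw_size):
            return rva - va + raw_ptr
    raise ValueError(f"RVA {rva:#x} is not backed by any section")


def _cstring(data, off):
    return data[off:data.index(b"\0", off)].decode("ascii", "replace")


def parse_imports(data):
    """Return {dll_name: [imported function names]} from a PE file's import directory."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file (missing MZ header)")
    pe = struct.unpack_from("<I", data, 0x3C)[0]                 # e_lfanew
    if data[pe:pe + 4] != b"PE\0\0":
        raise ValueError("not a PE file (missing PE signature)")
    nsec = struct.unpack_from("<H", data, pe + 6)[0]             # FileHeader.NumberOfSections
    opt_size = struct.unpack_from("<H", data, pe + 20)[0]        # FileHeader.SizeOfOptionalHeader
    opt = pe + 24                                                # start of the optional header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:                                           # PE32
        dd_off, thunk_fmt, ordinal_flag = 96, "<I", 1 << 31
    elif magic == 0x20B:                                         # PE32+
        dd_off, thunk_fmt, ordinal_flag = 112, "<Q", 1 << 63
    else:
        raise ValueError(f"unknown optional header magic {magic:#x}")
    if struct.unpack_from("<I", data, opt + dd_off - 4)[0] < 2:  # NumberOfRvaAndSizes
        return {}
    import_rva = struct.unpack_from("<I", data, opt + dd_off + 8)[0]  # DataDirectory[1] (imports)
    if import_rva == 0:
        return {}                                                # no import table at all
    sections = []
    for i in range(nsec):
        hdr = opt + opt_size + i * 40
        vsize, va, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((va, vsize, raw_ptr, raw_size))

    imports = {}
    desc = _rva_to_offset(sections, import_rva)
    while True:
        ilt, _, _, name_rva, iat = struct.unpack_from("<IIIII", data, desc)
        if ilt == 0 and name_rva == 0 and iat == 0:              # all-zero terminator
            break
        dll = _cstring(data, _rva_to_offset(sections, name_rva)).lower()
        thunk = _rva_to_offset(sections, ilt or iat)             # prefer the unbound ILT
        funcs = []
        while True:
            entry = struct.unpack_from(thunk_fmt, data, thunk)[0]
            if entry == 0:
                break
            if entry & ordinal_flag:
                funcs.append(f"#{entry & 0xFFFF}")               # import by ordinal
            else:                                                # skip the 2-byte hint
                funcs.append(_cstring(data, _rva_to_offset(sections, entry) + 2))
            thunk += struct.calcsize(thunk_fmt)
        imports[dll] = funcs
        desc += 20
    return imports


def flag_suspicious(imports):
    """Return sorted (dll, function, reason) triples for imports on the watch list."""
    return sorted((dll, f, SUSPICIOUS_IMPORTS[f])
                  for dll, funcs in imports.items() for f in funcs if f in SUSPICIOUS_IMPORTS)


def build_sample_pe():
    """Construct a minimal PE32 whose only content is an import table (constructed test fixture)."""
    sec_va, sec_raw = 0x1000, 0x200
    sec = bytearray()

    def add(blob):                      # append to the section, return the blob's RVA
        rva = sec_va + len(sec)
        sec.extend(blob)
        while len(sec) % 4:             # keep thunk arrays 4-byte aligned
            sec.append(0)
        return rva

    dlls = {"KERNEL32.dll": ["CreateRemoteThread", "WriteProcessMemory", "VirtualAllocEx"],
            "USER32.dll": ["MessageBoxA"]}
    descs = b""
    for dll, funcs in dlls.items():
        name_rva = add(dll.encode() + b"\0")
        ilt = b"".join(struct.pack("<I", add(b"\0\0" + f.encode() + b"\0")) for f in funcs)
        ilt += b"\0" * 4                                         # zero-terminated thunk list
        ilt_rva, iat_rva = add(ilt), add(ilt)                    # unbound IAT is a copy of the ILT
        descs += struct.pack("<IIIII", ilt_rva, 0, 0, name_rva, iat_rva)
    descs += b"\0" * 20                                          # descriptor terminator
    import_rva = add(descs)

    data_dirs = b"\0" * 8 + struct.pack("<II", import_rva, len(descs)) + b"\0" * (8 * 14)
    opt = struct.pack("<H", 0x10B) + b"\0" * 90 + struct.pack("<I", 16) + data_dirs
    file_hdr = struct.pack("<HHIIIHH", 0x14C, 1, 0, 0, 0, len(opt), 0x102)
    sec_hdr = b".idata\0\0" + struct.pack("<IIII", len(sec), sec_va, len(sec), sec_raw) + b"\0" * 16
    headers = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40) + b"PE\0\0" + file_hdr + opt + sec_hdr
    return headers + b"\0" * (sec_raw - len(headers)) + bytes(sec)


if __name__ == "__main__":
    for dll, func, why in flag_suspicious(parse_imports(build_sample_pe())):
        print(f"{dll}!{func}: {why}")
```

To run it against a real executable, pass `open(path, "rb").read()` to `parse_imports` instead of the fixture. Two caveats a practitioner would add: a static import check only sees what is in the import table, so code that resolves APIs at runtime with GetProcAddress (or unpacks itself) will not show up, and a few legitimate programs (debuggers, some AV engines) import CreateRemoteThread for good reasons, so a hit is a signal to investigate, not a verdict; that is why a tool of this kind would combine the import scan with runtime behaviour monitoring, as the reply suggests.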