Re: Tool Release: ProcL - Detect Hidden Process

From: Pallav Khandhar <nightrover@gmail.com>
To: bugtraq@securityfocus.com,security-basics@securityfocus.com,pen-test@securityfocus.com,full-disclosure@lists.grok.org.uk,vuln-dev@securityfocus.com,binaryanalysis@securityfocus.com,honeypots@securityfocus.com,packet@packetstormsecurity.org,bugs@securitytracker.com,news@securiteam.com,focus-ms@securityfocus.com,secprog@securityfocus.com,forensics@securityfocus.com,dailydave@lists.immunitysec.com
Cc:
Subject: Re: Tool Release: ProcL - Detect Hidden Process
Date:


Greetings,

I am glad to release ProcL v1.0.  ProcL employs many different methods  
to detect hidden processes. Essentially, ProcL detailed and  
implemented a mechanism to embed all these different approaches in one  
tool to detect hidden processes. Our methods of detecting hidden  
processes requires the examination of each kernel object - EPROCESS,  
ETHREADS, HANDLES, JOBS. Therefore, we believe, ProcL would defeat  
process concealment from one certain method.

Hiding a process is particularly threatening because it represents  
some malicious code running on your system that you are completely  
unaware of. Process hiding has a significant effect. Many of the  
trojan, virus, spyware, rootkit writers use similar techniques to hide  
themselves and stay undetected as long as possible on target machines.  
Finding all the ways a rootkit might hide a process is just the first  
step in defending against the rootkits. Detecting hidden objects is a  
promising new area in rootkit detection.

For more information on the tool
http://www.scanit.net/rd/tools/03

Download the tool
http://www.scanit.net/files/tools/ProcL.zip

Cheers,
Pallav Khandhar
Sr. Security Researcher
Scanit R&D Lab





Copyright © 1995-2021 LinuxRocket.net. All rights reserved.