Checking In – Project Technologies

It’s been about a month since my first post, and quite a bit has happened in that short amount of time. I chose a project topic, received my team assignments, and hit the ground running! My project this term is more in the realm of cybersecurity research than building an application, but so far I have enjoyed the process and working with my teammates. Our research is focused on malware sample analysis, and that work involves a wide range of software, tools, and other technologies that we have at our disposal.

One of my favorite tools for malware analysis is Process Monitor, or ProcMon. It may not be the most glamorous answer, and it might not be a popular choice when there are so many newer and fancier analysis tools out in the world, but there’s a reason it has been around since the 90s-00s and continues to be a highly ranked tool for this type of research.

Process Monitor in action

ProcMon was built to record live file-system activity, process creation, and registry key changes. This is especially useful in malware analysis because some types of malware will pull a Houdini when run and disappear from the current directory completely. With this tool you can watch and wait to see where new folders and processes are being created and started, even as they occur in the background away from prying eyes. It’s a little like sleuthing: looking at all the raw clues and putting them together to figure out where the malware has popped up and what it’s up to now.

One downside to this tool is the sheer volume of sifting required to find the needle in the haystack. Within seconds there can be thousands of events on the screen as the computer goes about its normal processes, in addition to whatever the malware is doing as it carries out its nefarious purpose. There is the option to export the data to CSV for analysis elsewhere, but the tool would be much improved if the filters worked as well as they are meant to and all sorting could be done directly inside ProcMon. With all the information that can be gleaned from it to spur further investigation, it is definitely a favorite of mine.
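Since the post mentions exporting the capture to CSV when the built-in filters fall short, here is an added example (my own code, not part of the original post or of ProcMon) of the kind of triage script I use on such an export. It assumes the default column names ProcMon writes to CSV (Time of Day, Process Name, PID, Operation, Path, Result, Detail), that "Process Start" rows carry "Parent PID: N" in the Detail column, and a noise list of processes to ignore that is my own choice for a lab image. The sample rows are constructed to mimic a dropper copying itself to AppData, registering a Run key and launching the copy; they are not from a real capture.

```python
import csv
import io
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of ProcMon's "Export to CSV" output with its
# default columns. Every row below is made up for illustration.
SAMPLE_CSV = r'''
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1000000","explorer.exe","1234","RegQueryValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Type: REG_SZ"
"10:01:02.2000000","sample.exe","4321","Process Start","","SUCCESS","Parent PID: 1234, Command line: C:\Users\lab\Desktop\sample.exe"
"10:01:02.3000000","sample.exe","4321","CreateFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.4000000","sample.exe","4321","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.5000000","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\updater","SUCCESS","Type: REG_SZ, Length: 90, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.6000000","sample.exe","4321","Process Create","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","PID: 5555, Command line: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.7000000","svchost.exe","800","ReadFile","C:\Windows\System32\ntdll.dll","SUCCESS","Offset: 0, Length: 65,536"
"10:01:02.8000000","updater.exe","5555","Process Start","","SUCCESS","Parent PID: 4321, Command line: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.9000000","sample.exe","4321","CreateFile","C:\Users\lab\Desktop\sample.exe","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:03.0000000","sample.exe","4321","Process Exit","","SUCCESS","Exit Status: 0"
'''.strip() + "\n"

# Processes treated as background noise for this triage. This list is an
# assumption of the example (tune it per lab image), not a ProcMon setting.
NOISE_PROCESSES = {"explorer.exe", "svchost.exe", "procmon.exe", "procmon64.exe"}

# Operation names as ProcMon prints them; the grouping into "write-like" is ours.
FILE_WRITE_OPS = {"WriteFile", "SetRenameInformationFile", "SetDispositionInformationFile"}
REG_WRITE_OPS = {"RegSetValue", "RegCreateKey", "RegDeleteValue", "RegDeleteKey"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\(Run|RunOnce)\\", re.IGNORECASE)


def load_events(csv_text: str) -> list[dict]:
    """Parse ProcMon CSV text into one dict per event, keyed by the header names."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def drop_noise(events: list[dict], noise: set[str] = NOISE_PROCESSES) -> list[dict]:
    """Remove events from processes we treat as normal background activity."""
    return [e for e in events if e["Process Name"].lower() not in noise]


def operation_counts(events: list[dict]) -> Counter:
    """Events per (process, operation) pair: the first cut when thousands of rows scroll past."""
    return Counter((e["Process Name"], e["Operation"]) for e in events)


def process_tree(events: list[dict]) -> dict[str, list[str]]:
    """Map parent PID -> [child PID, ...] from the 'Parent PID: N' text in
    the Detail column of 'Process Start' events."""
    tree: dict[str, list[str]] = defaultdict(list)
    for e in events:
        if e["Operation"] == "Process Start":
            m = re.search(r"Parent PID: (\d+)", e["Detail"])
            if m:
                tree[m.group(1)].append(e["PID"])
    return dict(tree)


def files_written(events: list[dict]) -> dict[str, set[str]]:
    """Paths each process successfully wrote, renamed or deleted: where a
    sample that 'vanished' from its directory actually went."""
    out: dict[str, set[str]] = defaultdict(set)
    for e in events:
        if e["Operation"] in FILE_WRITE_OPS and e["Result"] == "SUCCESS":
            out[e["Process Name"]].add(e["Path"])
    return dict(out)


def run_key_writes(events: list[dict]) -> list[tuple[str, str]]:
    """(process, registry path) for successful writes under ...\\CurrentVersion\\Run
    or RunOnce, the classic autostart location to check after a sample disappears."""
    return [
        (e["Process Name"], e["Path"])
        for e in events
        if e["Operation"] in REG_WRITE_OPS
        and e["Result"] == "SUCCESS"
        and RUN_KEY_RE.search(e["Path"])
    ]


def triage(csv_text: str) -> dict:
    """Run every summary over a CSV export with noise removed."""
    events = drop_noise(load_events(csv_text))
    return {
        "event_count": len(events),
        "operations": operation_counts(events),
        "tree": process_tree(events),
        "files_written": files_written(events),
        "run_keys": run_key_writes(events),
    }


if __name__ == "__main__":
    report = triage(SAMPLE_CSV)
    print(f"{report['event_count']} events after noise removal")
    for (proc, op), n in report["operations"].most_common():
        print(f"  {n:5d}  {proc:<14} {op}")
    print("process tree:", report["tree"])
    print("files written:", report["files_written"])
    print("Run key writes:", report["run_keys"])
```

To use it on a real export, read the CSV file into a string and pass it to `triage()`; on a capture with hundreds of thousands of rows the `operation_counts` table alone usually tells you which process and operation types deserve a closer look before you start scrolling.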
