|25 Aug 2010||#1|
| || |
Quick Tip: Locate Malicious Handles Quickly
Locate Malicious Handles Quickly
A lot of us, I'm sure, use process explorer or process hacker (some might just use task manager) to view, verify and analyze the processes running on our computers. If a strange process shows up (bykxlvd.exe, for instance) we'll quickly start to investigate and take whatever actions we think necessary.
Some malicious files (the Zeus Trojan, for instance) may not show up as a running process, but instead may simply "hook" into a program by creating a handle to it. Because of this, we won't see it in task manager, and unless we are being very detailed, we might miss it in Process Explorer or Process Hacker.
The following command line command will enumerate all the handles registered in your system, then search for names that contain .exe, and then write the results to a text file and place it on your desktop.
In this way, you can look at a (hopefully) short list of executables and quickly determine if any look out of the ordinary--and then further investigate if necessary.
What you'll Need: Handles, by Sys Internals (197kb). Please either install the tool into your System32 folder, or create an entry in your PATH system variable (My Computer>Properties>Advanced>Environment Variables). If you don't do this, then you will need to include the full path name of the tool when using this command.
How to do it: Run this command in a command prompt (Note that you can also save this command to a text file and save it with a .bat extension, to run it as a clickable batch file. If running in a batch file, you will need to replace the % with two %%:
For /F "tokens=1,2,3,4*" %G in (' handle ^| find ".exe" ') do ( echo [%G] [%H] [%I] [%J] [%K] >> "%USERPROFILE%\Desktop\CurrentHandles.txt" )
Update: Edited the command so that it accurately identifies all executable handles and running executables.
|My System Specs|
|Similar help and support threads for2: Quick Tip: Locate Malicious Handles Quickly|
|lsass,exe leaking resources (handles)||General Discussion|
|Handles of taskbar disappear and reappear every few minutes||General Discussion|
|USB controller and hub weirdness, which driver handles which port||Drivers|
|Alert:Threat Type: Malicious Web Site / Malicious Code||Security News|
|Latest SQL injection quickly spreads malicious JS||System Security|
|Resource Monitor - View Handles and Modules||Tutorials|