SANS Digital Forensics and Incident Response Blog

Live Investigations

Ever need to get hold of a set of trusted tools to check processes on a live Windows host and just don't have a disk with them on you?

Well, the answer is at hand. Sysinternals has a "live" site. On it they provide a simple list of all of their tools, ready for direct download wherever you are (as long as you have Internet access, of course). As the site states:

Sysinternals Live is a service that enables you to execute Sysinternals tools directly from the Web without hunting for and manually downloading them. Simply enter a tool's Sysinternals Live path into Windows Explorer or a command prompt as http://live.sysinternals.com/<toolname> or \\live.sysinternals.com\tools\<toolname>.

One of these tools is pslist.


Pslist displays process, CPU and memory information or thread statistics for all processes that are presently running on the system. The information listed for each process includes the time the process has executed, the amount of time the process has executed in kernel and user modes, and the amount of physical memory that the OS has assigned the process. Command-line switches allow the viewing of memory-oriented process information, thread statistics, or all three types of data.

Syntax

pslist [-?] [-d] [-m] [-x] [-t] [-s [n] [-r n]] [\\computer [-u username] [-p password]] [name | pid]

Some common parameters

-d Shows statistics for all active threads on the system, grouping threads with their owning process.

-m Shows memory-oriented information for each process, rather than the default of CPU oriented information.

-x Shows CPU, memory, and thread information for each of the processes specified.

-t Shows the tree of processes.

This tool (and many others) can be downloaded from http://live.sysinternals.com/.

In its standard mode, this tool is similar to the UNIX 'ps' command. When run with a combination of the parameters, it becomes a powerful tool that can greatly aid in locating malware on live systems. The '-x' parameter groups each process with its CPU, memory and thread information, allowing a far more granular look at what is occurring on the system (as is displayed below).

[Screenshot: pslist -x output]

The '-t' (tree) option, on the other hand, displays the process hierarchy, i.e. which process spawned which.

[Screenshot: pslist -t output]

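The tree view is the one that matters most when hunting for malware: a system process name is only trustworthy if it sits under the parent it is supposed to have. The following Python is an added example (not code from the post or from Sysinternals) that parses the indented tree `pslist -t` prints and flags well-known process names running under an unexpected parent. The sample output is constructed to mimic pslist's layout (two spaces of indent per tree level); the expected-parent table is an assumption covering both the XP-era hierarchy shown in the sample and the Vista-and-later one, where services and lsass start from wininit.

```python
"""Parse `pslist -t` output into a process tree and flag system-process
names whose parent is not what it should be.  Added example; the sample
output below is constructed and the expected-parent table is an assumption."""

import re

# Constructed sample in the layout pslist -t uses (two spaces per level).
SAMPLE_PSLIST_T = """\
pslist v1.29 - Sysinternals PsList
Copyright (C) 2000-2009 Mark Russinovich
Sysinternals - www.sysinternals.com

Process information for WORKSTATION1:

Name                             Pid Pri Thd  Hnd      VM      WS    Priv
Idle                               0   0   1    0       0      28       0
System                             4   8  57  509    1736     236      48
  smss                           476  11   3   19    3836     400     168
    csrss                        556  13  10  454   32620    3548    1560
    winlogon                     580  13  19  515   57360    4596    6364
      services                   624   9  16  343   23936    4708    2108
        svchost                  816   8  18  213   35352    4884    2788
      lsass                      636   9  20  357   41100    1132    3788
explorer                        1392   8  13  409   79556   18912   14632
  cmd                           2040   8   1   26   12840    1820    1716
    pslist                      2312  13   2   83   17504    3176    1228
  lsass                         2444   8   3   40   21304    3812    2412
"""

HEADER_RE = re.compile(r"^Name\s+Pid\b")


def parse_pslist_tree(text):
    """Return {pid: {"name": str, "depth": int, "parent": pid or None}}.

    Everything up to and including the column header is skipped; after it,
    the indent of each line gives its depth and the nearest shallower line
    above it is its parent."""
    procs = {}
    stack = []            # (depth, pid) of the ancestors of the current line
    in_table = False
    for raw in text.splitlines():
        if not in_table:
            in_table = bool(HEADER_RE.match(raw))
            continue
        if not raw.strip():
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        depth = indent // 2
        fields = raw.split()
        name, pid = fields[0], int(fields[1])
        while stack and stack[-1][0] >= depth:
            stack.pop()
        parent = stack[-1][1] if stack else None
        procs[pid] = {"name": name, "depth": depth, "parent": parent}
        stack.append((depth, pid))
    return procs


# Assumed expectations: which parent a system process name should have.
EXPECTED_PARENTS = {
    "csrss": {"smss"},
    "services": {"winlogon", "wininit"},
    "lsass": {"winlogon", "wininit"},
    "svchost": {"services"},
}


def find_misparented(procs):
    """Return [(pid, name, parent_name)] for known names under the wrong parent."""
    hits = []
    for pid, p in sorted(procs.items()):
        expected = EXPECTED_PARENTS.get(p["name"].lower())
        if expected is None:
            continue
        parent = procs.get(p["parent"])
        parent_name = parent["name"] if parent else "<none>"
        if parent_name.lower() not in expected:
            hits.append((pid, p["name"], parent_name))
    return hits


if __name__ == "__main__":
    tree = parse_pslist_tree(SAMPLE_PSLIST_T)
    for pid, name, parent in find_misparented(tree):
        print(f"suspicious: {name} (pid {pid}) running under {parent}")
```

On the constructed sample the real lsass (pid 636) sits under winlogon and passes, while the second "lsass" (pid 2444) is a child of explorer and is reported; that is exactly the kind of mismatch the tree view makes visible and the flat listing hides.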
Best of all, these tools can now be run directly from the web.

Craig Wright is a Director with Information Defense in Australia. He holds both the GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and e-commerce law, and is working on his fourth IT-focused Master's degree (Master's in System Development) at Charles Sturt University, where he is helping to launch a Master's degree in digital forensics. He is engaged in his second doctorate, a PhD on the quantification of information system risk at CSU.

8 Comments

Posted June 22, 2009 at 12:44 PM

Dave Hull

Good info, Craig. I didn't know about http://live.sysinternals.com. Question, how can I run these and keep the command shell window open long enough to see the output?

Posted June 22, 2009 at 1:02 PM

Doug Burks

Dave,
I believe you can do this by launching a command prompt and referencing the tool's UNC path like this:
\\live.sysinternals.com\tools\pslist.exe
(This assumes your firewall allows SMB traffic to live.sysinternals.com.)

Posted June 22, 2009 at 8:36 PM

craigswright

Actually, the syntax is correct, but it does use HTTP. I have included a log sample to show this below where I am on 203.57.21.111, the Proxy is on 203.57.21.103 and live.sysinternals is on 207.46.140.150.
What occurs is that the connection tries over NBT, fails and then embeds in HTTP. With Web folders (XP, Vista, Win 7), you can run network shares over HTTP.
So the result is that you can connect even with a firewall - as long as you have a proxied connection to sysinternals.
Give it a go.
Here are the logs.
Jun 23 06:37:11 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26692 DF PROTO=TCP SPT=11745 DPT=80 SEQ=1870090135 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:11 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26693 DF PROTO=TCP SPT=11746 DPT=80 SEQ=2041725747 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:11 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26694 DF PROTO=TCP SPT=11747 DPT=80 SEQ=4061277770 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:12 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26717 DF PROTO=TCP SPT=11748 DPT=80 SEQ=2861956311 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:12 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10331 DF PROTO=TCP SPT=62228 DPT=445 SEQ=1496903742 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:37:13 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10342 DF PROTO=TCP SPT=62229 DPT=139 SEQ=2657529080 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:37:15 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10382 DF PROTO=TCP SPT=62228 DPT=445 SEQ=1496903742 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:37:16 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10390 DF PROTO=TCP SPT=62229 DPT=139 SEQ=2657529080 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:37:21 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10454 DF PROTO=TCP SPT=62228 DPT=445 SEQ=1496903742 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:22 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=10456 DF PROTO=TCP SPT=62229 DPT=139 SEQ=2657529080 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:38:10 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29608 DF PROTO=TCP SPT=11778 DPT=80 SEQ=3979115720 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)

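The pattern in those gateway logs (a workstation's outbound SMB and NetBIOS connects on 445/139 being denied, while the web proxy opens port 80 sessions to the same destination a second later) is a useful thing to be able to spot in your own logs, since it is the signature of a UNC path to an Internet host being resolved over WebDAV. The following Python is an added example, not code from the post or from any of the commenters; it parses iptables-style LOG lines of the form shown above (a subset of the lines from the comment, with the garbled dash restored) and reports the workstation/proxy/destination triples where that fallback occurred. The `RULE n - ACTION` prefix is taken from the logs as posted and is an assumption about the gateway's log format.

```python
"""Correlate denied outbound SMB/NetBIOS attempts with proxied HTTP sessions
to the same destination.  Added example; the prefix format is assumed from
the posted logs and the sample lines are a subset of those in the comment."""

import re
from datetime import datetime

FIREWALL_LOG = """\
Jun 23 06:37:11 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26692 DF PROTO=TCP SPT=11745 DPT=80 SEQ=1870090135 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:11 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=26693 DF PROTO=TCP SPT=11746 DPT=80 SEQ=2041725747 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
Jun 23 06:37:12 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10331 DF PROTO=TCP SPT=62228 DPT=445 SEQ=1496903742 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:37:13 syd-gw kernel: RULE 31 - DENY IN=eth1 OUT=eth0 SRC=203.57.21.111 DST=207.46.140.150 LEN=52 TOS=0x00 PREC=0x00 TTL=127 ID=10342 DF PROTO=TCP SPT=62229 DPT=139 SEQ=2657529080 ACK=0 WINDOW=8192 RES=0x00 SYN URGP=0 OPT (020405B40103030201010402)
Jun 23 06:38:10 syd-gw kernel: RULE 15 - ACCEPT IN=eth1 OUT=eth0 SRC=203.57.21.103 DST=207.46.140.150 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=29608 DF PROTO=TCP SPT=11778 DPT=80 SEQ=3979115720 ACK=0 WINDOW=65535 RES=0x00 SYN URGP=0 OPT (020405B401010402)
"""

# syslog timestamp, host, then the assumed "RULE n - ACTION" prefix and the
# iptables key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) kernel: "
    r"RULE (?P<rule>\d+) - (?P<action>ACCEPT|DENY) (?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

SMB_PORTS = {445, 139}


def parse_log(text):
    """Turn each matching line into a dict with the fields we correlate on."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        kv = dict(KV_RE.findall(m.group("rest")))
        # Syslog omits the year; ordering within one day is all we need here.
        ts = datetime.strptime(" ".join(m.group("ts").split()), "%b %d %H:%M:%S")
        events.append({
            "ts": ts,
            "rule": int(m.group("rule")),
            "action": m.group("action"),
            "src": kv.get("SRC"),
            "dst": kv.get("DST"),
            "proto": kv.get("PROTO"),
            "dpt": int(kv["DPT"]) if "DPT" in kv else None,
        })
    return events


def find_webdav_fallback(events, window_seconds=60):
    """Return sorted unique (workstation, proxy, destination) triples where a
    workstation's SMB/NetBIOS connect to `destination` was denied and, within
    the window, a different source reached the same destination on port 80."""
    denied = [e for e in events if e["action"] == "DENY" and e["dpt"] in SMB_PORTS]
    web = [e for e in events if e["action"] == "ACCEPT" and e["dpt"] == 80]
    hits = set()
    for d in denied:
        for w in web:
            same_dst = w["dst"] == d["dst"] and w["src"] != d["src"]
            close = abs((w["ts"] - d["ts"]).total_seconds()) <= window_seconds
            if same_dst and close:
                hits.add((d["src"], w["src"], d["dst"]))
    return sorted(hits)


if __name__ == "__main__":
    for workstation, proxy, dst in find_webdav_fallback(parse_log(FIREWALL_LOG)):
        print(f"{workstation} fell back to HTTP via {proxy} to reach {dst}")
```

Run against the posted lines, this yields a single triple: 203.57.21.111 (Craig's workstation) had 445 and 139 denied, and 203.57.21.103 (the proxy) carried the port 80 sessions to 207.46.140.150. The check deliberately keys on the destination rather than the ports alone, because blocked outbound SMB on its own is routine noise at most gateways; it is the paired proxied HTTP to the same host that singles out a UNC-over-WebDAV fetch.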
Posted June 23, 2009 at 1:18 AM

Dave Hull

That's it Craig. I should have tried it before asking. :)
Very cool. Thanks for sharing the info, judging from the chatter there were quite a few of us that didn't know this was available.

Posted June 23, 2009 at 9:31 PM

Randy

Well, at first I thought "dns" would be stopped using the symantec site. But through SMB and command prompt, which I never tried, would work I believe even with infections. I have been experimenting with ways to get around malware preventing the loading of tools because of DNS. If this works then one could also crap other tools this way. We block nothing out but I was a little surprised to see the file download through the command prompt.

Posted June 23, 2009 at 10:47 PM

Randall

Sorry bout "crap", meant grab!

Posted June 24, 2009 at 12:42 AM

Randall

I would love to see malware and virus standalone apps available this way, but obscuring the DNS so as to access them; this might work.

Posted June 26, 2009 at 9:27 PM

Richard Bejtlich

So this is indeed cool, but when you access the tools via proxied Web connections you're just downloading them and running them locally. The same goes for a UNC connection, except you don't get to keep the copy you run.