DOCSLIB.ORG

BLOG Windows CLI and Tools – Part 2

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
BLOG Windows CLI and Tools – Part 2 Windows CLI and Tools – Part 2 ALEXANDRE BORGES - BLOG Windows CLI and Tools – Part 2 Author: Alexandre Borges Revision: A.1 Website: http://alexandreborges.org This second part of the series brings some additional and useful command which can be used on a daily administration: Command 57: How to get a list of processes and associated network information The command tcpvcon.exe (from Sysinternals suite - http://technet.microsoft.com/en- us/sysinternals/bb842062.aspx) shows every processes and associated ports from a Windows system: C:\Sysinternals>Tcpvcon.exe -a TCPView v3.01 - TCP/UDP endpoint viewer Copyright (C) 1998-2010 Mark Russinovich and Bryce Cogswell Sysinternals - www.sysinternals.com [TCP] googledrivesync.exe PID: 2692 State: ESTABLISHED Local: exadata.example.com Remote: qc-in-f125.1e100.net [TCP] googledrivesync.exe PID: 2692 State: ESTABLISHED Local: exadata.example.com Remote: qc-in-f125.1e100.net [TCP] chrome.exe PID: 2836 State: ESTABLISHED Local: exadata.example.com Remote: qc-in-f125.1e100.net [TCP] AvastSvc.exe PID: 1920 State: ESTABLISHED Local: exadata.example.com Remote: r-051-044-234-077.ff.avast.com [TCP] vmware.exe PID: 9508 State: ESTABLISHED Local: EXADATA Remote: localhost [TCP] vmware.exe PID: 9508 State: CLOSE_WAIT Local: exadata.example.com Remote: a23-199-243-51.deploy.static.akamaitechnologies.com [TCP] vmnat.exe PID: 4464 http://alexandreborges.org Page 1 Windows CLI and Tools – Part 2 State: CLOSE_WAIT Local: exadata.example.com Remote: 69.31.75.226 [TCP] vmnat.exe PID: 4464 State: ESTABLISHED Local: exadata.example.com Remote: exadata.example.com (truncated output) Using Tcpvcon.exe is possible to export the output to a CSV file and import it into Excel: C:\Sysinternals>Tcpvcon.exe –a -c > list_conn.csv Figure 1 Command 58: How to determine resources are associated with a process Sometimes we need to know all resources (file, registry keys, and network ports) which are associated with a process and the handle.exe tool from Sysinternals can be appropriate: C:\Sysinternals>handle.exe -p Dropbox.exe Handle v3.51 Copyright (C) 1997-2013 Mark Russinovich http://alexandreborges.org Page 2 Windows CLI and Tools – Part 2 Sysinternals - www.sysinternals.com ---------------------------------------------------------------------- -------- Dropbox.exe pid: 1484 EXADATA\Administrator 14: File (RW-) C:\Windows 20: File (RW-) C:\Windows\SysWOW64 24: File (RW-) C:\Windows\winsxs\x86_microsoft.vc90.crt_1fc8b3b9a1e18e3b_9.0.30729.61 61_none_50934f2ebcb7eb57 1C4: File (R-D) C:\Windows\SysWOW64\en-US\KernelBase.dll.mui 1C8: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7 601.18120_none_72d2e82386681b36 1CC: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.common- controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 220: Section \Sessions\1\BaseNamedObjects\windows_shell_global_counters 2FC: Section \BaseNamedObjects\__ComCatalogCache__ 308: Section \BaseNamedObjects\__ComCatalogCache__ 3D8: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\notifications.dbx 408: File (R-D) C:\Windows\SysWOW64\wbem\wbemdisp.tlb 494: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\photo.dbx 4D8: File (RW-) C:\Users\Administrator\AppData\Roaming\DropboxMaster\instance.dbx 4DC: File (RW-) C:\Users\ADMINI~1\AppData\Local\Temp\dropbox_sqlite_ext.{5f3e3153- 5bce-5766-8f84-3e3e7ecf0d81}.tmpwvlmpb.lck 588: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\config.dbx 5BC: File (R-D) C:\Windows\SysWOW64\FirewallAPI.dll 5C4: File (R-D) C:\Windows\SysWOW64\stdole2.tlb 698: Section \Sessions\1\BaseNamedObjects\libcef_5458814812778194973 70C: File (RWD) C:\Windows\System32\drivers\etc 7D0: File (R-D) C:\Windows\Fonts\StaticCache.dat 8EC: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\sigstore.dbx 8F8: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\filecache.dbx 9E0: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\TO_HASH_mwg23a BF0: File (RW-) C:\Users\Administrator\AppData\Roaming\Dropbox\deleted.dbx C5C: File (RW-) C:\Windows\winsxs\x86_microsoft.windows.common- controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2 C60: File (RW-) C:\Users\Administrator\Dropbox Command 59: How to detect network card interface (NIC) working in promiscuous mode To determine which NIC are working in promiscuous mode we can use a tool named promiscdetect (http://ntsecurity.nu/toolbox/promiscdetect/) . If exists any NIC that doesn’t support promiscuous mode (for example, wireless cards) then the tool can’t open the adapter: C:\Users\Administrator\Desktop\Forensic_Study>promiscdetect.exe PromiscDetect 1.0 - (c) 2002, Arne Vidstrom ([email protected]) - http://ntsecurity.nu/toolbox/promiscdetect/ http://alexandreborges.org Page 3 Windows CLI and Tools – Part 2 Adapter name: - Intel(R) 82579LM Gigabit Network Connection Active filter for the adapter: - Directed (capture packets directed to this computer) - Multicast (capture multicast packets for groups the computer is a member of) - Broadcast (capture broadcast packets) Adapter name: - Intel(R) Centrino(R) Ultimate-N 6300 AGN Active filter for the adapter: - Directed (capture packets directed to this computer) - Multicast (capture multicast packets for groups the computer is a member of) - Broadcast (capture broadcast packets) Adapter name: - Realtek RTL8187 Wireless 802.11b/g 54Mbps USB 2.0 Network Adapter Warning: Cannot open the adapter Adapter name: - SAMSUNG Mobile USB Remote NDIS Network Device Warning: Cannot open the adapter Adapter name: - VirtualBox Host-Only Ethernet Adapter Active filter for the adapter: - Directed (capture packets directed to this computer) - Multicast (capture multicast packets for groups the computer is a member of) - Broadcast (capture broadcast packets) Command 60: How to list, disable and enable applications (programs, dlls, services, codecs, etc…) which will be started in next boot Doubtless, the best application for this task is Autoruns.exe and Autorunsc.exe from Sysinternals. Personally, I like the option –v (to verify digital signatures) and –m (to exclude signed Microsoft entries (applications, dlls, etc..) c:\Sysinternals>autorunsc.exe -v -m | more Autostart program viewer Copyright (C) 2002-2013 Mark Russinovich and Bryce Cogswell Sysinternals - www.sysinternals.com HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Entry last modified: 25/01/2014 22:23 [DISABLED] NVHotkey rundll32.exe C:\Windows\system32\nvHotkey.dll,Start http://alexandreborges.org Page 4 Windows CLI and Tools – Part 2 NVIDIA Hotkey Service, Version 268.83 (Verified) NVIDIA Corporation 8.17.12.6883 c:\windows\system32\nvhotkey.dll 05/06/2011 08:36 HKLM\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run Entry last modified: 07/03/2014 13:39 ZoneAlarm "C:\Program Files (x86)\CheckPoint\ZoneAlarm\zatray.exe" ZoneAlarm (Verified) Check Point Software Technologies Ltd. 12.0.104.0 c:\program files (x86)\checkpoint\zonealarm\zatray.exe 26/10/2013 03:05 SDTray "C:\Program Files (x86)\Spybot - Search & Destroy 2\SDTray.exe" Spybot - Search & Destroy tray access (Verified) Safer Networking Ltd. 2.0.12.127 c:\program files (x86)\spybot - search & destroy 2\sdtray.exe 13/11/2012 10:08 VirtualCloneDrive "C:\Program Files (x86)\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s Virtual CloneDrive Daemon (Verified) Elaborate Bytes AG 5.4.5.1 c:\program files (x86)\elaborate bytes\virtualclonedrive\vcddaemon.exe 10/03/2013 14:08 vmware-tray.exe "C:\Program Files (x86)\VMware\VMware Workstation\vmware- tray.exe" VMware Tray Process (Verified) VMware 10.0.1.41495 c:\program files (x86)\vmware\vmware workstation\vmware-tray.exe 18/10/2013 15:49 (trucated output) Complementary you can use the GUI version (autoruns.exe): http://alexandreborges.org Page 5 Windows CLI and Tools – Part 2 Figure 2 It’s still possible to save the output in a CSV file and import it into Excel: c:\Sysinternals>autorunsc.exe -v -m -c > autoruns_list.csv Command 61: How to dump the Event log Managing event logs in Windows system is critical and exist nice tools when trying to dump the Event Logs. One of these good tools is psloglist.exe (from Sysinternals Suite – http://technet.microsoft.com/en-us/sysinternals/bb842062). For example, to dump the event log from last 1 day: C:\Sysinternals>psloglist.exe -d 1 | more PsLoglist v2.71 - local and remote event log viewer Copyright (C) 2000-2009 Mark Russinovich Sysinternals - www.sysinternals.com System log on \\EXADATA: [209298] Service Control Manager Type: INFORMATION Computer: EXADATA Time: 16/03/2014 19:20:34 ID: 7036 The Application Experience service entered the running state. [209297] Service Control Manager Type: INFORMATION Computer: EXADATA Time: 16/03/2014 19:19:35 ID: 7036 The Windows Modules Installer service entered the stopped state. [209296] Service Control Manager http://alexandreborges.org Page 6 Windows CLI and Tools – Part 2 Type: INFORMATION Computer: EXADATA Time: 16/03/2014 19:19:33 ID: 7040 User: NT AUTHORITY\SYSTEM The start type of the Windows Modules Installer service was changed from auto start to demand start. (truncated output) Even better, it’s possible to show events from last 60 minutes: C:\Sysinternals>psloglist.exe -m 60 | more PsLoglist v2.71 - local and remote event log viewer Copyright (C) 2000-2009 Mark Russinovich Sysinternals - www.sysinternals.com System log on \\EXADATA: [209299] Microsoft-Windows-DNS-Client Type: WARNING Computer: EXADATA Time: 16/03/2014 19:29:29 ID: 1014 User: NT AUTHORITY\NETWORK SERVICE Name resolution
Load more

Recommended publications
  • Windows Internals, Sixth Edition, Part 2
    spine = 1.2” Part 2 About the Authors Mark Russinovich is a Technical Fellow in ® the Windows Azure™ group at Microsoft. Windows Internals He is coauthor of Windows Sysinternals SIXTH EDITION Administrator’s Reference, co-creator of the Sysinternals tools available from Microsoft Windows ® The definitive guide—fully updated for Windows 7 TechNet, and coauthor of the Windows Internals and Windows Server 2008 R2 book series. Delve inside Windows architecture and internals—and see how core David A. Solomon is coauthor of the Windows Internals book series and has taught components work behind the scenes. Led by a team of internationally his Windows internals class to thousands of renowned internals experts, this classic guide has been fully updated Windows developers and IT professionals worldwide, SIXTH for Windows 7 and Windows Server® 2008 R2—and now presents its including Microsoft staff. He is a regular speaker 6EDITION coverage in two volumes. at Microsoft conferences, including TechNet As always, you get critical, insider perspectives on how Windows and PDC. operates. And through hands-on experiments, you’ll experience its Alex Ionescu is a chief software architect and internal behavior firsthand—knowledge you can apply to improve consultant expert in low-level system software, application design, debugging, system performance, and support. kernel development, security training, and Internals reverse engineering. He teaches Windows internals courses with David Solomon, and is ® In Part 2, you will: active in the security research community.
    [Show full text]
  • MARK RUSSINOVICH Chief Technology Officer Microsoft Azure
    MARK RUSSINOVICH is the CTO of Microsoft Azure. He was a co-founder of software producers Winternals before it was acquired by Microsoft in 2006. Russinovich earned his B.S. in computer engineering from Carnegie Mellon Uni- versity in 1989 and M.S. in computer cngineering from Rensselaer Polytechnic Institute. He later returned to CMU, and received a Ph.D. in computer engineer-ing on Application-transparent fault manage- ment in 1994, under the supervision of Zary Segall. From 1994 through early 1996 Russinovich was a research associate with the University of Oregon's computer science department and then joined NuMega Technologies as a developer, working on performance monitoring software for Window NT. In 1996, he and Bryce Cogswell cofounded Winternals Software, where Russinovich served as Chief Software Architect, and the web site sysinternals.com, where he wrote and published dozens of popular Windows administration and diagnostic utilities in- cludeing Autoruns, Filemon, Regmon, Process Explorer, TCPView, and RootkitRevealer among many others. In 1997 he worked as a consulting associate at OSR Open Systems Resources, Inc. and then joined IBM's Thomas J. Watson Research Center as a research staff member, re- searching operating system support for Web server acceleration and serving as an oper- ating systems expert. Russinovich joined Microsoft in 2006, when it acquired Most existing blockchain protocols fail to meet several key enterprise requirements, including Winternals Software. con-fidentiality, acceptable transaction throughput and latency, computational efficiency (e.g. In his role as an author, he is a regular energy costs for proof-of-work consensus), and effective governance.
    [Show full text]
  • Sysinternals Learning Resources
    THE PERSONAL COMPUTER SPECIALIST Sysinternals Learning Resources Help and Support Sysinternals Learning Resources Help Desk Books Windows Internals Book Homepage The official updates and errata page for the definitive book on Windows internals, by Mark Russinovich and David Solomon. Windows Sysinternals Administrator's Reference The official guide to the Sysinternals utilities by Mark Russinovich and Aaron Margosis, including descriptions of all the tools, their features, how to use them for troubleshooting, and example real-world cases of their use. Articles Inside the Windows Vista Kernel: Part 1 Inside the Windows Vista Kernel: Part 2 Inside the Windows Vista Kernel: Part 3 Inside Windows Vista User Account Control Inside Windows Server 2008 Kernel Changes Mark's Blog Articles Hunting Down and Killing Ransomware Scareware, a type of malware that mimics antimalware software, has been around for a decade and shows no sign of going away. The goal of scareware is to fool a user into thinking that their computer is heavily infected with malware and the most convenient...(read more) Monday, Jan 7 The Case of the Unexplained FTP Connections A key part of any cybersecurity plan is “continuous monitoring”, or enabling auditing and monitoring throughout a network environment and configuring automated analysis of the resulting logs to identify anomalous behaviors that merit investigation. This...(read more) Tuesday, Oct 30 Windows Azure Host Updates: Why, When, and How Windows Azure’s compute platform, which includes Web Roles, Worker Roles, and Virtual Machines, is based on machine virtualization. It’s the deep access to the underlying operating system that makes Windows Azure’s Platform-as-a-Service (PaaS) uniquely...(read more) Wednesday, Aug 22 The Case of the Veeerrry Slow Logons This case is my favorite kind of case, one where I use my own tools to solve a This case is my favorite kind of case, one where I use my own tools to solve a problem affecting me personally.
    [Show full text]
  • ELEC 377 – Operating Systems Week 11 – Class 3 Last Class
    ELEC 377 – Operating Systems Week 11 – Class 3 Last Class • Security ◊ Passwords and Program Threats ELEC 377 – Operating Systems Today • Security ◊ Sony Rootkit and Copy Protection - try and relate to the concepts we have covered during the course. ELEC 377 – Operating Systems Systems What is a Root Kit? • Root Kit is software to hide the evidence of system modification • Originally used by intruders in Unix systems to hide changes to systems ◊ add a back door process such as a chat daemon or ftp server running on non-standard port ◊ changes to ps, netstat, w, passwd and other system commands to hide the back door • Now applies to any operating system ◊ Changes are now usually made to kernel and system libraries rather than to system commands – Although some combine both system libraries and system commands ELEC 377 – Operating Systems What is a Root Kit? • Not the initial vulnerability ◊ initial vulnerability is used to gain access, root kit is used to maintain access to compromised system ◊ Sometimes the intruder patched vulnerability to keep ‘exclusive’ access to the system ◊ root kit may attempt to maintain ownership of the system - one part of root kit notices when another part has been removed and reinstalls that component • Often used by viruses and worms to disguise activities. ◊ Thus rootkit detection is a concern for Security Vendors. ELEC 377 – Operating Systems Root Kit Research • Commercial and Personal Systems ◊ when you get malware, you want to remove it ◊ limit its damage • Sensitive Systems. ◊ You don’t want to eradicate the malware ◊ You need to observe it -- who is it reporting to? -- what kind of information is it interested in -- limit access to sensitive information ◊ Problem: it is checking to see if anyone is watching -- may self destruct/or may attempt to destroy system.
    [Show full text]
  • 2.5 Win-History [Read-Only]
    Unit OS2: Operating System Principles 2.5. History of the Windows NT/2000/XP/2004 OS Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze Copyright Notice © 2000-2005 David A. Solomon and Mark Russinovich These materials are part of the Windows Operating System Internals Curriculum Development Kit, developed by David A. Solomon and Mark E. Russinovich with Andreas Polze Microsoft has licensed these materials from David Solomon Expert Seminars, Inc. for distribution to academic organizations solely for use in academic environments (and not for commercial use) Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze 2 1 Roadmap for Section 2.5. History of NT Windows Release History and Versions New features in Windows XP/2003 Original Windows Design Goals/Culture How Development Processes evolved throughout Windows NT 3.1 Development and Windows 2000 Development Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze 3 NT Timeline first 10 years 2/89 Coding Begins 7/93 NT 3.1 Ships 9/94 NT 3.5 Ships 5/95 NT 3.51 Ships 7/96 NT 4.0 Ships 12/99 NT 5.0 a.k.a. Windows 2000 ships Windows Operating System Internals - by David A. Solomon and Mark E. Russinovich with Andreas Polze 4 2 Unix Timeline first 20 years ’69 Coding Begins ’71 First Edition – PDP 11/20 ’73 Fourth Edition – Rewritten in C ’75 Fifth Edition – Leaves Bell Labs, basis for BSD 1.x ’79 Seventh Edition – One of the best ’82 System III ’84 4.2 BSD ’89 SVR4 Unification of Xenix, BSD, System V NT development begins Windows Operating System Internals - by David A.
    [Show full text]
  • Mitigating Pass-The-Hash and Other Credential Theft, Version 2
    Mitigating Pass-the-Hash and Other Credential Theft, version 2 Trustworthy Computing Trustworthy Computing 1 Legal disclaimer This document is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT. This document is provided “as-is.” Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Microsoft, Windows, Active Directory, Forefront, Windows Server, and Windows Vista are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. Copyright © 2014 Microsoft Corporation. All rights reserved. The names of actual companies and products mentioned herein may be the trademarks of their respective owners. 2 Mitigating Pass-the-Hash and Other Credential Theft, version 2 Acknowledgments Writers Patrick Jungles Mark Simos Ben Godard Joe Bialek Matthew Bucher Cal Waits William Peteroy Thomas Garnier Contributors Aaron Margosis Eric Leonard Michael Howard Aaron Tebrink Eric Mitchell Michael Poole Adam Stasiniewicz Eugene Siu Michael Scovetta Al Tieman Georgeo Pulikkathara Michiko Short Andrea Piazza Glenn Pittaway Nate Morin Andrew Idell Graham Calladine Nathan Ide Arden White Hasnat Naveed Nicholas DiCola Bill Talbot James Noyce Patrick Arnold Chris Betz Joe Corey Paul Cullimore Chris Hale John Rodriguez Roger Grimes Chris Jeuell John Wall Ted Daley Cristin Goodwin Joshua Talbot Tom Stolk Cynthia Sandvick Keith
    [Show full text]
  • Malware Removal Guide
    MALWARE REMOVAL GUIDE Malware Detection and Removal on Windows There are a number of free tools that can help with this. None of them are perfect, and none of them will detect 100% of all known malware- so the important thing is to use all of them in the hope that the overlap of their detection is enough to remove the problem. However, it is still very possible that no tool will be able to detect and/or clean the malware. In this instance it is possible that an “expert” may be able to manually work out where the malware is hiding and how to remove it – however, the easiest solution is likely to be a rebuild. Always Suggest Password Changing Please note that it's worth suggesting password changing to the users regardless of what is found. If anything that might be a major security risk is found - in particular keystroke loggers, rootkits, remote admin kits, etc - the user, and any other user of the machine, must change their passwords for all services that they may have used on that system, and local passwords for all users – including Administrator – on the system itself. If they do online banking or credit/debit card purchases they should also inform their banks, and follow the exact procedures given by them – this is vitally important. When to suspect malware Definitely suspect malware if the user reports unexpected popups, browsers going to sites other than the ones they were actually trying to go to, and similar problems. Also suspect it if you spot software associated with peer-to-peer filesharing; traditionally such software tends to have malware included.
    [Show full text]
  • Defrag Manager 3.0 by Winternals Software Column by Jim Justen PRODUCT RATING ❑ Very Poor ❑ Poor ❑ Fair ❑ Good ❑ Very Good ✗❑ Excellent
    Defrag Manager 3.0 by Winternals Software Column By Jim Justen PRODUCT RATING ❑ Very poor ❑ Poor ❑ Fair ❑ Good ❑ Very Good ✗❑ Excellent n a recent article I examined Executive Software’s Diskeeper these are beyond the scope of this article, but they are testament to the Windows disk defragmentation software. Diskeeper is one of expertise in Windows architecture that Winternals has at it’s disposal. I many solid offerings available in the marketplace, and all do a yeoman’s job at the task of reducing disk fragmentation. However I PRODUCT OVERVIEW thought Diskeeper’s administrative features a bit of an afterthought. In fact, what really differentiates defragmentation products is not Defrag manager installs and operates from a single admin worksta- their performance at defragmentation (even though some claim unreal- tion. This clever architecture means that it is not necessary to install istic performance gains), but rather their ease of use, pricing, and and manage the defragmentation engine on individual systems, but administrative features. rather all management of the application is performed from one single In this month’s Technical Report we’re taking a look at Winternal’s point. When a scheduled defragmentation is started, Defrag Manager Defrag Manager 3.0. Although one of many products available for this deploys a tiny 127K application (called the “SmartPhase Engine” ) task, defrag manager offers some unique features, and can realistically from the admin station to the targeted systems as the defragmentation simplify the workday of admins faced with the dull but vital task of engine. Once the defragmentation is complete, the software deletes disk defragmentation.
    [Show full text]
  • Mark Russinovich & Other News
    Security Now! Transcript of Episode #370 Page 1 of 30 Transcript of Episode #370 Mark Russinovich & Other News Description: We begin the week with a visit with our distinguished guest, Mark Russinovich, late of Sysinternals and now with Microsoft. Mark joins us to chat about the release of his second security thriller, "Trojan Horse," and to share some of his view of the security world. High quality (64 kbps) mp3 audio file URL: http://media.GRC.com/sn/SN-370.mp3 Quarter size (16 kbps) mp3 audio file URL: http://media.GRC.com/sn/sn-370-lq.mp3 SHOW TEASE: It's time for Security Now!. Steve Gibson is here. We've got lots of security news, including a zero-day exploit in IE9, IE8 and 9. Oy oy oy. But before we do that, we're going to talk to one of our favorite authors. Mark Russinovich is here, next on Security Now!. Leo Laporte: This is Security Now! with Steve Gibson, Episode 370, recorded September 19th, 2012: Mark Russinovich. It's time for Security Now!, the show that protects you and your loved ones online and your privacy online. And we've got a great show planned for you today. Let me first introduce our Explainer in Chief himself, Mr. Steve Gibson of GRC.com. Hi, Steve. Steve Gibson: Hey, Leo. Great to be with you again, as always. Before we began I didn't just double-check that you've got your recorders running, but... Leo: I am recording this. Because if you're hearing it now, ladies and gentlemen of the jury, then it must have been recorded.
    [Show full text]
  • Windows Sysinternals Administrator's Reference
    Windows® Sysinternals Administrator’s Reference Mark Russinovich Aaron Margosis PUBLISHED BY Microsoft Press A Division of Microsoft Corporation One Microsoft Way Redmond, Washington 98052-6399 Copyright © 2011 by Aaron Margosis and Mark Russinovich All rights reserved. No part of the contents of this book may be reproduced or transmitted in any form or by any means without the written permission of the publisher. Library of Congress Control Number: 2011931614 ISBN: 978-0-7356-5672-7 4 5 6 7 8 9 10 11 12 LSI 7 6 5 4 3 2 Printed and bound in the United States of America. Microsoft Press books are available through booksellers and distributors worldwide. If you need support related to this book, email Microsoft Press Book Support at [email protected]. Please tell us what you think of this book at http://www.microsoft.com/learning/booksurvey. Microsoft and the trademarks listed at http://www.microsoft.com/about/legal/en/us/IntellectualProperty/ Trademarks/EN-US.aspx are trademarks of the Microsoft group of companies. All other marks are property of their respective owners. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events depicted herein are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred. This book expresses the author’s views and opinions. The information contained in this book is provided without any express, statutory, or implied warranties. Neither the authors, Microsoft Corporation, nor its resellers, or distributors will be held liable for any damages caused or alleged to be caused either directly or indirectly by this book.
    [Show full text]
  • Vulnerability Detection in Activex Controls Through Automated Fuzz Testing
    Vulnerability Detection in ActiveX Controls through Automated Fuzz Testing Will Dormann and Dan Plakosh CERT R Coordination Center Software Engineering Institute 4500 Fifth Avenue, Pittsburgh, PA 15213-2612 http://www.cert.org Abstract. Vulnerabilities in ActiveX controls are frequently used by attackers to compromise systems using the Microsoft Internet Explorer web browser. A programming or design flaw in an ActiveX control can allow arbitrary code execution as the result of viewing a specially-crafted web page. In this paper, we examine effective techniques for fuzz testing ActiveX controls, using the Dranzer tool developed at CERT. By testing a large number of ActiveX controls, we are able to provide some insight into the current state of ActiveX security. 1 Introduction We live in a world where software vulnerabilities are pervasive. One important aspect of a vulnerability is how it can be reached, or what are its attack vectors. In the early days of the internet, server-side vulnerabilities were targeted the most. For example, the Morris Worm of 1988 worked by exploiting vulnerabilities in sendmail and fingerd [1]. Even as late as 2001, vulnerabilities in high-profile network server software were widely exploited [2]. As the internet landscape has changed, there has been a shift in focus to client-side vulnerabilities [4]. With most software vulnerabilities, the attack vector is to cause the vulnerable application to process specially-crafted data. With server-side applications, such as sendmail or fingerd, an attacker may connect to the vulnerable service as a client and send data that was crafted in a way that causes the service to crash in an exploitable manner.
    [Show full text]
  • May/June 2006
    48 FEATURE STORY TECHNOLOGY REVIEW may/june 2006 MMAY-RootkitAY-Rootkit 4488 44/21/06/21/06 55:02:57:02:57 PPMM By Wade Roush Inside the Spyware Scandal Last year, Sony BMG put antipiracy software on their CDs. In so doing, they spied on their own customers and gave hackers the power to access people’s computers. What were they thinking? ohn Guarino is the owner of TecAngels, a two-man After six or seven of these encounters, Guarino was computer consultancy in Manhattan. Give Guarino growing weary. Then, on September 30, he discovered the your ailing Windows PC, and in two or three hours mysterious fi les on his own PC. “That’s what really pissed Jhe’ll return it to you in perfect health. Often, he can me off ,” Guarino says. “I was like, ‘I can’t believe it. I have solve his customers’ problems over the phone. the latest fi rewall, the latest antivirus software, three or four But last summer, Guarino came across a problem he antispyware programs. How did this get here?’” couldn’t fi x. In the process of fl ushing out the spyware and Like any good investigator, Guarino backtracked. He viruses infecting his customers’ computers, he began to fi nd knew that the fi les hadn’t been there the last time he had the same mysterious intruders in machine after machine. scanned his computer. He tried to reconstruct everything he They were strangely named fi les lurking deep inside the had done with his machine over the previous few days—what “registry” where Windows stores settings and instructions programs he had installed, what e-mails he had received, that control all of a computer’s hardware and software.
    [Show full text]