Understanding how Process Explorer’s dialogs and options work is all well and good, but how about using it to do some actual troubleshooting or to diagnose a problem? Today’s Geek School tutorial will help you learn how to do just that.

NAVIGATION

  1. What are SysInternals tools and how do you use them?
  2. Understanding Process Explorer
  3. Using Process Explorer for Troubleshooting and Diagnostics
  4. Understanding Process Monitor
  5. Using Process Monitor to Troubleshoot and Find Registry Hacks
  6. Using Autoruns to deal with startup processes and malware
  7. Using BgInfo to Display System Information on the Desktop
  8. Using PsTools to control other PCs from the command line
  9. Analyze and manage your files, folders and drives
  10. Conclusion and Sharing Tools

Not so long ago, we started investigating all kinds of malware and crapware that gets installed automatically whenever you don't pay attention while installing software. Almost every free software product on the market, including "reputable" ones, comes bundled with toolbars, awful search hijackers or adware, and some of them are difficult to get rid of.

We have seen many computers belonging to people we know that had so much spyware and adware installed that the PC would barely boot. Loading a web browser in particular was next to impossible, as all the adware and tracking software competed for resources in order to steal personal information and sell it to the highest bidder.

Naturally, we wanted to do a little research into how some of it works, and there is no better place to start than the Conduit Search malware that has claimed hundreds of millions of computers around the world. This nefarious horror hijacks the search engine in your browser, changes your home page, and, worst of all, hijacks your new tab page no matter which browser you use.

We'll start by looking at that, and then show you how to use Process Explorer to troubleshoot the "in use" errors you get when files and folders are locked by another process.

And then we'll finish with another look at how some adware hides behind Microsoft processes these days so that it looks legitimate in Process Explorer or Task Manager when it actually isn't.

Investigating the Conduit Search Malware

As we have already mentioned, the Conduit search hijacker is one of the most persistent, nasty and terrible things that almost every one of your relatives probably has on their computer. They bundle their software in obscure ways with whatever free software they can, and in many cases the hijacker gets installed even if you choose not to install it.

Conduit installs what they call "Search Protect", which they claim prevents malware from making changes to your browser. What they don't mention is that it also prevents you from making any changes to your browser unless you use their Search Protect panel to do so, which most people won't know about since it lives in the system tray.

Conduit will not only redirect all your searches to its own Bing-powered page, it will also make that page your home page. One has to assume that Microsoft is paying them for all this Bing traffic, since they also pass along arguments like ?

Fun fact: The company behind this piece of junk is worth $1.5 billion and JP Morgan has invested $100 million in them. It pays to be evil.

Conduit Hijacks Your New Tab Page... But How?

Hijacking your search engine and home page is trivial for any malware. This is where Conduit amplifies the evil: it somehow rewrites the New Tab page so that it shows Conduit even after you have changed every setting.

You can uninstall all your browsers, or even install a browser you have never had before, such as Firefox or Chrome, and Conduit will still manage to grab the New Tab page.

Somebody should be in jail, but they are probably on a yacht.

It doesn't take much geek skill to eventually conclude that the problem lies with the Search Protect application running in the system tray. Kill that process and all of a sudden your new tabs open exactly as the browser maker intended.

But how exactly does this happen? There are no add-ons or extensions installed in any of the browsers. There are no plugins. The registry is clean. How do they do it?

This is where we turn to Process Explorer to do some research. First, we find the Search Protect process in the list, which is simple enough because it has a sensible name, but if you aren't sure, you can always open a window and use the little crosshair icon next to the binoculars to figure out which process that window belongs to.

Now you can simply select the appropriate process, which in this case was one of three that are automatically started by the Windows service that Conduit installs. How did I know that a Windows service was restarting it? Because the row is pink, of course. Armed with this knowledge, I could always stop or uninstall the service (although in this particular case you can simply uninstall it from the Uninstall Programs section of the Control Panel).

Now that you've selected a process, you can use the keyboard shortcuts CTRL+H or CTRL+D to open the Handles view or the DLL view, or you can use View menu -> Lower Pane View to do the same.

Note: in the Windows world, a "handle" is an integer value that uniquely identifies a resource in memory, such as a window, an open file, a process, or many other things. Every open application window on your computer, for example, has a unique "window handle" that can be used to refer to it.

DLLs, or Dynamic Link Libraries, are shared pieces of compiled code stored in a single file so that multiple applications can use them. For example, instead of every application writing its own file open/save dialogs, all applications can simply use the common dialog code that Windows provides in comdlg32.dll.

Looking through the list of handles for a few minutes brought us closer to what was going on, because we found handles to the Internet Explorer and Chrome windows that were open on the test system. We had definitely confirmed that Search Protect was doing something with our open browser windows, but we needed to dig a little further to figure out exactly what.

The next thing to do is double-click the process in the list to open the details view, then switch to the Image tab, which shows the full path to the executable, the command line, and even the working folder. We'll click the "Explore" button to take a look at the installation folder and see what else is lurking there.

Interesting! We found several DLLs here, but for some odd reason none of them were listed in the DLL view for the Search Protect process when we looked at it earlier. This might be a problem.

Any time you want to know whether a DLL file is currently in use by any application on your system, you can open the search bar from the Find menu, press the keyboard shortcut CTRL+F, or simply click the binoculars icon on the toolbar. Then type part of the DLL name, or the full name if you like.

We decided to search only for the beginning, "SPVC", as that was the common part of both names, and sure enough, it looks like these DLLs are loaded directly into every browser process running on our computer.
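The same search as a script rather than a click in Process Explorer. This is an added example, not code from the article or from Sysinternals; it assumes PowerShell on the machine being inspected, and the "SPVC" prefix comes from the article above. The function name Find-LoadedModule is my own.

```powershell
# Added example: report every process that has loaded a module whose file name
# starts with a given prefix, mirroring the CTRL+F search in Process Explorer.
# Run elevated to see more processes; processes we cannot open (protected ones,
# or a different bitness than this PowerShell) are skipped with a -Verbose note.
function Find-LoadedModule {
    param(
        [Parameter(Mandatory)][string]$NamePrefix
    )
    foreach ($proc in Get-Process) {
        try {
            $modules = $proc.Modules   # throws Win32Exception when access is denied
        } catch {
            Write-Verbose "Cannot read modules of $($proc.ProcessName) (PID $($proc.Id)): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $modules) {
            if ($m.ModuleName -like "$NamePrefix*") {
                # Who signed the DLL matters more than the name: a vendor DLL mapped
                # into chrome.exe or iexplore.exe is exactly the injection the article found.
                $sig = Get-AuthenticodeSignature -FilePath $m.FileName
                [pscustomobject]@{
                    Process   = $proc.ProcessName
                    PID       = $proc.Id
                    Module    = $m.ModuleName
                    Path      = $m.FileName
                    Signature = $sig.Status
                    Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
                }
            }
        }
    }
}

# Usage: show which processes (browsers included) have the Search Protect DLLs mapped.
Find-LoadedModule -NamePrefix 'SPVC' -Verbose | Format-Table -AutoSize
```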

By clicking one of the items in the list and switching to the Threads tab, we confirmed what had been bothering us. Both Chrome and Internet Explorer were running threads using the SPVC32.dll or SPVC64.dll files from the Search Protect malware, and that is how they hijacked our new tab page: not by changing settings, but by hijacking the browser from the inside.

Note: in Windows, a thread is the unit that the operating system schedules for processor time. A process is what geeks and sysadmins usually think of as "the running program", but technically only threads run in Windows, not processes. Some processes have just one thread of execution, while others have many threads that all run separately from one another, usually coordinating through some kind of in-process communication mechanism.

You can also double-click any of the threads to see its full call stack, which can be useful for seeing which functions are being called and for trying to figure out where the problem is.

You might be wondering how Search Protect managed to get Google Chrome to load this DLL, and the answer is that Windows provides a feature called DLL injection. A process can inject a DLL into another process and then intercept certain API functions. This is how certain applications override features of Windows or of other applications. It is a very complex topic that we definitely can't get into in this tutorial, but if you really want to read more, you can check out this guide.

It's also worth noting that at this level of detail you can see per-thread CPU usage, which can be very helpful when troubleshooting an application with plugins. You can use it to figure out that a certain DLL file is taking up too much CPU time and then research which component that DLL belongs to.

Working with locked files or folders

Since it's unlikely that you'll be investigating malware all the time, it's also useful to use Process Explorer for other tasks, such as dealing with those "In Use" dialogs you get whenever you try to delete, move or modify a file or folder that another process has open, especially when you aren't sure which process is holding it.

When you get an error like this, just go to Process Explorer, open the search with CTRL+F or the binoculars icon, and type in the name of the folder from the error (or a more complete path if the name is very generic).

You will very quickly see a process in the list that has the file or folder open, and you can double-click it to highlight the process in the main list.

Your immediate reaction may be to simply kill the process, but you don't have to. You can also right-click the file or folder in the handle list (press CTRL+H to bring up the handle list) and choose the "Close Handle" option. The resource is now unlocked!

Note: if you are deleting something, this is ideal, but if you are just trying to edit or move that item, you should probably open the offending application and deal with it there so that you don't lose data.

Examining Processes That Look Safe but Aren't

In the course of our malware research we noticed another problem that is becoming more common, so it's wise to keep an eye out for it in the future. What is this problem? Malware hiding behind legitimate Windows processes, and doing it well.

The problem lies with the Windows utility rundll32.exe, which can be used to run arbitrary functions from DLL files. Because this utility is signed by Microsoft, it appears in the list as a perfectly legitimate process, but in reality the authors just move all their malware/adware code into a .DLL file instead of an .EXE file and then load it with rundll32.exe. In fact, if you see rundll32.exe running as an "own process" (the blue color shown below), that is almost always something that shouldn't be running.

In the example below, you can see that although we used the Verified Signer feature to confirm this item is signed, when we hover over it and look at the full command line, it is actually loading a DLL that turns out to be part of an adware product.
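The same check in script form, so it can be run across a machine instead of hovering over each row. This is an added example, not code from the article; it assumes PowerShell on the machine being inspected, and the function name Get-RundllLaunch and the "Suspicious" rule (anything that is not a validly signed DLL under the Windows directory) are my own.

```powershell
# Added example: audit every running rundll32.exe. rundll32 itself is always
# Microsoft-signed, so the thing to inspect is the DLL named on its command line:
# where it lives, whether it exists, and whether it carries a valid signature.
function Get-RundllLaunch {
    $sysRoot = $env:SystemRoot
    Get-CimInstance Win32_Process -Filter "Name = 'rundll32.exe'" | ForEach-Object {
        $cmd = [string]$_.CommandLine
        # Drop the rundll32 executable token (quoted or not) to leave its arguments.
        $argLine = $cmd -replace '(?i)^\s*"?[^"]*?rundll32(?:\.exe)?"?\s*', ''
        # First argument is the DLL, either "C:\dir\x.dll",Entry or C:\dir\x.dll,Entry
        if ($argLine -match '^"([^"]+)"') { $dll = $Matches[1] }
        else { $dll = ($argLine -split '[,\s]')[0] }

        $resolved = $null
        if ($dll -and [System.IO.Path]::IsPathRooted($dll)) { $resolved = $dll }
        elseif ($dll) {
            # A bare name is found via the DLL search order; check the usual location.
            $candidate = Join-Path (Join-Path $sysRoot 'System32') $dll
            if (Test-Path $candidate) { $resolved = $candidate }
        }

        $status = 'Unresolved'; $signer = ''
        if ($resolved -and (Test-Path $resolved)) {
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            $status = [string]$sig.Status
            if ($sig.SignerCertificate) { $signer = $sig.SignerCertificate.Subject }
        }
        # Flag anything that is not a validly signed DLL under the Windows directory.
        $inWindows = $resolved -and $resolved.StartsWith($sysRoot, 'OrdinalIgnoreCase')
        [pscustomobject]@{
            PID        = $_.ProcessId
            ParentPID  = $_.ParentProcessId   # who launched it is the next lead
            Dll        = $dll
            Path       = $resolved
            Signature  = $status
            Signer     = $signer
            Suspicious = (-not $inWindows) -or ($status -ne 'Valid')
        }
    }
}

# Usage: list the suspicious launches first, with the DLL path to investigate next.
Get-RundllLaunch | Sort-Object Suspicious -Descending | Format-Table -AutoSize
```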

Note: before you start yelling about running a virus scan, we did, and it found nothing. A lot of this adware and spyware is ignored by antivirus utilities.

Double-clicking to open the details shows more of the problem, and we can also see the directory where the malware lives, which we'll use to investigate further.

Inside this directory, we found several files that were being constantly updated in the background.

The rest of the investigation led to some other tools that aren't SysInternals, which we'll probably cover later, but suffice it to say that this is simply a piece of malware working in conjunction with another application.

The important point here is that malware can lurk behind legitimate Windows executables, so be sure to keep an eye out for anything like this.

Next Up

Stay tuned tomorrow to learn more about SysInternals as we show you how to use the Process Monitor utility to keep track of what applications are actually doing behind the scenes. It will open your eyes.
