#1
Yes, another freeware utility in the same month!
http://www.diamondcs.com.au/index.php?page=apm (110kb full install, NT4/2K/XP only). Enjoy!
__________________
DiamondCS (Est. 1986) - Celebrating 20 Years ... Home of Port Explorer, ProcessGuard, and check out all our other freeware security tools!
#2
Neato, let's hope it is used for good and not evil.
I wish I could drag the border between the two main areas to make one bigger at the expense of the other. PS. What stops me from loading my own trojans with this thing?
__________________
Not everything that can be counted counts, and not everything that counts can be counted.
#3
> lets hope it is used for good and not evil
I don't see how it could be used for 'evil'?
> what stops me from loading my own trojans with this thing?
You could only use it to load a DLL on your own computer (or another computer you have physical access to), so why would you want to load a trojan? APM requires a human user to make it function; it can't be used in an automated manner. If you want to attack somebody's computer and want to use APM against it, you'll need physical access to that computer, but then if that's the case why bother using APM - why not just start deleting files with the command prompt? You have physical access already ... I understand your concern but fail to see how APM could be abused in such a manner, or used for anything bad -- it's essentially an anti-trojan tool after all. Here's an example - APM vs the Cold Fusion stealth trojan - http://www.diamondcs.com.au/index.php?page=apm-example
__________________
DiamondCS (Est. 1986) - Celebrating 20 Years ... Home of Port Explorer, ProcessGuard, and check out all our other freeware security tools!
#4
Sounds good.
__________________
Not everything that can be counted counts, and not everything that counts can be counted.
#5
Great work DCS!!!
I wasn't aware until now that there are trojans which can hide themselves in other processes. Damn it... Now I will begin to try to understand all the DLLs on my computer. Best regards, Patrice
__________________
I know nothing except the fact of my ignorance. (Socrates 470-399 BC)
#6
Patrice, a useful page about how & what TDS3 can do, or is capable of doing, just in case you forgot:
http://tds.diamondcs.com.au/index.php?page=features
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
#7
Heh, I always used an extension for the Windows Task Manager (NT/2000):
http://www.codeguru.com/system/TaskManagerEx.html Even though I have never had a virus/trojan infection yet, I do use it for other purposes...
#8
This is a nice tool! Lots to play with in here.
Thanks Wayne!!
#9
Hello,
I am trying this new software but I am getting problems. When I try to drag and expand the window, I get double windows at the bottom. When I right-click on a process and select one of the options, the program hangs for me. I am using Windows XP Home.
#10
Hi Controler, did you read the manual? There are certain processes that you cannot control.
Quote:
> Caution: Programs are typically not designed with the idea in mind that modules can be attached later and take control over them (as APM does). That is, APM is capable of making programs do things that their author(s) did not intend for them to do. Although you will rarely encounter any problems when using APM against target processes, please keep this in mind when manipulating them with APM. You use this tool at your own risk.
> Limitations: System Processes
> APM isn't able to work inside system processes such as smss.exe, csrss.exe, winlogon.exe, services.exe and so on. However, you shouldn't encounter any problems when using APM with application processes, such as Notepad or Calculator, that come with the Windows operating system.
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
#11
Excuse me!!!!?
Did you read my post? I am sure you are not telling me a program should hang. I tried other processes besides system ones. I do know better than to try to mess with XP system files. The problem is most likely my computer, since I have not reformatted in a while. I think I understand now. If a trojan attaches itself to a system process, this program is of no use? It will only work when an application's DLLs have been infected?
#12
LOL
#13
Sorry Controler, I missed your meaning as you did not state the actual processes that APM "hung" on.
I have had no problem with non-system processes in XP. I am sure Wayne will answer your last question.
__________________
"Education is not the filling of a pail, but the lighting of a fire" Pilli's website http://www.pilliwinks.net
#14
Hi Pilli,
That is ok. I am only trying to find what I can. Here is a copy of my system info, maybe this will help:

OS Name: Microsoft Windows XP Home Edition
Version: 5.1.2600 Service Pack 1 Build 2600
OS Manufacturer: Microsoft Corporation
System Name: HEWLETT-5K1589J
System Manufacturer: Hewlett-Packard
System Model: HP Pavilion Notebook PC
System Type: X86-based PC
Processor: x86 Family 6 Model 11 Stepping 1 GenuineIntel ~1133 Mhz
BIOS Version/Date: Insyde Software IB.M1.10, 12/3/2002
SMBIOS Version: 2.3
Windows Directory: C:\WINDOWS
System Directory: C:\WINDOWS\System32
Boot Device: \Device\HarddiskVolume2
Locale: United States
Hardware Abstraction Layer: Version = "5.1.2600.1106 (xpsp1.020828-1920)"
User Name: HEWLETT-5K1589J\Owner
Time Zone: Central Daylight Time
Total Physical Memory: 256.00 MB
Available Physical Memory: 42.11 MB
Total Virtual Memory: 826.41 MB
Available Virtual Memory: 434.81 MB
Page File Space: 586.93 MB
Page File: C:\pagefile.sys
#15
In the TDS detection list is Rootkit.yyt 1.0 by a Chinese trojan maker, yyt_hac. This uses CreateRemoteThread and SetWindowsHookEx to inject "hider" DLLs inside MANY processes, including csrss.exe and explorer.exe. With the DLL inside most important places, the "rootkit" (not a real kernel-level, driver rootkit) can patch calls to important Windows API calls, most importantly those which are used for listing files, processes, and netstat output.

Simply, this means the running trojan, RtKit.exe, doesn't show up in ANY process lister, not even APM's list. APM does however see the DLLs in some cases, and I was successfully able to remove this trojan with nothing other than APM and a standard process lister - and the Delete key. I DID encounter some stability problems; however, this is not a real problem under the NT architecture, and I simply loaded another APM process and kept trying to unload DLLs as needed. Soon the RTKIT.EXE process was available to kill, and that being deleted, I simply rebooted and removed the rest of the files, and the registry key. DEAD trojan!

This wouldn't have been possible without APM, so it is available to the public. While it may have some problems, it is needed in a sense. Optix Pro 1.3 (and 1.31) use this method, as do other trojans that are already available or on the way, to hide files, registry keys and netstat output. So this tool should be any NT/2K/XP user's best friend until some serious anti-rootkit development can be made by AV vendors and AT vendors. Keep an eye on what is loaded in your poor explorer.exe's memory! And of course other processes..
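The hider-DLL footprint described in the post above lends itself to two cheap defender-side cross-checks. This is an added example, not code from the thread or from DiamondCS: it runs both heuristics over a constructed process/module snapshot (every PID, image name and path is made up), flagging one non-Windows DLL loaded into many unrelated processes, and parent PIDs that point at a process missing from the listing.

```python
from collections import defaultdict

# Constructed process/module snapshot: (pid, parent pid, image name, loaded DLLs).
# Modelled on what a process lister with a module view shows; every value is made up.
SNAPSHOT = [
    (4,    0,    "System",       []),
    (520,  4,    "csrss.exe",    [r"C:\WINDOWS\System32\ntdll.dll",
                                  r"C:\DOCUME~1\Owner\LOCALS~1\Temp\hider.dll"]),
    (1012, 520,  "explorer.exe", [r"C:\WINDOWS\System32\kernel32.dll",
                                  r"C:\DOCUME~1\Owner\LOCALS~1\Temp\hider.dll"]),
    (1300, 1012, "notepad.exe",  [r"C:\WINDOWS\System32\kernel32.dll",
                                  r"C:\DOCUME~1\Owner\LOCALS~1\Temp\hider.dll"]),
    (1404, 1180, "calc.exe",     [r"C:\WINDOWS\System32\kernel32.dll"]),  # parent 1180 is not listed
]

# DLLs living under the Windows directory are treated as expected; anything else is "foreign".
TRUSTED_PREFIXES = ("c:\\windows\\",)


def widespread_foreign_dlls(snapshot, min_hosts=3):
    """Map each foreign DLL to the names of the processes it sits in, keeping only
    DLLs present in at least `min_hosts` distinct processes. A global SetWindowsHookEx
    hook or mass CreateRemoteThread injection leaves exactly this footprint: one DLL
    from an odd location loaded into many unrelated hosts (csrss, explorer, ...)."""
    hosts = defaultdict(set)
    for _pid, _ppid, name, modules in snapshot:
        for mod in modules:
            low = mod.lower()
            if low.endswith(".dll") and not low.startswith(TRUSTED_PREFIXES):
                hosts[mod].add(name)
    return {mod: sorted(names) for mod, names in hosts.items() if len(names) >= min_hosts}


def orphan_parent_pids(snapshot):
    """Parent PIDs that visible processes point at but that are absent from the listing.
    A user-mode hider that patches the process-enumeration APIs removes its own entry,
    yet the children it spawned still record it as their parent unless that query is
    hooked as well, so the gap between the two views is a cheap cross-check."""
    visible = {pid for pid, _ppid, _name, _mods in snapshot}
    return sorted({ppid for _pid, ppid, _name, _mods in snapshot if ppid and ppid not in visible})


if __name__ == "__main__":
    for dll, names in widespread_foreign_dlls(SNAPSHOT).items():
        print(f"foreign DLL in {len(names)} processes: {dll} -> {', '.join(names)}")
    for ppid in orphan_parent_pids(SNAPSHOT):
        print(f"parent PID {ppid} is referenced but not listed: possible hidden process")
```

Both checks are only as good as the lister that produced the snapshot: a hook that also patches the module-enumeration APIs inside the lister's own process hides the DLL from it too, which is why comparing several tools, or a freshly started instance as the post did, matters.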
#16
@controler
I'm not exactly sure if Windows XP Home edition even supports the same things XP Pro does. It might not, being the Win9x-equivalent version of XP.. we will see what we can see.
#17
Thanks to all you DiamondCS blokes, this is an excellent little tool.