Is there a proggy that tells you....

Discussion in 'Trojan Defence Suite' started by tempnexus, Dec 5, 2004.

Thread Status:
Not open for further replies.
  1. tempnexus

    tempnexus Registered Member

    Joined:
    Apr 16, 2003
    Posts:
    280
    I had the proggy before but I lost it; anyhow, I know it's DiamondCS.
    It was meant to tell me how much RAM a process was using, what DLLs are associated with it AND what ports the process has opened and what it's doing.

    Thanks
     
  2. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi tempnexus, are you thinking about Sysinternals Process Explorer? Thought that it does not do port-to-process mapping. DCS Port Explorer does do port-to-process mapping but not CPU usage etc.

    Pilli
     
  3. dvk01

    dvk01 Global Moderator

    Joined:
    Oct 9, 2003
    Posts:
    3,131
    Location:
    Loughton, Essex. UK
  4. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Could be, Derek, but that too has no RAM etc. analysis?
     
  5. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Attached is a screenshot example of Process Explorer v8.52 showing the sockets in use by a particular process (my browser in this case...)

    It isn't a system-wide view like Port Explorer gives you... but it's good enough for some things and it's free so it's always there when you need it.

    Process Explorer does the other things as well...

    You will find the "what it's doing" part in the "Threads" tab; you can click on each thread and get the stack information and make an educated guess.
    It is only a snapshot at a point in time, but it's not a debugger after all.
    If you combine this with what you can get from Filemon and Regmon you can sometimes get a general idea of what the program is doing.

    Regards
     
    Last edited: Dec 6, 2004
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Yep, Process Explorer is definitely one of my faves :D
     
  7. kwesi

    kwesi Registered Member

    Joined:
    May 18, 2004
    Posts:
    82
    Location:
    London
    Hi, gottadoit. Just a little off-topic, but I've known other savvy contributors, like you, to erase 192 (router?) and 127 (hosts file?) information when posting.

    I was just curious - presumably the 192 erasure is to avoid hackers targeting specific ports on one's set-up? What about the hosts file information (if I'm correct that that's what it is!), please?

    I'm hoping by this question to expand my understanding a bit. Thanks.
     
  8. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    I don't know about the savvy contributor bit; I've hardly sent anything compared to the regulars on the forum that help people all the time.

    The simple answer is that it's easier to be cautious before you have a problem than wait until afterwards.
    I erased most of the information because it isn't at the defaults and it's easier to be paranoid by default.

    I doubt that anyone could successfully use that information to attack my PC given that they would need my external IP address for starters (which isn't shown) and then manage to get a program running on my computer ... possible to do but non-trivial given the various defence layers that are present.

    If I was really being paranoid I wouldn't have shown what browser I am running and would have used a simple program like ping to show the network ports tab as an example.
     
  9. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Pilli,
    I was actually responding to your post where you said that Process Explorer didn't do port-to-process mapping.

    It does do the port-to-process mapping, as you obviously know....
    I'm not sure when it appeared but I don't remember it being in some of the earlier versions several years ago.
    The thread and stack information is relatively new as well and certainly useful.
    Figured I might as well check and see if there is a new procexp (it's been a while) and it's up to 8.60 now...

    I would recommend to anyone to support these guys; they have contributed a lot to the public domain for a good long time and that's no small thing these days.
    [ I have no ties to them other than using their free tools (and one I purchased) ]

    The TCP/UDP information is only a few revisions old (since 8.40).
    The thread and stack information has been there since at least 8.20.

    http://www.sysinternals.com/ntw2k/freeware/procexp.shtml
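    For readers who want the system-wide port-to-process view the posts above attribute to Port Explorer (and per-process to Process Explorer 8.40+) without a GUI tool, the following is an added example written for this thread, not code from Sysinternals, DiamondCS or any poster. It joins the output of two commands that ship with Windows XP and later, `netstat -ano` (sockets with owning PID) and `tasklist /fo csv /nh` (PIDs with image name and memory usage), so each open port is listed under the process that owns it. The netstat and tasklist text embedded below is constructed sample output; the PIDs, addresses and image names are made up, and in real use you would paste in the actual output of the two commands.

```python
"""Join `netstat -ano` with `tasklist /fo csv /nh` to map ports to processes.

Constructed sample output is embedded so the script runs offline; replace the
two samples with real command output (both commands exist on Windows XP+).
"""
import csv
import io
from collections import defaultdict

# Constructed sample of `netstat -ano` output (all values made up).
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       924
  TCP    127.0.0.1:1028         0.0.0.0:0              LISTENING       1436
  TCP    192.168.1.10:1120      203.0.113.5:80         ESTABLISHED     2204
  TCP    192.168.1.10:1121      203.0.113.5:80         ESTABLISHED     2204
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       3012
  UDP    0.0.0.0:445            *:*                                    4
  UDP    127.0.0.1:1900         *:*                                    1100
"""

# Constructed sample of `tasklist /fo csv /nh` output (PID 3012 deliberately
# absent, as if that process exited between the two snapshots).
TASKLIST_SAMPLE = '''"System","4","Console","0","236 K"
"svchost.exe","924","Console","0","5,208 K"
"alg.exe","1436","Console","0","3,412 K"
"svchost.exe","1100","Console","0","4,100 K"
"firefox.exe","2204","Console","0","38,512 K"
'''


def parse_netstat(text):
    """Return one dict per socket line of `netstat -ano` output."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank and "Active Connections" lines
        proto, local, foreign = parts[0], parts[1], parts[2]
        # TCP lines carry a State column; UDP lines go straight to the PID.
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        # rpartition keeps IPv6 addresses such as [::]:135 intact.
        host, _, port = local.rpartition(":")
        rows.append({"proto": proto, "local_host": host, "local_port": int(port),
                     "foreign": foreign, "state": state, "pid": int(pid)})
    return rows


def parse_tasklist(text):
    """Return {pid: (image name, memory usage text)} from tasklist CSV output."""
    procs = {}
    for row in csv.reader(io.StringIO(text)):
        if len(row) >= 5:
            procs[int(row[1])] = (row[0], row[4])
    return procs


def map_ports_to_processes(netstat_text, tasklist_text):
    """Group sockets by owning process: {(pid, image name): [socket dicts]}."""
    procs = parse_tasklist(tasklist_text)
    by_proc = defaultdict(list)
    for sock in parse_netstat(netstat_text):
        image, _ = procs.get(sock["pid"], ("<no longer running>", ""))
        by_proc[(sock["pid"], image)].append(sock)
    return dict(by_proc)


def unmatched_pids(netstat_text, tasklist_text):
    """PIDs that own a socket but are missing from the tasklist snapshot.

    The two commands are separate snapshots, so a process that started or
    exited in between shows up here; re-run both if the set is non-empty."""
    procs = parse_tasklist(tasklist_text)
    return sorted({s["pid"] for s in parse_netstat(netstat_text) if s["pid"] not in procs})


def print_report(netstat_text, tasklist_text):
    """Human-readable listing, one process per block, like a port explorer view."""
    mapping = map_ports_to_processes(netstat_text, tasklist_text)
    for (pid, image), socks in sorted(mapping.items()):
        print(f"{image} (PID {pid})")
        for s in socks:
            print(f"    {s['proto']:3} {s['local_host']}:{s['local_port']:<5} "
                  f"-> {s['foreign']:<18} {s['state']}")
    missing = unmatched_pids(netstat_text, tasklist_text)
    if missing:
        print(f"PIDs with sockets but no tasklist entry (snapshot skew?): {missing}")


if __name__ == "__main__":
    print_report(NETSTAT_SAMPLE, TASKLIST_SAMPLE)
```

    On a live machine, capture both snapshots as close together as possible (`netstat -ano > net.txt` and `tasklist /fo csv /nh > tl.txt`) and feed the file contents to `print_report`; anything that lands in the unmatched list is a cue to re-run rather than a finding in itself.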
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Thanks. Yes it does, but I suppose I am so used to Port Explorer now I forget about Process Explorer's other functions :)

    Cheers. Pilli
     
  11. ellison64

    ellison64 Registered Member

    Joined:
    Oct 5, 2003
    Posts:
    2,499
    The best programme that I've seen that seems to give you all you want is IARSN TaskInfo....
    It also gives you a nice system tray CPU monitor (that actually works).
    http://www.iarsn.com/taskinfo.html
    ellison
     
  12. NetTraveler

    NetTraveler Registered Member

    Joined:
    Nov 16, 2004
    Posts:
    134
    Location:
    Amsterdam Netherlands
    Thank you Gottadoit.. :) Very interesting site.. :)
     
  13. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    TaskInfo didn't give the call stack in previous versions, but it looks like it should be able to as of the latest beta version.

    Other than that it certainly is the alternative tool to use; both provide all the major functions, with TaskInfo giving slightly richer functionality, but then again you would expect that seeing as it isn't free.

    http://www.iarsn.com/tihistory.html

    6.0.0.120 TaskInfo2003 Beta-- 27-Nov-2004 Add Thread Start Address and Thread Call Stack with Symbolic Information if possible (WinNT/2K/XP/2003 Only).
     