New freeware tool released: Advanced Process Manipulation

Discussion in 'other anti-trojan software' started by Wayne - DiamondCS, May 15, 2003.

Thread Status:
Not open for further replies.
  1. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Yes, another freeware utility in the same month! :)

    http://www.diamondcs.com.au/index.php?page=apm
    110kb full install, NT4/2K/XP only

    Enjoy!
     
  2. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
Neato, let's hope it is used for good and not evil ;)

    I wish I could drag the border between the two main areas to make one bigger at the expense of the other.

    PS. what stops me from loading my own trojans with this thing?
     
  3. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    > lets hope it is used for good and not evil
    I don't see how it could be used for 'evil' ?

    > what stops me from loading my own trojans with this thing?
You could only use it to load a DLL on your own computer (or another computer you have physical access to), so why would you want to load a trojan? APM requires a human user to make it function; it can't be used in an automated manner. If you want to attack somebody's computer and want to use APM against it, you'll need physical access to that computer, but then if that's the case why bother using APM - why not just start deleting files with the command prompt, you have physical access already ... :)

I understand your concern but fail to see how APM could be abused in such a manner, or used for anything bad -- it's essentially an anti-trojan tool after all.

    Here's an example - APM vs the Cold Fusion stealth trojan - http://www.diamondcs.com.au/index.php?page=apm-example
     
  4. UNICRON

    UNICRON Technical Expert

    Joined:
    Feb 14, 2002
    Posts:
    1,935
    Location:
    Nanaimo BC Canada
    sounds good.
     
  5. Patrice

    Patrice Registered Member

    Joined:
    Apr 15, 2003
    Posts:
    571
    Location:
    Antarctica
    Great work DCS!!! :D

    I wasn't aware until now, that there are trojans which can hide themselves in other processes. Damn it... :eek:

    Now, I will begin to try to understand all the dll's on my computer.

    Best regards,

    Patrice
     
  6. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Patrice, a useful page about what TDS3 can do, just in case you forgot :D

    http://tds.diamondcs.com.au/index.php?page=features
     
  7. Ph33r_

    Ph33r_ Guest

Heh, I always used an extension for the Windows Task Manager (NT/2000).
    http://www.codeguru.com/system/TaskManagerEx.html

Even though I've never had a virus/trojan infection yet, I do use it for other purposes… ;)
     
  8. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,875
    Location:
    New England
    This is a nice tool! Lots to play with in here. :D

    Thanks Wayne!! :cool:
     
  9. controler

    controler Guest

    Hello

I am trying this new software but I am getting problems.
When I try to drag and expand the window, I get double windows on the bottom.
When I try to right-click on a process and select one of the options,
the program hangs for me.
I am using Windows XP Home.
     
  10. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
    Hi Controler, Did you read the manual? There are certain processes that you cannot control.

    Quote:

    Caution: Programs are typically not designed with the idea in mind that modules can be attached later and take control over them (as APM does). That is, APM is capable of making programs do things that their author(s) did not intend for them to do. Although you will rarely encounter any problems when using APM against target processes, please keep this in mind when manipulating them with APM. You use this tool at your own risk.

    Limitations:

    System Processes
    APM isn't able to work inside system processes such as smss.exe, csrss.exe, winlogon.exe, services.exe and so on. However, you shouldn't encounter any problems when using APM with application processes, such as Notepad or Calculator that come with the Windows operating system.
     
  11. controler

    controler Guest

    Excuse me!!!! ?

Did you read my post? I am sure you are not telling me a program should hang. I tried other processes besides system. I do know better than to try to mess with XP system files. The problem is most likely my computer since I have not reformatted in a while.
I think I understand now. If a trojan attaches itself to a system process, this program is of no use? It will only work when application DLLs have been infected?
     
  13. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
Sorry Controler, I missed your meaning as you did not state the actual processes that APM "hung" on :( I have had no problem with non-system processes in XP.

    I am sure Wayne will answer your last question. :D
     
  14. controler

    controler Guest

Hi Pilli

That is ok. I am only trying to find what I can.
Here is a copy of my system info. Maybe this will help.

    OS Name   Microsoft Windows XP Home Edition
    Version   5.1.2600 Service Pack 1 Build 2600
    OS Manufacturer   Microsoft Corporation
    System Name   HEWLETT-5K1589J
    System Manufacturer   Hewlett-Packard
    System Model   HP Pavilion Notebook PC
    System Type   X86-based PC
    Processor   x86 Family 6 Model 11 Stepping 1 GenuineIntel ~1133 Mhz
    BIOS Version/Date   Insyde Software IB.M1.10, 12/3/2002
    SMBIOS Version   2.3
    Windows Directory   C:\WINDOWS
    System Directory   C:\WINDOWS\System32
    Boot Device   \Device\HarddiskVolume2
    Locale   United States
    Hardware Abstraction Layer   Version = "5.1.2600.1106 (xpsp1.020828-1920)"
    User Name   HEWLETT-5K1589J\Owner
    Time Zone   Central Daylight Time
    Total Physical Memory   256.00 MB
    Available Physical Memory   42.11 MB
    Total Virtual Memory   826.41 MB
    Available Virtual Memory   434.81 MB
    Page File Space   586.93 MB
    Page File   C:\pagefile.sys
     
  15. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
In the TDS detection list is Rootkit.yyt 1.0 by a Chinese trojan maker, yyt_hac. This uses CreateRemoteThread and SetWindowsHookEx to inject "hider" DLLs inside MANY processes, including csrss.exe and explorer.exe. With the DLL inside most important places, the "rootkit" (not a real kernel-level driver rootkit) can patch calls to important Windows API calls, most importantly those which are used for listing files, processes, and netstat output.

Simply, this will mean the running trojan, RtKit.exe, doesn't show up in ANY process lister, not even APM's list. APM does however see the DLLs in some cases, and I was successfully able to remove this trojan with nothing other than APM and a standard process lister - and the delete key :D

I DID encounter some stability problems; however, this is not a real problem under the NT architecture, and I simply loaded another APM process and kept trying to unload DLLs as needed. Soon, the RTKIT.EXE process was available to kill, and that being deleted I simply rebooted and removed the rest of the files, and the registry key. DEAD trojan! :D

This wouldn't have been possible without APM, so it is available to the public. While it may have some problems, it is needed in a sense. Optix Pro 1.3 (and 1.31) use this method, as do other trojans that are already available or on the way, to hide files, registry keys and netstat output. So this tool should be any NT/2K/XP user's best friend until some serious anti-rootkit development can be made by AV vendors, and AT vendors :) Keep an eye on what is loaded in your poor explorer.exe's memory! And of course other processes...
     
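The post above describes the pattern APM was built to expose: one "hider" DLL injected into many processes at once, hooking the APIs that list files, processes and connections. The script below is an added example, not DiamondCS code and not part of the original thread, that does the same kind of survey from PowerShell: it maps every DLL to the processes it is loaded in, flags modules that are unsigned or loaded from outside the usual system directories and that appear in several processes, and cross-checks two independent process listers for a PID that one of them cannot see. The trusted-directory list, the signature heuristic and the process-count threshold are my own assumptions, not anything the thread specifies.

```powershell
# Added example (not DiamondCS/APM code). Assumptions, all mine: the trusted
# directory roots, the "valid Authenticode signature" heuristic and the
# MinProcesses threshold. Run elevated, from a PowerShell whose bitness matches
# the processes you want to inspect: Get-Process only exposes the module list
# of same-bitness processes, and protected/system processes refuse access
# (the APM manual makes the same exception for smss.exe, csrss.exe, winlogon.exe).

function Get-LoadedModuleMap {
    # One record per (DLL path, process) pair; processes whose module list
    # cannot be read are skipped rather than aborting the whole survey.
    foreach ($p in Get-Process) {
        $mods = $null
        try { $mods = $p.Modules } catch { continue }
        foreach ($m in $mods) {
            [pscustomobject]@{
                ProcessName = $p.ProcessName
                PID         = $p.Id
                Module      = $m.ModuleName
                Path        = $m.FileName
            }
        }
    }
}

function Find-SuspectModules {
    param(
        [Parameter(Mandatory)] $ModuleMap,
        # Directories from which system and application DLLs are expected to load (assumed list).
        [string[]] $TrustedRoots = @($env:windir, ${env:ProgramFiles}, ${env:ProgramFiles(x86)}, $env:ProgramW6432),
        # A hider DLL is injected into many processes at once; use 1 to see every flagged DLL.
        [int] $MinProcesses = 3
    )
    $roots = $TrustedRoots | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' }

    # Group by path so one injected DLL appears once, with the count of processes it lives in.
    $ModuleMap | Group-Object Path | ForEach-Object {
        $path  = [string]$_.Name
        $procs = @($_.Group | Select-Object -ExpandProperty ProcessName -Unique)

        $inTrustedDir = $false
        foreach ($r in $roots) {
            if ($path.StartsWith($r, [StringComparison]::OrdinalIgnoreCase)) { $inTrustedDir = $true }
        }
        $sig = 'Unknown'
        try { $sig = [string](Get-AuthenticodeSignature -FilePath $path -ErrorAction Stop).Status } catch { }

        $reasons = @()
        if (-not $inTrustedDir) { $reasons += 'outside trusted directories' }
        if ($sig -ne 'Valid')   { $reasons += "signature $sig" }

        # Out-of-place or unsigned DLL present in several processes: the injection pattern.
        if ($reasons.Count -gt 0 -and $procs.Count -ge $MinProcesses) {
            [pscustomobject]@{
                Path      = $path
                Signature = $sig
                Processes = $procs.Count
                LoadedIn  = ($procs -join ', ')
                Reason    = ($reasons -join '; ')
            }
        }
    }
}

function Compare-ProcessViews {
    # A user-mode hook only blinds the process it is loaded in. Get-Process runs
    # in this shell; Win32_Process is answered by the WMI provider host. A PID
    # present in one view but not the other is worth a closer look.
    $local = @(Get-Process | Select-Object -ExpandProperty Id)
    $wmi   = @(Get-CimInstance Win32_Process | Select-Object -ExpandProperty ProcessId)
    [pscustomobject]@{
        OnlyInWmi   = @($wmi   | Where-Object { $local -notcontains $_ })
        OnlyInLocal = @($local | Where-Object { $wmi   -notcontains $_ })
    }
}

# Usage: survey everything, list the candidates, then compare the two process views.
$map = Get-LoadedModuleMap
Find-SuspectModules -ModuleMap $map | Sort-Object Processes -Descending | Format-Table -AutoSize
Compare-ProcessViews | Format-List
```

Two caveats a practitioner should keep in mind. First, a hook installed inside the inspecting process can hide its own module from the `Modules` enumeration, which is why the post says APM saw the DLLs only "in some cases"; running the survey from a freshly started shell, or from a second tool as Gavin did, gives the injected DLL a smaller chance of being everywhere at once. Second, this script only lists; unloading a DLL from another process, as APM does, needs native code in that process, and an unload of a module its host did not expect can destabilise the host, exactly the caution the APM manual gives.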
  16. Gavin - DiamondCS

    Gavin - DiamondCS Former DCS Moderator

    Joined:
    Feb 10, 2002
    Posts:
    2,080
    Location:
    Perth, Western Australia
    @controler

I'm not exactly sure if Windows XP HOME edition even supports the same things XP Pro does o_O

    It might not - being the Win9x equivalent version of XP.. we will see what we can see :)
     
  17. Khaine

    Khaine Registered Member

    Joined:
    Oct 2, 2002
    Posts:
    127
Thanks to all you DiamondCS blokes, this is an excellent little tool :)
     