SocketSpy vs. changing PIDs

Discussion in 'Port Explorer' started by spy1, Jun 16, 2003.

Thread Status:
Not open for further replies.
  1. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    I'd like to use the SocketSpy feature to monitor various programs, but I'm finding that - if you want to capture things from the get-go (as soon as whatever program launches) - you can't really do that if the PID of said program changes every time it's started.

    So, if you know what ports a program uses while in operation, can you somehow set those to be watched with the SocketSpy feature ahead of time - before the program you want to monitor is launched?

    I see no other way (with PE, anyway) to monitor an app at its start-up to see what (or if) gets sent or received when the app starts.

    So, what do you do in a case like this if you want to accomplish the above? Pete
     
  2. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Sounds like you want to profile the startup of an application ... the best way to do this is with a debugger :)

    Currently, Port Explorer doesn't have a "load and watch" feature, but adding such a feature would be possible and wouldn't involve too much effort, so we may consider such an option for the next update to PE.

    Until then, one trick you can try is to load the target process into a debugger so that it is loaded in memory (but not running). You'll then have its process ID showing in Task Manager and the debugger - simply add that PID to Socket Spy, then allow the loaded process to run. You'll get the exact result you're after, the only downside is that you have to run the target in the context of a debugger, but that shouldn't cause you any problems unless the target has anti-debug routines.

    Cheers,
    Wayne
     
  3. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
    Yes, indeed - I'd love a "load & watch" feature added to PE!

    Think how it would simplify checking apps for adware, "phone-home" spyware, scumware, you-name-it-ware!

    Thank you! Pete
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,878
    Location:
    New England
    Excellent idea and I'm sure it'd be quite popular, too! :)
     
  5. Wayne - DiamondCS

    Wayne - DiamondCS Security Expert

    Joined:
    Jul 19, 2002
    Posts:
    1,533
    Location:
    Perth, Oz
    Load and watch trick

    I'll leave it up to Jason as to whether or not we add a 'load and watch' feature, but if we do it won't be for at least a month or so as there aren't any scheduled updates for Port Explorer in the extreme near future due to the upcoming release of Wormguard4.

    However, the debugger trick is very easy to use, doesn't require any prior knowledge of disassemblers/debuggers, and the trick works virtually the same as if we added this as a feature. For a nice free debugger (we regularly use it, I've made several contributions to Oleh's bug list that have since been fixed) try OllyDbg, download at OllyDbg (1mb). No install, just unzip to a path of your choice, i.e. c:\olly\, and run ollydbg.exe

    To do a 'load and watch'...
    1. Go to the File | Open menu (in OllyDbg), and select your target exe. OllyDbg will load and disassemble the process (but no code will be run).
    2. Use a process list tool such as Windows Task Manager to get the process ID of your target exe (even as a debuggee it is its own process, separate from that of the debugger).
    3. Go to Port Explorer's Socket Spy and add that process ID to the spy list.
    4. Go back to OllyDbg and press F9 (or the Debug | Run menu).

    That's all - your target will now be running and Socket Spy will capture all data from that process. You shouldn't encounter any problems as long as the target doesn't use anti-debug tricks (some packers also have anti-debug code built in, although common ones like UPX, ASPack, PECompact etc. don't).

    Have fun! :)

    PS. I'll have a new toy for you to play with in about an hour or so, it'll be available in the Port Explorer Member's Area, and is basically a very simple loader that allows you to 'load and watch' with Port Explorer (and without using any debuggers).

    [an hour later]
    Ok, done - see here :)

    Cheers,
    Wayne
     
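The "very simple loader" Wayne mentions in his PS is not reproduced on this page. As an added example (not DiamondCS's tool, and not part of the original thread), the PowerShell script below does the same 'load and watch' as the OllyDbg steps in posts 2 and 5, without a debugger: it creates the target with the CREATE_SUSPENDED flag, so the process ID exists before any of its code runs, pauses for you to add that PID to Socket Spy (or any other per-process monitor), then resumes the main thread. The target path and arguments are assumed inputs, and the `SuspendedLoader` P/Invoke wrapper is helper code written for this example.

```powershell
<#
  load-and-watch.ps1  (added example; not the DiamondCS loader)
  Launches a target exe suspended, reports its PID so a per-process
  monitor can be attached, then lets it run. Because no anti-debug
  check sees a debugger, this avoids the one caveat of the OllyDbg trick.
#>
param(
    [Parameter(Mandatory = $true)]
    [string]$Path,            # target exe, e.g. C:\Tools\suspect.exe (assumed path)
    [string]$Arguments = ''   # optional command-line arguments for the target
)

# Minimal P/Invoke surface: CreateProcess, ResumeThread, CloseHandle.
$src = @'
using System;
using System.Text;
using System.Runtime.InteropServices;

public static class SuspendedLoader
{
    public const uint CREATE_SUSPENDED = 0x00000004;

    [StructLayout(LayoutKind.Sequential, CharSet = CharSet.Unicode)]
    public struct STARTUPINFO
    {
        public int cb;
        public string lpReserved, lpDesktop, lpTitle;
        public int dwX, dwY, dwXSize, dwYSize, dwXCountChars, dwYCountChars, dwFillAttribute, dwFlags;
        public short wShowWindow, cbReserved2;
        public IntPtr lpReserved2, hStdInput, hStdOutput, hStdError;
    }

    [StructLayout(LayoutKind.Sequential)]
    public struct PROCESS_INFORMATION
    {
        public IntPtr hProcess;
        public IntPtr hThread;
        public int dwProcessId;
        public int dwThreadId;
    }

    [DllImport("kernel32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
    public static extern bool CreateProcess(
        string lpApplicationName, StringBuilder lpCommandLine,
        IntPtr lpProcessAttributes, IntPtr lpThreadAttributes, bool bInheritHandles,
        uint dwCreationFlags, IntPtr lpEnvironment, string lpCurrentDirectory,
        ref STARTUPINFO lpStartupInfo, out PROCESS_INFORMATION lpProcessInformation);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern uint ResumeThread(IntPtr hThread);

    [DllImport("kernel32.dll", SetLastError = true)]
    public static extern bool CloseHandle(IntPtr hObject);
}
'@
if (-not ('SuspendedLoader' -as [type])) { Add-Type -TypeDefinition $src }

$exe = (Resolve-Path -LiteralPath $Path).Path      # throws if the file does not exist
$si  = New-Object SuspendedLoader+STARTUPINFO
$si.cb = [Runtime.InteropServices.Marshal]::SizeOf($si)
$pi  = New-Object SuspendedLoader+PROCESS_INFORMATION
# CreateProcessW may write into the command line, so pass a mutable buffer.
$cmd = New-Object System.Text.StringBuilder(('"{0}" {1}' -f $exe, $Arguments))

$ok = [SuspendedLoader]::CreateProcess(
    $exe, $cmd, [IntPtr]::Zero, [IntPtr]::Zero, $false,
    [SuspendedLoader]::CREATE_SUSPENDED, [IntPtr]::Zero, $null,
    [ref]$si, [ref]$pi)
if (-not $ok) {
    throw ("CreateProcess failed, Win32 error {0}" -f [Runtime.InteropServices.Marshal]::GetLastWin32Error())
}

# At this point the image is mapped and the PID is visible in Task Manager,
# but the main thread has not executed a single instruction of the target.
Write-Host ("Target loaded but not running. PID = {0}" -f $pi.dwProcessId)
Read-Host "Add this PID to Socket Spy, then press Enter to let the target run" | Out-Null

# ResumeThread returns the previous suspend count, or 0xFFFFFFFF on failure.
if ([SuspendedLoader]::ResumeThread($pi.hThread) -eq 0xFFFFFFFF) {
    throw "ResumeThread failed"
}
[SuspendedLoader]::CloseHandle($pi.hThread)  | Out-Null
[SuspendedLoader]::CloseHandle($pi.hProcess) | Out-Null
Write-Host "Target resumed; the monitor now sees every socket call it makes."
```

Usage: `.\load-and-watch.ps1 -Path C:\Tools\suspect.exe -Arguments '/quiet'`. The script stays in the Read-Host prompt until you have added the printed PID in Socket Spy, so nothing the target sends at start-up is missed. Note that the target still inherits the launching shell's token and environment, the same as when it is started from a debugger, so run it from the same account you would normally use for the analysis.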