Using Socket Spy on a process which only runs for a very short period?

Discussion in 'Port Explorer' started by Defenestration, Apr 6, 2006.

Thread Status:
Not open for further replies.
  1. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    I'm sure I've read this information somewhere (possibly in the PE manual), but for the life of me I can't find it again.

    I want to use Socket Spy on a process which only runs for a short period. The problem is that I don't get a chance to add the process to the spy list of SS due to it having ended too soon.

    Can anyone enlighten me on how to do this?
     
  2. gottadoit

    gottadoit Security Expert

    Joined:
    Jul 12, 2004
    Posts:
    601
    Location:
    Australia
    Defenestration,
    Do you start the process yourself, or is it started by an already running process?

    It's easy if you are starting it yourself: sloader is what you are looking for.
    If the process is being started by an already running program, then you just need something that does execution control (at a kernel level). There are quite a few to choose from, and the process may well be visible in the tasklist (with a PID) at the time you get the execution prompt.
     
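The "start it yourself, paused" approach gottadoit points to has a direct POSIX analogue that shows why it solves the timing problem. The script below is an added example written for this thread; it is not code from Port Explorer, sloader or either poster, and it assumes that sloader's job is simply to launch the target in a suspended state so a monitor can be attached before the program runs (the thread does not spell out how sloader works). The function names `launch_paused`, `monitor_short_lived` and `demo` are hypothetical. It forks, makes the child stop itself with SIGSTOP immediately before exec, hands the PID to an `attach` callback (record it, add it to a spy list, start a tracer, read its /proc entry), and only then resumes the child with SIGCONT. It needs a POSIX system (`os.fork`, `os.WUNTRACED`), so it will not run on Windows as written.

```python
import os
import signal
import tempfile


def launch_paused(argv):
    """Fork and leave the child stopped just before exec; return its PID.

    Because the stop happens before execvp, not a single instruction of the
    target program has run when this function returns, so a monitor can be
    attached without racing a short-lived process.
    """
    pid = os.fork()
    if pid == 0:
        # Child: stop ourselves. The parent resumes us with SIGCONT after
        # its monitor is in place; execution then continues straight into exec.
        os.kill(os.getpid(), signal.SIGSTOP)
        try:
            os.execvp(argv[0], argv)
        except OSError:
            os._exit(127)  # exec failed: report like a shell would
    return pid


def wait_until_stopped(pid):
    """Block until the child reports the stop; True if it really stopped."""
    _, status = os.waitpid(pid, os.WUNTRACED)
    return os.WIFSTOPPED(status)


def resume_and_wait(pid):
    """Let the paused child run to completion and return its exit code."""
    os.kill(pid, signal.SIGCONT)
    _, status = os.waitpid(pid, 0)
    if os.WIFEXITED(status):
        return os.WEXITSTATUS(status)
    return -1  # killed by a signal


def monitor_short_lived(argv, attach):
    """Run argv with attach(pid) called before the program starts.

    `attach` is whatever hooks the monitor up: here it is a plain callable
    standing in for "add this PID to the spy list".
    """
    pid = launch_paused(argv)
    if not wait_until_stopped(pid):
        raise RuntimeError("child exited before it could be paused")
    attach(pid)  # monitor is attached while the target is still frozen
    return pid, resume_and_wait(pid)


def demo():
    """Constructed end-to-end check of the ordering guarantee.

    The target writes a marker file and exits with code 3. The attach
    callback records whether the marker already existed, which proves the
    monitor was attached before the program ran.
    """
    workdir = tempfile.mkdtemp()
    marker = os.path.join(workdir, "ran")
    seen = []

    def attach(pid):
        seen.append((pid, os.path.exists(marker)))

    pid, rc = monitor_short_lived(
        ["sh", "-c", "echo ran > '%s'; exit 3" % marker], attach
    )
    return {
        "pid": pid,
        "exit_code": rc,
        "attached_before_run": seen == [(pid, False)],
        "target_ran": os.path.exists(marker),
    }


if __name__ == "__main__":
    print(demo())
```

The stop-before-exec point is what matters: a kernel-level execution-control tool that blocks the *parent's* CreateProcess call, as Defenestration found with SSM, halts things one step too early (no PID exists yet), whereas pausing the already-created child gives the monitor a PID to work with and unlimited time to use it.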
  3. Defenestration

    Defenestration Registered Member

    Joined:
    Jul 17, 2004
    Posts:
    1,086
    Thanks gottadoit. SLoader was the program I was thinking about but couldn't remember.

    In this instance it was a process being started by another process.

    I tried doing it with SSM, but since it stops the app before it executes it has no PID.

    I solved the problem by using app control from my software firewall, since this allows the app to run but doesn't give it Internet access until the alert is clicked, which gives plenty of time to add the process to Socket Spy's list. I don't know why I didn't think of doing it before. Must've had a moment :)
     