First, let me find a short definition of what we have to understand by a process and a thread. A process is an instance of a computer program that is being executed. It is a set of threads and their shared memory. A thread is a sequence of instructions to be executed on the CPU. Sounds a bit confusing, doesn't it?
A simple way to view processes is the Windows Task Manager, but it is a bit limited in functionality, and there are more advanced tools like Process Explorer from Sysinternals or Process Hacker, which is a great open-source tool. The advantage of Process Explorer is that it is a Microsoft tool and officially digitally signed by them.
Let's open a cmd and start a hidden PowerShell by typing the following command:
powershell -w hidden -c dir c:\ -recurse
Now a PowerShell process is running on our machine, but without a window. Process Explorer shows us a cmd.exe with a child process called conhost.exe.
Let's double-click conhost.exe and explore some useful functionalities of Process Explorer.
In the Image tab we can see useful information like the full path of the executable, the Command line field, which shows exactly the command we typed before, and the parent process. Another cool feature is the VirusTotal field. After clicking on Submit, a hash value of the binary is created and checked against the VirusTotal database. The value 0/68 means that the hash value of the binary is known and was checked with 68 different antivirus engines; 0 means that none of them sees a potential danger. A return value of n/a would imply that the hash value is not yet known to VirusTotal and the binary should be uploaded for further analysis.
Other interesting functions are the TCP/IP and the Strings tabs. If the binary makes any network connections, we would see them there. With the help of the strings it is possible to read out which strings are stored in the memory of a specific process. In the case of a cmd.exe we can find which commands were typed.
The next thing we want to have a short look at is the Threads tab. Every time a process needs some CPU power we will see activity there. From that tab we also have the possibility to suspend or kill a task. For example, if we open Notepad and suspend that task, Notepad will be in a frozen state.
If we suspend a task there is always a way back. For example, we can suspend a task, then create a memory dump and reactivate it by clicking on Resume. If we kill the task, there is no way back! Another tool that was briefly covered was Procmon from Sysinternals. With the help of that tool you can monitor the system and get specific traces of certain processes.
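The Image and TCP/IP tab information above can also be collected from PowerShell, which is handy when you want to check many processes at once or leave a record. This is an added example, not code from the original post; it assumes Windows PowerShell 5.1 or later with the built-in CIM and NetTCPIP cmdlets, and the function names are mine. The last function is the defender's view of the hidden-window command used earlier: it lists PowerShell instances whose command line asked for a hidden window.

```powershell
# Added example (not from the original post): what Process Explorer's Image and
# TCP/IP tabs show for a process, collected from PowerShell, plus a check for
# PowerShell instances started with a hidden window.
# Assumes Windows PowerShell 5.1+ with the CIM and NetTCPIP cmdlets available.

function Get-ProcessImageInfo {
    param([Parameter(Mandatory)][int]$ProcessId)

    # Win32_Process carries the command line and parent PID that Get-Process lacks.
    $proc = Get-CimInstance Win32_Process -Filter "ProcessId = $ProcessId"
    if (-not $proc) { throw "No process with PID $ProcessId" }
    $parent = Get-CimInstance Win32_Process -Filter "ProcessId = $($proc.ParentProcessId)"

    # SHA-256 of the on-disk image is the value you would look up in a hash
    # database such as VirusTotal; it is not a verdict by itself.
    $hash = $null
    if ($proc.ExecutablePath -and (Test-Path $proc.ExecutablePath)) {
        $hash = (Get-FileHash -Algorithm SHA256 $proc.ExecutablePath).Hash
    }

    [pscustomobject]@{
        PID         = $proc.ProcessId
        Name        = $proc.Name
        Path        = $proc.ExecutablePath
        CommandLine = $proc.CommandLine
        ParentPID   = $proc.ParentProcessId
        ParentName  = if ($parent) { $parent.Name } else { '<exited>' }
        SHA256      = $hash
    }
}

function Get-ProcessTcpConnections {
    param([Parameter(Mandatory)][int]$ProcessId)
    # Equivalent of the TCP/IP tab: TCP endpoints owned by this PID.
    Get-NetTCPConnection -OwningProcess $ProcessId -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, RemoteAddress, RemotePort, State
}

function Find-HiddenWindowPowerShell {
    # Detection view: PowerShell started with a hidden window, as in the demo
    # command. The regex covers the common spellings -w, -win, -window and
    # -windowstyle followed by hid/hidden.
    Get-CimInstance Win32_Process -Filter "Name = 'powershell.exe' OR Name = 'pwsh.exe'" |
        Where-Object { $_.CommandLine -match '(?i)(^|\s)-w(in(dow(style)?)?)?\s+hid(den)?\b' } |
        ForEach-Object { Get-ProcessImageInfo -ProcessId $_.ProcessId }
}

# Usage: inspect the first PowerShell process found, then list hidden-window ones.
$target = Get-Process -Name powershell -ErrorAction SilentlyContinue | Select-Object -First 1
if ($target) {
    Get-ProcessImageInfo -ProcessId $target.Id | Format-List
    Get-ProcessTcpConnections -ProcessId $target.Id | Format-Table
}
Find-HiddenWindowPowerShell | Format-Table PID, ParentName, CommandLine -AutoSize
```

Run it in an elevated prompt if you want command lines of processes owned by other users; unprivileged sessions get an empty CommandLine for those.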
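Procmon can also be driven without the GUI, which is useful for getting a repeatable trace of a specific process. The following is an added example, not from the original post: it starts a capture with Procmon's documented command-line switches, converts the log to CSV, and summarises what one process did. It assumes procmon.exe is on the PATH; the file paths and the sample CSV are constructed for this example.

```powershell
# Added example (not from the original post): capture a Process Monitor trace
# non-interactively, export it to CSV and summarise one process's operations.
# Assumes procmon.exe (Sysinternals) is on PATH and the shell is elevated.
# Paths and the sample CSV below are constructed for this example.

function Start-ProcmonTrace {
    param([string]$BackingFile = "$env:TEMP\trace.pml", [int]$Seconds = 10)
    # /Quiet suppresses the filter dialog, /Minimized keeps the window out of
    # the way, /BackingFile writes events to a file instead of the paging file.
    Start-Process procmon.exe -ArgumentList "/AcceptEula /Quiet /Minimized /BackingFile `"$BackingFile`""
    Start-Sleep -Seconds $Seconds
    Start-Process procmon.exe -ArgumentList '/Terminate' -Wait
    # Convert the binary PML log to CSV so it can be parsed with Import-Csv.
    $csv = [IO.Path]::ChangeExtension($BackingFile, 'csv')
    Start-Process procmon.exe -ArgumentList "/OpenLog `"$BackingFile`" /SaveAs `"$csv`"" -Wait
    return $csv
}

function Get-ProcmonSummary {
    param([Parameter(Mandatory)]$Events, [Parameter(Mandatory)][string]$ProcessName)
    # Group the operations one process performed; this is the scripted version
    # of filtering Procmon's display to a single process name.
    $Events | Where-Object { $_.'Process Name' -eq $ProcessName } |
        Group-Object Operation | Sort-Object Count -Descending |
        Select-Object Name, Count
}

# Constructed sample in Procmon's CSV export layout (not a real trace).
$sampleCsv = @'
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","powershell.exe","4212","CreateFile","C:\","SUCCESS","Desired Access: Read Data/List Directory"
"10:01:02.2","powershell.exe","4212","QueryDirectory","C:\*","SUCCESS","Filter: *"
"10:01:02.3","powershell.exe","4212","QueryDirectory","C:\Windows\*","SUCCESS","Filter: *"
"10:01:02.4","powershell.exe","4212","CloseFile","C:\","SUCCESS",""
"10:01:02.5","notepad.exe","5100","RegOpenKey","HKCU\Software\Microsoft\Notepad","SUCCESS","Desired Access: Read"
'@
$events = $sampleCsv | ConvertFrom-Csv
Get-ProcmonSummary -Events $events -ProcessName 'powershell.exe' | Format-Table

# For a real capture, replace the sample with:
# $events = Import-Csv (Start-ProcmonTrace -Seconds 15)
```

The constructed sample mirrors what the earlier `dir c:\ -recurse` would look like in a trace: a CreateFile on the directory followed by QueryDirectory operations. With a real capture, the same summary shows you quickly which file, registry and process operations dominate for a process you are investigating.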
If you remember the last exercise and do a dump of the lsass.exe process, you will also save some passwords that are stored in memory. So be careful about that 😉
Some repeating questions:
What is the lowest PID (Process Identifier) you can observe in the OS?
0 –> Idle process
Get-Process | Sort-Object Id | Select -First 5
You’ll notice that all of the PIDs are divisible by 4. 4 is therefore the first PID available after 0 (which is the Idle process).
Which process is the parent process for most svchost.exe processes?
How many threads can you observe within the notepad.exe process?
Which DLL must be present if you want to configure symbols for Process Explorer?
Which activities Process Monitor CANNOT monitor?
Shared memory access
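The questions about PIDs, the parent of svchost.exe and the thread count of notepad.exe can all be answered on your own machine from PowerShell rather than by reading them off Process Explorer. This is an added example, not part of the original post; the process names are the page's own, and the function names and the per-thread state summary are my additions.

```powershell
# Added example (not from the original post): answer the repeating questions
# above from PowerShell. Assumes Windows PowerShell 5.1+ with CIM cmdlets.

function Get-LowestPids {
    param([int]$Count = 5)
    # PID 0 is the System Idle process; every later PID is a multiple of 4.
    Get-Process | Sort-Object Id | Select-Object -First $Count Id, ProcessName
}

function Test-PidsDivisibleByFour {
    # $true when no running process has a PID that is not a multiple of 4.
    $odd = @(Get-Process | Where-Object { $_.Id % 4 -ne 0 })
    return ($odd.Count -eq 0)
}

function Get-ParentOfProcessName {
    param([Parameter(Mandatory)][string]$Name)
    # Group all instances of $Name by parent name so the dominant parent stands out.
    $all = Get-CimInstance Win32_Process
    $byPid = @{}
    foreach ($p in $all) { $byPid[[int]$p.ProcessId] = $p }
    $all | Where-Object { $_.Name -eq $Name } | ForEach-Object {
        $parent = $byPid[[int]$_.ParentProcessId]
        if ($parent) { $parent.Name } else { "<exited PID $($_.ParentProcessId)>" }
    } | Group-Object | Sort-Object Count -Descending | Select-Object Name, Count
}

function Get-ThreadSummary {
    param([Parameter(Mandatory)][string]$Name)
    # Equivalent of the Threads tab: thread count per process and how many
    # threads are in each state (Wait, Running, ...).
    foreach ($proc in (Get-Process -Name $Name -ErrorAction SilentlyContinue)) {
        [pscustomobject]@{
            PID         = $proc.Id
            ThreadCount = $proc.Threads.Count
            States      = ($proc.Threads | Group-Object ThreadState |
                           ForEach-Object { "$($_.Name)=$($_.Count)" }) -join ', '
        }
    }
}

# Usage (Get-Process takes names without .exe, Win32_Process includes it).
Get-LowestPids | Format-Table
"All PIDs divisible by 4: $(Test-PidsDivisibleByFour)"
Get-ParentOfProcessName -Name 'svchost.exe' | Format-Table
Get-ThreadSummary -Name 'notepad' | Format-Table
```

Thread counts for notepad.exe vary between Windows versions and with what the window is doing, so run it with Notepad open and compare against what the Threads tab shows for the same PID.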