Malware find the intruder

Started by TouEnMasm, November 14, 2015, 09:20:47 PM

TouEnMasm

Hello,
This one is made to find malicious software that wants to mask itself.
It uses lists of programs as shown in the task manager.
It works with three text files:
********** memopage\ReferenceList.txt
           is the list of programs with no problem; you modify it manually with Notepad
********** memopage\ActualList.txt
           is the list generated by find_intruder
********** memopage\SuspectList.txt
           is the result of the comparison between ReferenceList.txt and ActualList.txt

In SuspectList.txt you must find all that is not usual.
You must make a search on the internet to know what they are.

If they are normal programs (updaters and other programs) you can add them to
ReferenceList.txt with Notepad.
If they are malware, you perhaps have their disk location in the text file.
If not, make a DIR /S/B on c:\ in a DOS window (cmd.exe).
Delete them from memory with the task manager and erase them from the disk.

ReferenceList.txt is made under Windows 10; you must modify it if you have another system.
SuspectList.txt is shown in Notepad only if there is something unusual.

The same thing is made for drivers and services.
The antimalware needs at least Win 7.

Fa is a musical note to play with CL
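The three-file workflow described in the post above (a hand-edited ReferenceList, a generated ActualList, and the SuspectList produced by comparing them), as an added example in Python that is not the original find_intruder program. The process snapshot is constructed sample data standing in for the enumeration the real tool does through the Windows API; the file layout ("name<TAB>path" per ActualList line, "#" comments in the reference) is an assumption of this example.

```python
from typing import Dict, List

# Constructed sample of a ReferenceList.txt as edited by hand in Notepad.
# Blank lines and lines starting with '#' are ignored; names are matched
# case-insensitively because Windows file names are case-insensitive.
REFERENCE_LIST = """\
# known-good programs, one image name per line
explorer.exe
svchost.exe
Notepad.exe
"""

# Constructed snapshot of running images (name -> full path), standing in for
# a real process enumeration. "updater.exe" and "strangeprog.exe" are not in the baseline.
ACTUAL_SNAPSHOT: Dict[str, str] = {
    "explorer.exe": r"C:\Windows\explorer.exe",
    "svchost.exe": r"C:\Windows\System32\svchost.exe",
    "notepad.exe": r"C:\Windows\System32\notepad.exe",
    "updater.exe": r"C:\Program Files\SampleVendor\updater.exe",
    "strangeprog.exe": r"C:\Users\Public\strangeprog.exe",
}


def parse_list(text: str) -> set:
    """Parse a ReferenceList/ActualList text into a set of lower-cased image names."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # ActualList lines carry "name<TAB>path"; only the name part is compared
        names.add(line.split("\t", 1)[0].lower())
    return names


def build_actual_list(snapshot: Dict[str, str]) -> str:
    """Render the snapshot as ActualList.txt text: 'name<TAB>path' per line, sorted."""
    return "".join(f"{name}\t{path}\n" for name, path in sorted(snapshot.items()))


def build_suspect_list(reference_text: str, actual_text: str) -> List[str]:
    """Return the ActualList lines whose image name is absent from the reference list."""
    known = parse_list(reference_text)
    suspects = []
    for line in actual_text.splitlines():
        name = line.split("\t", 1)[0].strip().lower()
        if name and name not in known:
            suspects.append(line)  # keep the path: it is the disk location to check
    return suspects
```

An empty result corresponds to the case where SuspectList.txt is not opened at all; anything listed still needs the manual lookup the post describes before it is added to the reference.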

jj2007

Impossibile avviare il programma perché VCRUNTIME140.dll non è presente nel computer. Per risolvere il problema, provare a reinstallare il programma.

BTW, it gave me an occasion to hack together the attached little proggie that extracts the message and puts it on the clipboard. Just run it and press right Control, then right-click on the error message or whatever.

TouEnMasm

AH! The man who wants to resist Microsoft again. :lol:
Courage!! :shock:
Download "vc++ redistributable 2015".
For the baby who doesn't want to eat from his little spoon, here is a direct link:
https://www.microsoft.com/fr-fr/download/details.aspx?id=48145
Choose your language if the internet doesn't do it.

Fa is a musical note to play with CL

TWell

Some of us try not to install unnecessary versions on the PC to keep the testing environment clean.
For Windows 10 vcruntime140.dll (84 KB) is enough, but Windows 7 needs more.

TouEnMasm

Quote
For Windows 10 vcruntime140.dll (84 KB) is enough, but Windows 7 needs more
Have you tested the download?
If I read the system requirements given by Microsoft, it is
Quote
Supported operating system

Windows 10; Windows 7 Service Pack 1; Windows 8; Windows 8.1; Windows Server 2003 Service Pack 2; Windows Server 2008 R2 SP1; Windows Server 2008 Service Pack 2; Windows Server 2012; Windows Vista Service Pack 2; Windows XP Service Pack 3
For more information about operating system support, see the Visual Studio 2015 Compatibility page. Hardware requirements: • 1.6 GHz or faster processor
• 1 GB of RAM (1.5 GB if running on a virtual machine)
• 50 MB of available hard disk space
• 5400 RPM hard drive

Fa is a musical note to play with CL

TWell

In that SuspectList.txt there was nothing to suspect.
Mostly drivers and virus scanner files.

TouEnMasm

Quote
In that SuspectList.txt there was nothing to suspect.
You are happy... this time.
You can just copy and paste (with Notepad) this list into ReferenceList.txt and next time you won't see them.

Fa is a musical note to play with CL

jj2007

Quote from: TWell on November 15, 2015, 01:57:09 AM
Some of us try not to install unnecessary versions on the PC to keep the testing environment clean.

Indeed :t

zedd151

Doesn't seem to want to run under XP pro sp3. 

TouEnMasm

Quote
Doesn't seem to want to run under XP pro sp3.
XP pro sp3 is given as usable with the "vc++ redistributable 2015".
Have you downloaded it?

Fa is a musical note to play with CL

TWell

Can't run in XP of course. Exe needs at least OS version 6.0.
K32GetProcessImageFileNameA was missing from kernel32.dll.

TouEnMasm

Quote
Can't run in XP of course. Exe needs at least OS version 6.0. ?
https://msdn.microsoft.com/fr-fr/library/windows/desktop/ms683217(v=vs.85).aspx
Minimum supported client: Windows XP [desktop apps only]

I am a little lost with the various versions of XP.
I am now adding the same thing for the drivers and the services, and the minimal system supported will be Win 7.
The useful thing in "find the intruder" is that an anti-malware couldn't delete services and drivers.
A user with administrator rights is needed to delete them.
That will be too bad for XP.
Fa is a musical note to play with CL

TWell

Did you notice this?
Quote
Psapi.lib on Windows Server 2008, Windows Vista, Windows Server 2003, and Windows XP
So that problem was in psapi with that program.
kernel32.dll function list here and here

TouEnMasm

The same thing is made for drivers and services.
The antimalware needs at least Win 7.
It can show you all changes in the loaded modules, the installed drivers and all the services.
I have a problem with Bamcof.exe.
It installs a service named Bamcof that I have uninstalled.
Without doing anything it returns; any help?
Fa is a musical note to play with CL