4

I have a list of 1000 processes and I want to identify which of them are legitimate and which are not. I only have the name of the processes and I want to categorize them. Is there any way to get information of those processes programmatically?

If I can at least identify which of them are common processes, that can help me to make a shorter list. I can then search other unknown processes and get their information.

Basically, I need to check a list of Windows processes on a Mac/Linux and I only have the names of the processes. I want to find the complete information of the processes so that I can find out the legitimate processes. There are currently 1000 processes in the list and it may increase in future. I can do it manually for now, but I want to run a script to do the check automatically.

  • 3
    which language/platform are you using? – pri Jul 28 '15 at 10:38
  • I have not used any language yet. I am comfortable with any language. I want to write a script on Unix, to check the process list programmatically. – rise of a phoenix Jul 28 '15 at 16:53
  • If you're using C/CPP, you can use system() function to execute the console command; Similarly, if you're using Java, you can use Runtime.getRuntime.exec() function. The ps command should do the trick. There are several switches which you can explore and try with ps command. – pri Jul 28 '15 at 17:02
  • What if a legitimate process has the same name as a malicious one? – enkryptor Jun 21 '16 at 13:49

4 Answers

3

The list of common/legitimate processes will depend on the OS installed. Also, the list will depend on the software you have installed on your machine.

In Windows, you can try
tasklist
In Linux, you can try
ps

You can make a list of trusted applications (which you can do manually or look up online). Then, after getting the list of running processes programmatically, you can compare the list with your trusted list of processes and display only the remaining processes.

If you feel that some of these processes are harmless and legitimate, you can add these processes to your list of trusted applications, so that they won't show up again the next time you run your program.

pri
  • 4,438
  • 24
  • 31
  • I think I have not used the correct wording for the question. I need to check a list of Windows processes on a Mac/Linux and I only have the names of the processes. I want to find the complete information of the processes so that I can find out the legitimate processes. There are currently 1000 processes in the list and it may increase in future. I can do it manually for now, but I want to run a script to do the check automatically. Basically, I want to write something that would search Google for information on the .exe file names. Let me know if you have any questions. – rise of a phoenix Jul 28 '15 at 17:04
  • Okay, correct me if I'm wrong, but as far as I understand, you have only a list of processes (of Windows), and you want to run the script on Mac/LINUX machine. But, only the names of processes won't give you a fair idea of their malicious/useful intent. Yes, there are some processes which run on every Windows machine, and then there are some other processes like chrome.exe, which are commonly used. So you can white list these, but apart from these, you'll have to (at least for the first few times), manually check the processes. – pri Jul 29 '15 at 04:35
  • I have found a way to do this. I have written a script to check the process name on http://www.processlibrary.com/en/. I am parsing the html from the website. Thanks for your help – rise of a phoenix Jul 29 '15 at 06:03
3

ProcessExplorer by SysInternals can help with this if you have access to the machine.

You can even submit hashed process data to VirusTotal to give you an idea if it's a legitimate file/process or not.

It also color codes data which I find very helpful.

And you can quickly determine which files are signed.


For a quick tutorial on how to get the most out of ProcessExplorer, check out: http://www.howtogeek.com/school/sysinternals-pro/lesson2/ (images from howtogeek.com)

k1DBLITZ
  • 3,933
  • 14
  • 20
2

There are many heuristics by which you can find which processes are malicious and which are not. I'll explain this with some examples:

  1. Malware tends to use common exe names to hide from detection tools. In cases like that, you can check the file location of the processes being executed. For example: processes named svchost.exe should only be launched from the \Windows\System32\ directory.

  2. Malware uses advanced techniques like process hollowing, using which they can run svchost.exe or any legit binary (which is like a bypass for the first case). In such cases, we can use known Windows internals to our advantage. For example: only services.exe can launch a legit svchost.exe. So, if any svchost.exe process has a parent that is not services.exe, it is 100% malicious.

  3. Similarly, there are other heuristics, like services.exe and lsass.exe should each have only one instance running.

Apart from the above-mentioned techniques, this reference is really awesome for finding suspicious processes in Windows.

https://digital-forensics.sans.org/media/SANS_Poster_2018_Hunt_Evil_FINAL.pdf

schroeder
  • 123,438
  • 55
  • 284
  • 319
Ashutosh Raina
  • 369
  • 3
  • 8
1

To get process information programmatically (as you asked), it depends on the language you want to use but also on your processor version (32 or 64 bits).

You can use Python's subprocess module:

import subprocess

# Run WMIC (available on Windows) and read its output one line at a time
cmd = 'WMIC PROCESS get Caption,Commandline,Processid'
proc = subprocess.Popen(cmd, shell=True, stdout=subprocess.PIPE)
for line in proc.stdout:
    # stdout yields bytes; decode before printing
    print(line.decode(errors='replace').rstrip())

Or the WMI module, for both processor versions:

import wmi  # third-party package (pip install wmi); Windows only

c = wmi.WMI()

# Each Win32_Process instance exposes the process id, name, executable path, etc.
for process in c.Win32_Process():
    print(process.ProcessId, process.Name)

You can also call any command you type in CMD from Python using the subprocess module I mentioned before.

As for just isolating the suspicious processes, you first need to list the criteria on which your judgment will be based.

For example, Windows 7 and 8 have a hierarchy of processes where we can usually find three or four top-level processes. This makes it easy to see which processes are the parents of others. Wininit, for example, is the ancestor of a large number of processes including multiple instances of the famous svchost.exe process. As this process is so important for Windows, malware uses it, and malicious processes appear in the list next to svchost with names such as svch0st.exe (0 instead of o), svhost.exe (without c) and so on.

So once you have this criterion in mind you can sort them in a Python list and display them separately to help you distinguish the suspicious processes.
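A worked example pulling together the heuristics from the two answers above (expected directory, expected parent, single-instance processes, and lookalike names such as svch0st.exe). This is added example code, not from the original answers; the process records are constructed samples with the fields a WMIC or WMI query could supply, and the wininit.exe parent rules are assumed from standard Windows process-tree knowledge rather than stated on the page.

```python
from collections import Counter
from difflib import SequenceMatcher

# Constructed sample records (not real telemetry): process name, executable path, parent name.
SAMPLE = [
    {"name": "services.exe", "path": r"C:\Windows\System32\services.exe", "parent": "wininit.exe"},
    {"name": "lsass.exe", "path": r"C:\Windows\System32\lsass.exe", "parent": "wininit.exe"},
    {"name": "svchost.exe", "path": r"C:\Windows\System32\svchost.exe", "parent": "services.exe"},
    {"name": "svchost.exe", "path": r"C:\Users\bob\AppData\Roaming\svchost.exe", "parent": "explorer.exe"},
    {"name": "svch0st.exe", "path": r"C:\Windows\Temp\svch0st.exe", "parent": "explorer.exe"},
    {"name": "lsass.exe", "path": r"C:\Windows\Temp\lsass.exe", "parent": "cmd.exe"},
    {"name": "chrome.exe", "path": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "parent": "explorer.exe"},
]

# Heuristics: core binaries that must live in System32, expected parents
# (svchost rule from the answer above; the wininit.exe rules are assumed from
# standard Windows 7+ process-tree knowledge), and single-instance processes.
SYSTEM32 = r"c:\windows\system32"
SYSTEM32_ONLY = {"svchost.exe", "services.exe", "lsass.exe"}
EXPECTED_PARENT = {"svchost.exe": "services.exe", "lsass.exe": "wininit.exe", "services.exe": "wininit.exe"}
SINGLE_INSTANCE = {"services.exe", "lsass.exe"}
LOOKALIKE_TARGETS = ["svchost.exe"]

def lookalike(name):
    """Return the core name this one imitates (svch0st.exe, svhost.exe), or None for exact/unrelated names."""
    n = name.lower()
    for core in LOOKALIKE_TARGETS:
        if n != core and SequenceMatcher(None, n, core).ratio() >= 0.85:
            return core
    return None

def find_suspicious(procs):
    """Return {record index: [reasons]} for every record that trips at least one heuristic."""
    counts = Counter(p["name"].lower() for p in procs)
    findings = {}
    for i, p in enumerate(procs):
        n = p["name"].lower()
        reasons = []
        if n in SYSTEM32_ONLY and not p["path"].lower().startswith(SYSTEM32 + "\\"):
            reasons.append("unexpected path")
        if n in EXPECTED_PARENT and p["parent"].lower() != EXPECTED_PARENT[n]:
            reasons.append("unexpected parent")
        if n in SINGLE_INSTANCE and counts[n] > 1:
            reasons.append("multiple instances")
        core = lookalike(n)
        if core:
            reasons.append("name resembles " + core)
        if reasons:
            findings[i] = reasons
    return findings
```

Calling find_suspicious(SAMPLE) flags records 1, 3, 4 and 5, each with every heuristic it tripped; note that the legitimate lsass.exe is also reported once a second instance exists, which is exactly what the single-instance rule is meant to surface.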