Filtering with Process Monitor

For anyone performing dynamic (live) analysis of malware, an essential tool to have at hand is Windows Sysinternals' Process Monitor. So why is this a must for malware analysis? The website describes the tool best:
“Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, registry, and process/thread activity.”
It monitors as much or as little activity as you want. It can be used as a very detailed timeline for malware execution, or set to display the activity associated with a targeted process. Plus, all of the output can be exported out to a file for later viewing, which makes life pretty simple.
With that being said, the output from Process Monitor can be a bit overwhelming (to say the least) if you don’t know how to use it. This is because hundreds of events can occur per second, and letting malware run for 10-15 minutes will produce hundreds of thousands of logged events. Thankfully, Process Monitor has a range of filters that can include or exclude data from the output.

Filters to Include:

  • WriteFile/CreateFile: These operations are recommended when doing malware analysis. They include events that write and create files, although I have a few comments about this (I will mention them in the IRP_MJ_CREATE portion)
  • Process Create/Process Start: These operations will include processes that are created and started during execution
  • RegCreateKey/RegDeleteKey: These operations will include registry keys that are created and/or deleted by a process
  • RegSetInfoKey: This operation (in association with RegCreateKey) is where the values for the registry keys are set (Autorun keys will be created, then the value can be found here to see what malicious process it points to)
  • TCPConnect/TCPReceive: These operations will include any TCP connections that malware may try to start while it’s running
  • Load Image: This operation will show what DLLs are loaded during malware execution

Filters to Exclude:

  • Procmon.exe/Procmon64.exe: These will exclude any events related to Process Monitor
  • Profiling: This is an automatic filter built into Process Monitor. Keeping this excluded takes out a lot of unnecessary noise in the logs.
  • Add filters to exclude any monitoring tools or AV running

Additional Filtering Tips:

  • Go to Tools > Process Tree to see the processes that stem from the execution. To filter on these, right-click the parent process and select “Add Process and Children to Include Filter”
  • Filter by Operation contains WriteFile
  • Filter by Path contains <malicious executable> to see where it gets saved
  • Filter by Path contains “\Run” to see any registry edits to the numerous AutoRun keys
With these filters, most of the unwanted noise is taken away, and events related to malware are pinpointed. The best part is that even though events are filtered, if/when you go to export, you have the option to export ALL events, not just the filtered ones. After analysis (once logging is turned off), filtering by process name or PID is helpful for narrowing down what a malicious executable does. There’s also the option of highlighting certain events/processes to help point them out.
All in all, Process Monitor is a powerfully overwhelming tool unless you know how to utilize it for all it’s worth. It takes a good amount of time, practice, and experience to narrow down exactly what you want to get out of the logs (it took me about 6 months), but using these filters is a good start for dynamically analyzing malware.
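The include/exclude filters and the "Process and Children" tip above can also be applied after the fact to a CSV export of the trace, which is handy when you exported ALL events and want to re-filter offline. The script below is an added example (not from the original post or from Sysinternals): it reads Procmon's default CSV columns, applies the page's include operations and the Procmon.exe/Profiling exclusions, walks Process Create events to collect a process and its children, and runs the "Path contains" filters. The sample CSV is constructed for the example and describes no real malware; operation names are compared with spaces removed so the post's spellings (TCPConnect) and Procmon's (TCP Connect) both match, and RegSetValue is included alongside the post's RegSetInfoKey because that is the operation Procmon logs when value data is written. MsMpEng.exe in the usage line stands in for whatever AV process is running in your sandbox.

```python
import csv
import io
import re

# Constructed sample of a Process Monitor CSV export (File > Save... > CSV).
# The header matches Procmon's default export columns; every row below is
# made up for this example and describes no real malware.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","explorer.exe","1234","Process Create","C:\Users\lab\sample.exe","SUCCESS","PID: 4321, Command line: C:\Users\lab\sample.exe"
"10:01:02.2","Procmon64.exe","999","WriteFile","C:\Tools\trace.pml","SUCCESS","Offset: 0, Length: 4,096"
"10:01:02.3","sample.exe","4321","Load Image","C:\Windows\System32\ws2_32.dll","SUCCESS","Image Base: 0x7ff8a0000000, Image Size: 0x60000"
"10:01:02.4","sample.exe","4321","Thread Profiling","","SUCCESS","User Time: 0.0000000, Kernel Time: 0.0000000"
"10:01:02.5","sample.exe","4321","CreateFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Desired Access: Generic Write"
"10:01:02.6","sample.exe","4321","WriteFile","C:\Users\lab\AppData\Roaming\updater.exe","SUCCESS","Offset: 0, Length: 20,480"
"10:01:02.7","sample.exe","4321","RegSetValue","HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Updater","SUCCESS","Type: REG_SZ, Length: 84, Data: C:\Users\lab\AppData\Roaming\updater.exe"
"10:01:02.8","sample.exe","4321","Process Create","C:\Windows\System32\cmd.exe","SUCCESS","PID: 5555, Command line: cmd.exe /c whoami"
"10:01:02.9","cmd.exe","5555","WriteFile","C:\Users\lab\AppData\Local\Temp\out.txt","SUCCESS","Offset: 0, Length: 32"
"10:01:03.0","sample.exe","4321","TCP Connect","lab-vm:49152 -> 203.0.113.5:443","SUCCESS","Length: 0, seqnum: 0, connid: 0"
"10:01:03.1","svchost.exe","800","RegQueryValue","HKLM\SYSTEM\Setup\SystemSetupInProgress","SUCCESS","Type: REG_DWORD, Length: 4, Data: 0"
"10:01:03.2","sample.exe","4321","RegQueryKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Run","SUCCESS","Query: Name"
'''

# "Filters to Include" from the post, with spaces stripped (see norm_op).
# RegSetValue is added because Procmon logs value data under that operation.
INCLUDE_OPS = {
    "WriteFile", "CreateFile", "ProcessCreate", "ProcessStart",
    "RegCreateKey", "RegDeleteKey", "RegSetInfoKey", "RegSetValue",
    "TCPConnect", "TCPReceive", "LoadImage",
}
# "Filters to Exclude": Process Monitor itself (Profiling is handled by name below).
EXCLUDE_PROCS = {"procmon.exe", "procmon64.exe"}


def norm_op(operation):
    """Compare operation names without spaces so 'TCP Connect' == 'TCPConnect'."""
    return operation.replace(" ", "")


def load_events(csv_text):
    """Parse a Procmon CSV export into a list of dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def load_events_from_file(path):
    """Procmon writes its CSV with a UTF-8 BOM; utf-8-sig strips it."""
    with open(path, encoding="utf-8-sig", newline="") as fh:
        return list(csv.DictReader(fh))


def apply_filters(events, extra_excluded_procs=()):
    """Drop Procmon/AV/tool processes and Profiling events, keep INCLUDE_OPS only."""
    excluded = EXCLUDE_PROCS | {p.lower() for p in extra_excluded_procs}
    kept = []
    for ev in events:
        if ev["Process Name"].lower() in excluded:
            continue
        if "Profiling" in ev["Operation"]:      # Process/Thread Profiling noise
            continue
        if norm_op(ev["Operation"]) not in INCLUDE_OPS:
            continue
        kept.append(ev)
    return kept


_PID_RE = re.compile(r"PID:\s*(\d+)")


def process_and_children(events, root_pid):
    """Offline version of 'Add Process and Children to Include Filter'.

    Child PIDs are taken from the Detail column of Process Create events,
    which Procmon attributes to the parent process.
    """
    children = {}
    for ev in events:
        if norm_op(ev["Operation"]) == "ProcessCreate":
            m = _PID_RE.search(ev["Detail"])
            if m:
                children.setdefault(ev["PID"], []).append(m.group(1))
    seen, todo = {root_pid}, [root_pid]
    while todo:
        pid = todo.pop()
        for child in children.get(pid, []):
            if child not in seen:
                seen.add(child)
                todo.append(child)
    return seen


def by_pids(events, pids):
    """'Filter by process name or PID' after logging is turned off."""
    return [ev for ev in events if ev["PID"] in pids]


def path_contains(events, needle):
    """'Filter by Path contains <needle>', case-insensitive like Procmon's filter."""
    n = needle.lower()
    return [ev for ev in events if n in ev["Path"].lower()]


def autorun_edits(events):
    """'Path contains \\Run' catches the Run and RunOnce autostart keys."""
    return path_contains(events, "\\Run")


if __name__ == "__main__":
    events = load_events(SAMPLE_CSV)
    # MsMpEng.exe (Defender) stands in for whatever AV/tooling is in the sandbox.
    kept = apply_filters(events, extra_excluded_procs=["MsMpEng.exe"])
    tree = process_and_children(kept, "4321")
    for ev in by_pids(kept, tree):
        print(f'{ev["Time of Day"]} {ev["Process Name"]:<12} {ev["PID"]:>5} '
              f'{ev["Operation"]:<15} {ev["Path"]}')
    print("AutoRun edits:", [ev["Path"] for ev in autorun_edits(kept)])
    print("Dropped copies:", [ev["Path"] for ev in path_contains(kept, "updater.exe")])
```

Run the script as-is to see the constructed trace reduced from 12 events to the 7 belonging to the sample and its child, with the Run-key write and the dropped executable's location pulled out separately; point load_events_from_file at a real export to do the same on your own trace. The include list is applied after the process exclusions, so an AV process that writes files is dropped even though WriteFile is an included operation, mirroring how Procmon evaluates exclude filters before include filters.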
