Author: clownshed
Subject: Win 7 virtual blank fields
Posted: 10 September 2013 at 2:32pm
Hi all,
Watched Mark's malware hunting presentation and have run procexp on a Win 7 virtual machine that concerns me.
There are a whole host of processes running which have no data within the Company Name or Description fields. Some of these are MS processes (winlogon, lsm, csrss, ssonsvr, smss); there are a few more as well from different vendors. I also note that the Path displays [error opening process]. NB I am a Domain Admin, but I have also right-clicked it and run as Admin to be sure.
The machine in question is a virtual running on Hyper-V, and it boots from a gold image then wipes out at the end of the night, ready to build again - the rationale for this being that if the machine is compromised it would wipe out the malware each time.
My question is, why am I getting no data on these processes? Is this because it's a virtual machine? That's the only thing I can think of, but it seems worrying to me that these processes are reported as being alive, but on closer inspection they don't seem to be running.
My main concern here is to make sure that if there is any malware in place, I can find it, but I can't find anything online about why I am seeing blank data for these processes. I really hope someone on the forum can help.
NB, this machine also gives the error for procmon where it just spawns hundreds of instances until the system runs out of memory. Can post more on that in the relevant forum if it helps!
Brilliant suite of tools btw. Used to use psexec back when I did penetration testing. Great to have an excuse to use these bad boys again ;-)
P
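A way to triage the blank-field processes described in the post from the command line, added here as an example and not taken from the post or from Sysinternals: list every process whose image Company or Description is empty (or whose image cannot be opened at all) and attempt an Authenticode check on the image. It uses only standard Windows PowerShell cmdlets and assumes it is run from an elevated 64-bit session, since a 32-bit or non-elevated tool cannot open 64-bit or SYSTEM processes and reports exactly the "[error opening process]" condition seen in Process Explorer.

```powershell
# Added example, not from the original post. Run from an elevated 64-bit
# PowerShell so that 64-bit and SYSTEM-owned processes can be opened.
$report = foreach ($p in Get-Process) {
    $path = $null; $openErr = $null
    try {
        # MainModule needs PROCESS_QUERY_INFORMATION/VM_READ on the target;
        # failure here is the same condition procexp shows as [error opening process]
        $path = $p.MainModule.FileName
    } catch {
        $openErr = $_.Exception.Message
    }
    $company = $null; $desc = $null
    if ($path) {
        $vi      = (Get-Item -LiteralPath $path).VersionInfo
        $company = $vi.CompanyName
        $desc    = $vi.FileDescription
    }
    # Only report images that could not be opened or that carry no vendor metadata
    if (-not $path -or [string]::IsNullOrWhiteSpace($company) -or [string]::IsNullOrWhiteSpace($desc)) {
        $sig = 'n/a'
        if ($path) {
            # Caveat: on older PowerShell builds catalog-signed Windows binaries can
            # report NotSigned here; sigcheck.exe or procexp's Verify Signatures
            # option handle catalog signatures correctly.
            $sig = (Get-AuthenticodeSignature -FilePath $path).Status
        }
        New-Object PSObject -Property @{
            PID       = $p.Id
            Name      = $p.ProcessName
            Path      = if ($path) { $path } else { "[error opening process: $openErr]" }
            Company   = $company
            Signature = $sig
        }
    }
}
$report | Sort-Object Name | Format-Table PID, Name, Company, Signature, Path -AutoSize
```

Running the same script un-elevated and then elevated makes the distinction visible: rows that change from an open error to a populated Company and a Valid signature were a privilege problem, not a missing or tampered image.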