Author: pvicenti
Subject: Procmon malware analysis
Posted: 15 January 2013 at 4:56pm
Hi,
Process Explorer shows a module in violet when it is encrypted or packed, but Procmon doesn't have this feature.
Unfortunately, there are no other filters in Process Monitor that can help you deal with it.
Something you can try is SpyStudio. You can use it to load a Procmon log (save the Procmon log in this way) and then load the log in SpyStudio.
With it you have a useful filter to analyze malware. You can Include or Exclude calls from a specific caller. If you start removing known callers you will see suspicious calls more clearly.
Best Regards,
Peter
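The "exclude known callers" approach described in the reply can also be applied directly to a Procmon CSV export. The script below is an added example, not code from the post or from SpyStudio; the log rows and the list of vetted process names are constructed, and the column names follow Procmon's default CSV header.

```python
import csv
import io
from collections import Counter

# Constructed sample of a Process Monitor CSV export (File > Save, CSV format).
# Column names match Procmon's default header; the rows are made up for illustration.
SAMPLE_PROCMON_CSV = """Time of Day,Process Name,PID,Operation,Path,Result,Detail
4:56:01.0000000 PM,explorer.exe,1234,RegQueryValue,HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,SUCCESS,Type: REG_SZ
4:56:01.0100000 PM,svchost.exe,800,ReadFile,C:\\Windows\\System32\\ntdll.dll,SUCCESS,"Offset: 0, Length: 4,096"
4:56:01.0200000 PM,update.exe,4444,CreateFile,C:\\Users\\Public\\svc.dll,SUCCESS,Desired Access: Generic Write
4:56:01.0300000 PM,update.exe,4444,RegSetValue,HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svc,SUCCESS,Type: REG_SZ
4:56:01.0400000 PM,update.exe,4444,TCP Connect,10.0.0.5:49152 -> 203.0.113.7:443,SUCCESS,Length: 0
4:56:01.0500000 PM,explorer.exe,1234,CloseFile,C:\\Windows\\explorer.exe,SUCCESS,
"""

# Callers the analyst has already vetted (assumed, constructed list). Removing them
# plays the role of SpyStudio's Exclude filter so the remaining calls stand out.
KNOWN_CALLERS = {"explorer.exe", "svchost.exe"}


def parse_procmon_csv(text):
    """Parse a Procmon CSV export into a list of row dicts keyed by column name."""
    return list(csv.DictReader(io.StringIO(text)))


def exclude_known_callers(rows, known):
    """Drop rows whose Process Name is in the vetted set (case-insensitive match)."""
    vetted = {name.lower() for name in known}
    return [r for r in rows if r["Process Name"].lower() not in vetted]


def summarize_by_caller(rows):
    """Count operations per remaining process so unexpected activity is easy to spot."""
    summary = {}
    for r in rows:
        summary.setdefault(r["Process Name"], Counter())[r["Operation"]] += 1
    return summary


if __name__ == "__main__":
    remaining = exclude_known_callers(parse_procmon_csv(SAMPLE_PROCMON_CSV), KNOWN_CALLERS)
    for proc, ops in summarize_by_caller(remaining).items():
        print(proc, dict(ops))
```

Extend KNOWN_CALLERS as you vet processes; what is left after each pass is the set of callers still worth examining in the full log.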