A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #22093  by EP_X0FF
 Fri Jan 31, 2014 5:39 am
Recently released new Process Explorer with sort of antimalware feature, however I don't know reasons for release such unfinished and weak feature. This is VirusTotal integration, so it now can check image hash via VT. It is implemented via file mapping and CryptoAPI calls, nothing interesting here.

if you plan use this against malware then

1) How many malware running in own processes you saw in last year? Two years? Five years?
2) It obviosly can't scan injected malware code because usually it is running inside VA of target process as allocated memory not as separate module
3) Even if you want to calculate hashes for files obviously you need raw disk access to bypass possible malware counteraction (at least against ring3 rootkits)
4) Even CryptoAPI can be compromised so why not calculate stupid SHA on your own? Seriously, computing SHA1 is about 150-200 lines of code.

Even if malware is using standalone EXE or DLL it is so trivial to fool PE.

Demo in attach. VirusTotal check "bypass", digital signatures check "bypass" included.

I can only suggest author put in order his code related to processes environment and fix ridiculous bugs usually unfixed for years.

+ some wonderful crashes

https://imagizer.imageshack.us/v2/800x4 ... 3/y6ga.png
https://imagizer.imageshack.us/v2/799x5 ... 1/91vr.png
Attachments
(998.54 KiB) Downloaded 64 times
 #22096  by 0xFFFF
 Fri Jan 31, 2014 10:49 am
Did you run Process Explorer with Administrative Privileges? I had the same problem at first, and it seemed to work fine running the program as a elevated process.
 #22098  by EP_X0FF
 Fri Jan 31, 2014 12:08 pm
If you mean crash then this screenshot is from Windows XP running admin. As for security features of PE this doesn't matter, it tricks well PE running with admin rights and without.