Know which EXE your computer is running with description

Stuff that doesn't fit in the other categories.

z3r0aCc3Ss
Fame ! Where are the chicks?!
Posts: 700
Joined: 23 Jun 2009, 16:00


Post by z3r0aCc3Ss »

Many times we don't know which EXEs our computer is running.
Also, many people use Ctrl+Alt+Del and terminate unknown EXEs they do not recognize, but some of them are essential for one purpose or another.
Terminating an essential EXE sometimes results in a severe condition. So, how do you identify which EXE is important and which is not?
Here is a useful site where you can find all the important information about your EXE file.

Code: Select all

http://www.what-is-exe.com/
Just search for which EXE your computer is running and find out more information about it.
It will help you get some information before you terminate them.
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP

z3r0aCc3Ss
Fame ! Where are the chicks?!
Posts: 700
Joined: 23 Jun 2009, 16:00

Post by z3r0aCc3Ss »

Ohh ya, and before I forget, it shows .exe as well as .dll and .ocx files.
Beta tester for major RATs, all kinds of stealers and keyloggers.
Learning NMAP

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Process Explorer will display properties for processes running in Windows; you can also 'search online' from the right-click menu.

Besides checking the .exe name, make sure the .exe is located in the proper directory - viruses can have the same name as legit files on your computer, as long as they are located in a different directory than the real one.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Yea, that's where the "Threads" and "Strings" features in Process Explorer help in looking for weird hooks.

Here is a memory 'dump' of my USB broadband modem; you can follow the scripting of the USB modem initializing and making the call - Note - the blocked-out PASSWORD, which was in plaintext!
TaskbarCreated
CUsageBrowser
clientId=sm08april&appId=vzam&password=XXXXX08Feb&serviceName=accountInfo&subServiceName=poundData
Accept: text/*
User-Agent: Smith Micro
Content-Type: application/x-www-form-urlencoded
https://mobile.vzw.com/services/vzam/poundData
..
Here you can see all the hooks it uses in its process; files and directories you can explore..

Updates\SMUpdate.exe
-U"%s" -P"%s"
&app=
?mid=
SHELL32.DLL
Microsoft Access
.EXE
\shell\Open\command
SOFTWARE\Clients\Mail\%s\shell\open\command
SOFTWARE\Clients\Mail
The stored MDN is different.(%s, %s)
VZWQAD_GetServicePlan
QuickAccessDial.dll
GetVZWServicePlan(%s, %s)
..
EnableAllUserConnection
RemoteDefaultGateway
BindMsNetClient
ShareMsFilePrint
SecondaryWINS
PrimaryWINS
SecondaryDNS
PrimaryDNS
CopyLanProxy
BypassProxyServer
ProxyServerAddress
AutoConfigScript
AutoDetectProxySettings
Research In Motion
ipdetect
FirstAccount
Number
APN
Password
Username
System\Accounts.ini
<local>
LAN
Connections\%s
exe
path
SOFTWARE\AirPrime
Connections
DApassword
DAusername
password
TRUE
{REALMIN}
Sierra Wireless AirCard 555 Modem
SearchList
SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DNSSuffixList
..
System\CONNECT.BMP
Software\Smith Micro
HideLinksInHelpMenu
System\Menu.ini
Run
URL
InternetGetConnectedState
InternetAutodial
WININET.DLL
MAPI32.DLL
MAPISendMail
Profiles\
\Application Data\Microsoft\Network\Connections\Pbk\rasphone.pbk
ALLUSERSPROFILE
rasapi32.dll
rasdlg.dll
RasGetEntryPropertiesA
rnasmm.dll
rnaui.dll
RasDialA
RasEnumConnectionsA
RasDialDlgA
RasGetCredentialsA
CSRas::RasGetEntry RasGetEntryProperties(%s) - returned: %
IpDnsFlags
NegotiateMultiLinkAlways
ms_server
UseRasCredentials
..
In the above you can look for unusual hooks, like to a strange directory or a misnamed file (purposely misspelled to look like the legit file). This program, already given full rights by the firewall to dial out, can have a side hook with an infected .dll:
rasapi32.dll
rasdlg.dll
rnasmm.dll
Any of those can easily be redirected to a 'rasmm.dll' recoded in this program, or just find the valid rnasmm.dll and replace it with an infected file.

By reading the strings you can visualize the processes, hooks and information leakage in an application.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
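
The kind of reading DNR describes above, as an added example that is not part of the original posts: a small strings(1)-style extractor run over a constructed byte blob, which buckets the strings the way an analyst reads a Process Explorer dump (DLLs, registry paths, URLs, format strings, plaintext credentials) and flags DLL names that are one character away from a known library name, like 'rasmm.dll' next to rnasmm.dll. The sample bytes, the URL and the credential value are constructed for the demo; the known-DLL list is only the handful of names seen in the dump.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample image: header bytes, then the sorts of strings seen in the
# modem dump, plus one look-alike DLL name (rasmm.dll) and a plaintext credential.
SAMPLE_IMAGE = (
    b"MZ\x90\x00\x03\x00\x00\x00\x04\x00PE\x00\x00"
    b"rasapi32.dll\x00rnasmm.dll\x00WININET.DLL\x00rasmm.dll\x00\x01\x02"
    b"SOFTWARE\\Clients\\Mail\\%s\\shell\\open\\command\x00"
    b"https://example.invalid/services/poundData\x00\xff\xfe"   # placeholder URL
    b"clientId=demo&password=Secret123&serviceName=accountInfo\x00"
    b"Updates\\SMUpdate.exe\x00-U\"%s\" -P\"%s\"\x00ab\x00"
)

# Names taken from the dump; a real analysis would use the system's own DLL inventory.
KNOWN_DLLS = {"rasapi32.dll", "rasdlg.dll", "rnasmm.dll", "rnaui.dll", "wininet.dll"}

def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Return every run of min_len+ printable ASCII bytes, in file order (like strings(1))."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]

def classify(strings: List[str]) -> Dict[str, List[str]]:
    """Bucket extracted strings into the categories an analyst scans for."""
    buckets: Dict[str, List[str]] = {k: [] for k in
        ("dlls", "exes", "registry", "urls", "credentials", "format")}
    for s in strings:
        low = s.lower()
        if low.endswith((".dll", ".ocx")):
            buckets["dlls"].append(s)
        elif low.endswith(".exe"):
            buckets["exes"].append(s)
        elif low.startswith(("software\\", "system\\", "hkey")):
            buckets["registry"].append(s)
        elif low.startswith(("http://", "https://")):
            buckets["urls"].append(s)
        elif re.search(r"(?i)(password|passwd|pwd)=[^&\s]+", s):
            buckets["credentials"].append(s)      # information leakage: secret in plaintext
        elif "%s" in s:
            buckets["format"].append(s)           # printf-style templates, e.g. -U"%s" -P"%s"
    return buckets

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot deliberately misspelled library names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def find_lookalikes(dlls: List[str], known: set) -> List[Tuple[str, str]]:
    """Return (suspect, legit) pairs where a DLL name is one edit away from a known one."""
    return [(d, k) for d in dlls if d.lower() not in known
            for k in sorted(known) if edit_distance(d.lower(), k) == 1]
```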
