Thursday, September 1, 2016

Using Process Hacker to view non-signed processes

Process Hacker is an open-source process utility for Windows that is similar to the Sysinternals application Process Explorer.  The utility can be found at:

http://processhacker.sourceforge.net/

To view the services “behind” a svchost.exe entry, hover the cursor over the entry and a small dialog box should appear.

process_hacker_1

The majority of the time, malware is not digitally signed.  To view non-signed processes, first add the two columns by right-clicking on an existing column under the Processes tab and selecting the “Choose columns” option.

process_hacker_2

Select “Verification status” and “Verified signer”, and add both to the active columns list.

process_hacker_3

To view only non-signed processes, use the menu option View –> Hide signed processes.

process_hacker_4

An error dialog box may appear:

process_hacker_5

Under Options –> Advanced, enable the selection for “Check images for digital signatures and packing”.  A restart of the application will probably be required.

process_hacker_6

A process entry can be submitted to VirusTotal by using the right-click –> Send to –> virustotal.com option.

process_hacker_7

No comments:

Post a Comment