Wednesday, October 7, 2009

Autoruns for Windows v9.55 Published: October 1, 2009

http://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

Introduction

This utility, which has the most comprehensive knowledge of auto-starting locations of any startup monitor, shows you what programs are configured to run during system bootup or login, and shows you the entries in the order Windows processes them. These programs include ones in your startup folder, Run, RunOnce, and other Registry keys. You can configure Autoruns to show other locations, including Explorer shell extensions, toolbars, browser helper objects, Winlogon notifications, auto-start services, and much more. Autoruns goes way beyond the MSConfig utility bundled with Windows Me and XP.

Autoruns' Hide Signed Microsoft Entries option helps you zoom in on the third-party auto-starting images that have been added to your system, and it can also show the auto-starting images configured for other user accounts on the system. The download package also includes Autorunsc, a command-line equivalent that can write its output as CSV.

You'll probably be surprised at how many executables are launched automatically!

[Screenshot: Autoruns main window]


Usage

See the November 2004 issue of Windows IT Pro Magazine for Mark's article covering advanced usage of Autoruns. If you have questions or problems, visit the Sysinternals Autoruns Forum.

Simply run Autoruns and it shows you the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration. Autostart locations displayed by Autoruns include logon entries, Explorer add-ons, Internet Explorer add-ons including Browser Helper Objects (BHOs), Appinit DLLs, image hijacks, boot execute images, Winlogon notification DLLs, Windows Services and Winsock Layered Service Providers. Switch tabs to view autostarts from different categories.

To view the properties of an executable configured to run automatically, select it and use the Properties menu item or toolbar button. If Process Explorer is running and there is an active process executing the selected executable then the Process Explorer menu item in the Entry menu will open the process properties dialog box for the process executing the selected image.

To navigate to the Registry or file system location where an auto-start item is configured, select the item and use the Jump menu item or toolbar button.

To disable an auto-start entry uncheck its check box. To delete an auto-start configuration entry use the Delete menu item or toolbar button.

Select entries in the User menu to view auto-starting images for different user accounts.

More information on display options and additional information is available in the on-line help.

Autorunsc Usage

Autorunsc is the command-line version of Autoruns. Its usage syntax is:

Usage: autorunsc [-a] | [-c] [-b] [-d] [-e] [-g] [-h] [-i] [-l] [-m] [-n] [-p] [-r] [-s] [-t] [-v] [-w] [-x] [user]

-a Show all entries.
-b Boot execute.
-c Print output as CSV.
-d Appinit DLLs.
-e Explorer addons.
-g Sidebar gadgets (Vista and higher).
-h Image hijacks.
-i Internet Explorer addons.
-l Logon startups (this is the default).
-m Hide signed Microsoft entries.
-n Winsock protocol and network providers.
-p Printer monitor drivers.
-r LSA providers.
-s Autostart services and non-disabled drivers.
-t Scheduled tasks.
-v Verify digital signatures.
-w Winlogon entries.
-x Print output as XML.
user Specifies the name of the user account for which autorun items will be shown.
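The CSV mode is what makes Autorunsc useful at scale. As an added example (this is not code from the Sysinternals page or the Autoruns package), the Python script below parses the output of `autorunsc -a -c -v`, reproduces the Hide Signed Microsoft Entries filter (-m) and then flags the two kinds of entries a responder wants first: entries whose publisher did not verify, including ones whose publisher string merely claims Microsoft, and entries whose image file no longer exists, which Autoruns reports as "File not found:" and which are a classic hijack target because whoever can write that path inherits the persistence. The column names, the "(Verified)" / "(Not verified)" publisher prefixes and the "File not found:" marker are assumed from Autorunsc output of this era (later versions add more columns, so fields are looked up by header name rather than position); the sample rows are constructed, not captured from a real host.

```python
import csv
import io

# Constructed sample of `autorunsc -a -c -v` output (not captured from a real host).
# Column layout assumed for the 2009-era Autorunsc; newer builds add more columns.
SAMPLE_CSV = """\
Entry Location,Entry,Enabled,Description,Publisher,Image Path
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,ctfmon.exe,enabled,CTF Loader,(Verified) Microsoft Windows,c:\\windows\\system32\\ctfmon.exe
HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Updater,enabled,,(Not verified) Example Corp,c:\\users\\public\\updater.exe
HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run,Helper,enabled,,,File not found: c:\\temp\\helper.exe
HKLM\\SYSTEM\\CurrentControlSet\\Services,Spooler,enabled,Print Spooler,(Verified) Microsoft Windows,c:\\windows\\system32\\spoolsv.exe
HKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Notify,crypt32chain,enabled,,(Not verified) Microsoft Corporation,c:\\windows\\system32\\crypt32.dll
"""


def parse_rows(csv_text):
    """Read Autorunsc CSV into dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def is_verified_microsoft(row):
    # Only a *verified* Microsoft signature counts; a bare "Microsoft" string proves nothing.
    return (row.get("Publisher") or "").startswith("(Verified) Microsoft")


def hide_signed_microsoft(rows):
    """Equivalent of the -m switch / Hide Signed Microsoft Entries option."""
    return [row for row in rows if not is_verified_microsoft(row)]


def triage(rows):
    """Return the entries worth a closer look, each with the reasons it was flagged."""
    findings = []
    for row in rows:
        publisher = row.get("Publisher") or ""
        image = row.get("Image Path") or ""
        reasons = []
        if image.startswith("File not found"):
            reasons.append("image missing: dangling entry, whoever can write that path gains persistence")
        if not publisher.startswith("(Verified)"):
            claim = " (claims Microsoft)" if "microsoft" in publisher.lower() else ""
            reasons.append("publisher not verified" + claim)
        if reasons:
            findings.append({"location": row["Entry Location"], "entry": row["Entry"],
                             "image": image, "reasons": reasons})
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_CSV
    for finding in triage(hide_signed_microsoft(parse_rows(text))):
        print(finding["entry"], "|", finding["image"], "|", "; ".join(finding["reasons"]))
```

Run it as `python triage_autoruns.py autoruns.csv` against a file produced by `autorunsc -a -c -v > autoruns.csv`; with no argument it runs over the constructed sample. Signature verification (-v) needs the signing chain to be checkable on the host, so on an isolated machine treat "(Not verified)" as "unknown" rather than "bad" and re-check the hashes elsewhere.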

Download Autoruns and Autorunsc (576 KB)

Run Autoruns now from Live.Sysinternals.com

Syser Kernel Debugger & Syser Win32 Debugger

Syser Kernel Debugger is a kernel debugger for the Windows NT family on the x86 platform. It has a full graphical interface and supports both assembly-level and source-level debugging.
SoftICE is gone. Syser will carry on.

1. Supports multi-CPU and Intel Hyper-Threaded processors
2. Supports Microsoft Windows 2000, Windows XP, Windows 2003 and Windows Vista
3. Supports VMware and Virtual PC
4. Source code debugging with syntax coloring
5. Color disassembly
6. SoftICE-compatible commands


[Screenshot: Syser Kernel Debugger (full-graphical SoftICE)]

[Screenshot: tracing a Windows driver with source code]

[Screenshot: Syser Kernel Debugger in VMware 5.5]

[Screenshot: Syser Kernel Debugger in Virtual PC 2007]

Process Explorer VS Process Hacker

Process Hacker Functions

1) Process dump
2) DLL inject / unload
3) Driver load / unload
4) PEiD scan (packer identification)
5) Full memory dump
6) Hidden process view
7) Memory view / editor



Process Hacker Download : http://processhacker.sourceforge.net/

Processes

Process Hacker can terminate, suspend, resume, restart and set the priority of processes. Processes are highlighted to provide additional information such as whether they are elevated or in a job. More interesting things you can do with processes include injecting DLLs and even replacing security tokens (XP only).

Threads

It can also terminate, suspend, resume and set the priority of threads. Symbolic start addresses are provided, and double-clicking a thread will show its call stack. Additionally, GUI threads (threads which have made at least one call to a GUI function) are highlighted.

Modules

It can display the modules loaded by each process and their properties. It can also find the address of any exported function in a module, change page protection of the module's memory region, and read the module's memory.

Token

It can display each process' primary token and its user, source, groups and privileges. It even allows you to enable and disable privileges.

Memory

It can display (using VirtualQueryEx()) the memory regions in a process' virtual memory space, and even read/write data using a built-in hex editor.

Handles

It can display the handles opened by processes and can close them.

Search

Process Hacker also supports saving memory search results and even intersecting (finding common items between) two sets of search results!






Friday, September 11, 2009

AntNumber

11
12
1121
122111
112213
12221131
1123123111
12213111213113
11221131132111311231
12221231123121133112213111

What is the next?
Hint: AntNumber

Thursday, September 10, 2009

Digital Signing

Step 1) No packing - plain MFC project (baseline)

Anti-Virus          Version         Date        Result
a-squared           4.5.0.24        2009.09.09  -
AhnLab-V3           5.0.0.2         2009.09.08  -
AntiVir             7.9.1.12        2009.09.08  -
Antiy-AVL           2.0.3.7         2009.09.09  -
Authentium          5.1.2.4         2009.09.08  -
Avast               4.8.1351.0      2009.09.08  -
AVG                 8.5.0.409       2009.09.09  -
BitDefender         7.2             2009.09.09  -
CAT-QuickHeal       10.00           2009.09.09  -
ClamAV              0.94.1          2009.09.09  -
Comodo              2204            2009.09.09  -
DrWeb               5.0.0.12182     2009.09.09  -
eSafe               7.0.17.0        2009.09.08  -
eTrust-Vet          31.6.6726       2009.09.08  -
F-Prot              4.5.1.85        2009.09.08  -
F-Secure            8.0.14470.0     2009.09.09  -
Fortinet            3.120.0.0       2009.09.09  -
GData               19              2009.09.09  -
Ikarus              T3.1.1.72.0     2009.09.09  -
Jiangmin            11.0.800        2009.09.08  -
K7AntiVirus         7.10.839        2009.09.08  -
Kaspersky           7.0.0.125       2009.09.09  -
McAfee              5735            2009.09.08  -
McAfee+Artemis      5735            2009.09.08  -
McAfee-GW-Edition   6.8.5           2009.09.08  -
Microsoft           1.5005          2009.09.08  -
NOD32               4408            2009.09.09  -
Norman              6.01.09         2009.09.08  -
nProtect            2009.1.8.0      2009.09.08  -
Panda               10.0.2.2        2009.09.08  -
PCTools             4.4.2.0         2009.09.07  -
Prevx               3.0             2009.09.09  -
Rising              21.46.20.00     2009.09.09  -
Sophos              4.45.0          2009.09.09  -
Sunbelt             3.2.1858.2      2009.09.09  -
Symantec            1.4.4.12        2009.09.09  -
TheHacker           6.3.4.3.398     2009.09.09  -
TrendMicro          8.950.0.1094    2009.09.08  -
VBA32               3.12.10.10      2009.09.08  -
ViRobot             2009.9.9.1924   2009.09.09  -
VirusBuster         4.6.5.0         2009.09.08  -

Step 2) Packed with Themida



Anti-Virus          Version         Date        Result
a-squared           4.5.0.24        2009.09.09  -
AhnLab-V3           5.0.0.2         2009.09.08  -
AntiVir             7.9.1.12        2009.09.08  TR/Crypt.TPM.Gen
Antiy-AVL           2.0.3.7         2009.09.09  -
Authentium          5.1.2.4         2009.09.08  W32/Heuristic-210!Eldorado
Avast               4.8.1351.0      2009.09.08  -
AVG                 8.5.0.409       2009.09.09  -
BitDefender         7.2             2009.09.09  -
CAT-QuickHeal       10.00           2009.09.09  (Suspicious) - DNAScan
ClamAV              0.94.1          2009.09.09  -
Comodo              2203            2009.09.09  Heur.Pck.Themida
DrWeb               5.0.0.12182     2009.09.09  -
eSafe               7.0.17.0        2009.09.08  -
eTrust-Vet          31.6.6726       2009.09.08  -
F-Prot              4.5.1.85        2009.09.08  W32/Heuristic-210!Eldorado
F-Secure            8.0.14470.0     2009.09.09  Suspicious:W32/Malware!Gemini
Fortinet            3.120.0.0       2009.09.09  -
GData               19              2009.09.09  -
Ikarus              T3.1.1.72.0     2009.09.09  -
Jiangmin            11.0.800        2009.09.08  -
K7AntiVirus         7.10.839        2009.09.08  -
Kaspersky           7.0.0.125       2009.09.09  -
McAfee              5735            2009.09.08  -
McAfee+Artemis      5735            2009.09.08  Suspect-29!85A01CC38DEF
McAfee-GW-Edition   6.8.5           2009.09.08  Heuristic.LooksLike.Win32.Suspicious.J
Microsoft           1.5005          2009.09.08  -
NOD32               4408            2009.09.09  -
Norman              6.01.09         2009.09.08  -
nProtect            2009.1.8.0      2009.09.08  -
Panda               10.0.2.2        2009.09.08  -
PCTools             4.4.2.0         2009.09.07  Packed/Themida.RGa
Prevx               3.0             2009.09.09  Medium Risk Malware
Rising              21.46.20.00     2009.09.09  -
Sophos              4.45.0          2009.09.09  Sus/ComPack-C
Sunbelt             3.2.1858.2      2009.09.09  -
Symantec            1.4.4.12        2009.09.09  -
TheHacker           6.3.4.3.398     2009.09.09  W32/Behav-Heuristic-064
TrendMicro          8.950.0.1094    2009.09.09  -
VBA32               3.12.10.10      2009.09.08  -
ViRobot             2009.9.9.1924   2009.09.09  -
VirusBuster         4.6.5.0         2009.09.08  -

Step 3) Packed with Themida, then digitally signed



Anti-Virus          Version         Date        Result
a-squared           4.5.0.24        2009.09.09  -
AhnLab-V3           5.0.0.2         2009.09.08  -
AntiVir             7.9.1.12        2009.09.08  -
Antiy-AVL           2.0.3.7         2009.09.09  -
Authentium          5.1.2.4         2009.09.08  W32/Heuristic-210!Eldorado
Avast               4.8.1351.0      2009.09.08  -
AVG                 8.5.0.409       2009.09.09  -
BitDefender         7.2             2009.09.09  -
CAT-QuickHeal       10.00           2009.09.09  (Suspicious) - DNAScan
ClamAV              0.94.1          2009.09.09  -
Comodo              2203            2009.09.09  Heur.Pck.Themida
DrWeb               5.0.0.12182     2009.09.09  -
eSafe               7.0.17.0        2009.09.08  -
eTrust-Vet          31.6.6726       2009.09.08  -
F-Prot              4.5.1.85        2009.09.08  W32/Heuristic-210!Eldorado
F-Secure            8.0.14470.0     2009.09.09  Suspicious:W32/Malware!Gemini
Fortinet            3.120.0.0       2009.09.09  -
GData               19              2009.09.09  -
Ikarus              T3.1.1.72.0     2009.09.09  -
Jiangmin            11.0.800        2009.09.08  -
K7AntiVirus         7.10.839        2009.09.08  -
Kaspersky           7.0.0.125       2009.09.09  -
McAfee              5735            2009.09.08  -
McAfee+Artemis      5735            2009.09.08  -
McAfee-GW-Edition   6.8.5           2009.09.08  -
Microsoft           1.5005          2009.09.08  -
NOD32               4408            2009.09.09  -
Norman              6.01.09         2009.09.08  -
nProtect            2009.1.8.0      2009.09.08  -
Panda               10.0.2.2        2009.09.08  -
PCTools             4.4.2.0         2009.09.07  Packed/Themida.RGa
Prevx               3.0             2009.09.09  Medium Risk Malware
Rising              21.46.20.00     2009.09.09  -
Sophos              4.45.0          2009.09.09  -
Sunbelt             3.2.1858.2      2009.09.09  -
Symantec            1.4.4.12        2009.09.09  -
TheHacker           6.3.4.3.398     2009.09.09  W32/Behav-Heuristic-064
TrendMicro          8.950.0.1094    2009.09.09  -
VBA32               3.12.10.10      2009.09.08  -
ViRobot             2009.9.9.1924   2009.09.09  -
VirusBuster         4.6.5.0         2009.09.08  -

Summary of the three runs over the same 41 engines: the unpacked build is flagged by none, the Themida-packed build by 12, and the packed and signed build by 8. The four verdicts that disappear (AntiVir, McAfee+Artemis, McAfee-GW-Edition, Sophos) are all generic heuristics; the engines that key on the packer itself (Comodo, PCTools) and the behavioural heuristics keep firing regardless of the signature.
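The tables show two separate signals at work: packer detection, which reacts to high-entropy sections, and heuristics that some engines suppress when an Authenticode signature is present. The Python script below is an added example, not code from this post, that pulls both signals out of a PE file: it reads the IMAGE_DIRECTORY_ENTRY_SECURITY data directory to see whether a WIN_CERTIFICATE of type PKCS#7 SignedData is attached, and computes the Shannon entropy of each section's raw data to spot packed or encrypted code. To keep it self-contained it also assembles three minimal constructed PE32 images mirroring the post's steps (plain, packed, packed and signed); the "packed" section name, the placeholder signature bytes and the 7.0 bits-per-byte threshold are assumptions for the demonstration, and the images only exercise header parsing, they are not runnable programs.

```python
import hashlib
import math
import struct

IMAGE_DIRECTORY_ENTRY_SECURITY = 4        # data directory slot holding the Authenticode blob
WIN_CERT_TYPE_PKCS_SIGNED_DATA = 0x0002   # wCertificateType for a PKCS#7 SignedData signature
PACKED_ENTROPY_THRESHOLD = 7.0            # bits per byte; compressed or encrypted data sits near 8


def shannon_entropy(buf):
    """Bits of entropy per byte, 0.0 for uniform data up to 8.0 for random data."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for b in buf:
        counts[b] += 1
    n = len(buf)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe(data):
    """Return (security directory file offset, its size, [(section name, raw bytes)])."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ header")
    e_lfanew, = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections, = struct.unpack_from("<H", data, coff + 2)
    opt_size, = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20
    magic, = struct.unpack_from("<H", data, opt)
    dirs = opt + (96 if magic == 0x10B else 112)      # PE32 vs PE32+ optional header layout
    # Unlike the other directories, the security entry holds a raw file offset, not an RVA.
    cert_off, cert_size = struct.unpack_from("<II", data, dirs + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    for i in range(num_sections):
        hdr = opt + opt_size + 40 * i
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, hdr)
        sections.append((name.rstrip(b"\0").decode("ascii", "replace"), data[raw_ptr:raw_ptr + raw_size]))
    return cert_off, cert_size, sections


def triage(data):
    """Signature presence plus per-section entropy; presence is not validity (see note below)."""
    cert_off, cert_size, sections = parse_pe(data)
    cert_type = None
    if cert_off and cert_size >= 8 and cert_off + 8 <= len(data):
        _length, _revision, cert_type = struct.unpack_from("<IHH", data, cert_off)   # WIN_CERTIFICATE header
    entropy = {name: round(shannon_entropy(raw), 2) for name, raw in sections}
    return {
        "has_authenticode": cert_type == WIN_CERT_TYPE_PKCS_SIGNED_DATA,
        "section_entropy": entropy,
        "packed_sections": [name for name, e in entropy.items() if e > PACKED_ENTROPY_THRESHOLD],
    }


def build_pe(sections, signature=b""):
    """Assemble a minimal PE32 file for header parsing (constructed test input, not a real program)."""
    align = 0x200
    hdr_len = -(-(0x40 + 4 + 20 + 224 + 40 * len(sections)) // align) * align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                         # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 224, 0x102)
    opt = bytearray(224)
    struct.pack_into("<H", opt, 0, 0x10B)                           # PE32 magic
    headers, body = bytearray(), bytearray()
    for name, raw in sections:
        raw_size = -(-len(raw) // align) * align
        headers += struct.pack("<8sIIIIIIHHI", name.encode().ljust(8, b"\0"), len(raw), 0x1000,
                               raw_size, hdr_len + len(body), 0, 0, 0, 0, 0x60000020)
        body += raw.ljust(raw_size, b"\0")
    if signature:   # append a WIN_CERTIFICATE and point the security directory at it
        cert = struct.pack("<IHH", 8 + len(signature), 0x0200, WIN_CERT_TYPE_PKCS_SIGNED_DATA) + signature
        struct.pack_into("<II", opt, 96 + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, hdr_len + len(body), len(cert))
        body += cert
    return bytes((dos + b"PE\0\0" + coff + opt + headers).ljust(hdr_len, b"\0") + body)


def sample_images():
    """Three constructed images mirroring the post's steps: plain, packed, packed and signed."""
    plain_text = b"\x90" * 0x200 + b"\xC3" * 0x200                 # NOP sled + RET: low entropy
    high_entropy = b"".join(hashlib.sha256(b"demo-%d" % i).digest() for i in range(128))  # 4 KiB
    fake_sig = b"\x30\x82" + b"\x00" * 30                           # placeholder, not a real PKCS#7 blob
    packed = [(".text", b"\x90" * 0x200), (".packed", high_entropy)]
    return (build_pe([(".text", plain_text)]), build_pe(packed), build_pe(packed, signature=fake_sig))


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            print(triage(f.read()))
    else:
        for label, image in zip(("plain", "packed", "packed+signed"), sample_images()):
            print(label, triage(image))
```

Run `python pe_triage.py some.exe` to check a real binary, or with no argument to see the three constructed cases. The script reports that a signature blob is attached, nothing more: it does not hash the image, walk the PKCS#7 structure or check the chain, so a binary with a self-signed or revoked certificate looks the same as a properly signed one. Use `signtool verify /pa /v` or Sysinternals sigcheck for the actual verification, and treat "signed and packed" as a combination that deserves the same scrutiny as "packed".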


http://window31.com/318