Introduction to Process Hacker

00:01

Hello. My name is Dustin and welcome to virtual ization and operating systems.

00:07

Installing process Hacker

00:09

process Hacker is really easy to install. All you need to do is go to process hacker dot source for dot io slash downloads

00:18

down with the installer and then run it.

00:21

We'll walk you through that in just a second, but I did want to mention that you can also run the process hacker tool from a USB device, which is extremely helpful when you need to investigate someone else's computer.

00:33

Um, let's go ahead and hop in here. The first thing I did was actually download a Windows VM, and you can get those

00:43

from Microsoft as, like a developer tool. And if you go to developer dot Microsoft dot com slash

00:51

e n dash us slash Microsoft dash edge slash tools slash of'em you'll get to this machine. You can also just search for Microsoft edge developer tools and that'll take you here. But here you can actually pick a bunch different versions everything from Windows seven,

01:10

8.1 and 10.

01:11

So I went ahead and I downloaded 10 and I did it for a virtual box. If you don't remember, you can go ahead and view the previous section where we actually talked about installing it operating system onto virtual box.

01:23

Pretty easy. Pretty straightforward, though. So once you get that done,

01:29

you can actually let's pop into my Veum.

01:33

And here you go. So you can see this is just a window. 71 I have, um and then we'll go ahead and download the process. Hacker tool. And again, that is from process hacker dot source forged dot io.

01:45

Once you get here, it will tell you a little bit about the program which we have talked about. But you can go ahead and click the download button right here,

01:53

and we're gonna go ahead and get the installer file. That is for any of your regular Windows operating systems. The binaries is for the if you would like to run it from a U. S. B. So just click installer it'll download. And I've already got that here,

02:08

right here, you can see is the process hacker set up so really easy. Like I said, just double click it.

02:15

You do have to accept the agreement just like any software. Next, Leave it the same. Put it into the program files. Next, um, I like to double check, make sure all the plug ins are set up, and with the full installation they are. So go ahead and click. Next.

02:30

Um, if you'd like to rename it in the start menu, you can do that. I just leave it at its default. Next again,

02:37

we will create a desktop shortcut for the current user only. If you do want to create a shortcut for all users, you would mean to run. This is Administrator. You can also have it start up on system startup and minimized in the system tray. You can if you like,

02:53

set the process. Hackers, that default task manager. So you wouldn't have the regular Windows task manager.

03:00

Um, And you can't allow unrestricted access, which, as you can see, is not recommended. So we'll go and just leave it with the desktop shortcut. I don't want to start right away, but we'll click next.

03:09

And there you go. Pretty simple. It's already done. So I'd like to leave that check launch process hacker to, and we will hit, finish and pops right up. So this is quite a bit different. Like I said than the regular Windows tools.

03:24

If we open up just the regular task manager here, we can kind of compare them. So they're both on processes now. The nice thing I really, really liked about the process actor tool is it allows you to filter through the service's and processes that are running a lot simpler than the built in Windows one.

03:42

And you can actually see how things air launched. A CZ well,

03:46

right, the Windows one on here on the left. It's just a bunch of different names. You don't know what launched what and here you can actually see in the process hacker tool that it is kind of a tree of everything. So that's how the things got launched

03:59

in a couple of things we did want to talk about was actually detecting an identifying malware.

04:06

And with the process actor tool, it is pretty easy. There's a few things you want to look for,

04:15

and, um, let's take a look here.

04:17

We're gonna make this a little bit bigger. Sea is conceited.

04:23

You make the description bigger.

04:25

All right. So most malware that you'll run into uses packed, executed ALS and packed, executed ALS are compressed and usually encrypted, executed a LS that get decompressed and decrypted and then reconstructed and memory and mount. Where does this to try and hide from, like your regular

04:44

system tools to see

04:45

what's running

04:46

most malware is not digitally signed, as this usually requires extra work.

04:53

This used to be a pretty common fact. I have run into a lot more forms of mount where now that do have legitimate digital signatures, whether those were stolen where they have their own digital signing server. I'm not sure just to kind of depends on the malware, but you can

05:09

in the process hacker to tool. You can actually look for processes that have a verified signer

05:14

and a verification status to determine which processes are signs. If you see on your regular Windows sign processes, you know it's probably not malware.

05:24

And another thing that's really nice about the process Hacker tool is most Mel. Well, you run into will not quit without a fight. If you

05:32

try and kill it with just the regular task manager, it'll restart. And with that process hacker tool, you can actually

05:41

kill it, using what they call the Terminator and What that does is it tries a bunch of different ways to kill the process so it doesn't re launch. So let's go ahead and take a look here in the process hacker tool to see what we can do to help identify and remove malware.

06:00

Okay, remember I mentioned most. Mauer is not digitally signed, as this requires actual work, so this is a good place to start when you're looking for malware ending process. Hacker tool. You can go ahead and go to um oops, sorry with my VM. Let's go to view,

06:19

and we can actually hide all of the signed processes.

06:25

Now remember, this doesn't guarantee that your mouth if you do have Mauer that it's not sign. It's just most Mauer's not typically signed. But if you click that, that will hide all of the sign processes and just show the unsigned processes.

06:39

So let's go ahead and show all processes again. Another thing that Mauer likes to do is it likes to run hidden. So if you wantto search for hidden processes, if you go to tools, you can just click the hidden processes

06:55

and the normal need to hit scan. It'll scan for the running processes. And it does this based on the process I d

07:01

and you can see we've got two processes that are hidden and they actually show unknowns. You click the Terminate one which this could be assistant process. I don't actually want to add the

07:14

I'm sorry, terminated. But that's where you can see any hidden files.

07:19

So we will go ahead and close that

07:23

and back in our slide show now that you're a little more familiar with the process Hacker tool.

07:33

All right, so we have downloaded and ran that installer, and we've set it up to look for just a couple of different types of mount where so again,

07:43

malware

07:44

that you may run into uses packed execute a bles and those of the compressed and encrypted ones that try and run in memory

07:50

with your normal task manager, you can't search for that with a process hacker, you can. Another thing you can do in process hacker

07:58

is actually search for processes or service. Is that air not signed?

08:03

You can then verify any signed ones

08:05

to determine if those are legitimate.

08:09

And if malware is running in your sous eminent, it's not quitting