Many security professionals need to perform analysis when malware, Trojans or strange behavior is reported on a system. Let's take a look at the Sysinternals autoruns.exe for performing this analysis. The goal of this blog posting is to demonstrate the benefits of the application. Today, I'll install Sysinternals onto my system in order to properly execute my startup analysis.
1. Download Sysinternals from the Microsoft TechNet site at http://technet.microsoft.com/en-us/sysinternals/bb842062.aspx
2. I wanted to be able to execute any tool in the Sysinternals suite right from my command line from anywhere on the system. So I extracted the entire suite to C:\Windows\Sysinternals and then updated my system path: right-click My Computer, open the environment settings, and add that directory to the "Path" variable.
3. Once the whole Sysinternals suite of tools is installed, the next thing an examiner needs to do is work through a process of looking over the system. Below, I'll outline the steps someone might take to perform such an analysis.
System Startup Analysis Process
Determine what is set to run at startup – *WARNING – Modifying any entries may make your system unstable – use at your own risk.
1. In Sysinternals, a tool called autoruns.exe allows us to examine what is starting up on the system. Once executed, the tool examines the system and shows us the startup locations across many different Windows areas, as shown in Figure 1A:
- Logon Startups
- Explorer Hooks (Enhancements such as right click functions, filters etc.)
- Internet Explorer Helper objects, search hooks and Extensions
- Scheduled Tasks
- Boot Execute
- Image Hijacks
- Application Initialization
- Known DLLs
- Winlogon
- Winsock Providers
- Print monitors
- LSA Providers
- Network Providers
- Sidebar Gadgets
2. In order to review the system, we'd need to go through each tab to ensure that everything set to run or launch in these different areas appears to be legitimate. You'll also want to unhide the Windows entries by going to "Options" and deselecting the option that hides them. One feature of the Sysinternals tool that I enjoyed is the capability to see which referenced files no longer exist. Files that don't exist will probably just slow launch times and create lags when the system attempts to execute them, and in many cases they can be safely removed. I also find that navigating through each tab is a little cumbersome, so I really liked the "Everything" tab, which shows all the different areas in one single long list, as shown in Figure 1B.
3. When first launched, the Autoruns executable only shows us items that are loaded in the current user's context. We'll need to rotate through each of the system's users to ensure we cover everything loaded in each user's context. This is done from the top menu item "User": select each user the system has, then review them using the "Everything" tab or drill into areas of interest.
4. If further investigation into the registry is needed, simply double-click an entry and the software will take you directly to the registry key where startup of that particular entry is defined, as shown in Figure 1C.
5. If you feel that one of the displayed entries is not right or you need additional information, you can also click the entry, go to the "Entry" menu and click "Search Online", or simply press Ctrl+M as a shortcut; it will launch a search in your default browser's search engine.
6. Another great feature of the Autoruns tool is the "Verify Code Signatures" option, which helps pinpoint potentially suspicious software by verifying each image's Microsoft code signature. Once you've enabled the feature, the next time you select a user the "(Verified)" marker will appear next to each signed application in the Publisher column.
7. After looking through the tool, we should take a look at anything that is "not found" or "Unverified" and either assess its applicability to the system or remove it if unneeded. Again, I want to warn you that if you remove anything essential to the system, the system may malfunction or be unable to boot properly, so be cautious.
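Steps 6 and 7 above can be scripted once the Autoruns data is exported, which is handy when reviewing many users or machines. The PowerShell below is an added example and is not code from the original post or from Sysinternals. It assumes the console version, autorunsc.exe, was run with `-a * -c -s` to produce a CSV with signature verification, and that the export carries the columns "Entry Location", "Entry", "Profile", "Signer" and "Image Path" (the column names and the UTF-16 output encoding are assumptions; adjust them to match your export).

```powershell
# Added example (not from the original post): flag the "not found" and "unverified"
# autostart entries that steps 6 and 7 tell us to look at first.
# Assumed export command:  autorunsc.exe -a * -c -s -nobanner > autoruns.csv

function Get-SuspiciousAutoruns {
    param(
        [Parameter(Mandatory)] [object[]] $Entries   # rows from Import-Csv / ConvertFrom-Csv
    )
    foreach ($e in $Entries) {
        $reasons = @()
        # Step 7: the image the entry points at no longer exists on disk.
        if ($e.'Image Path' -like 'File not found*') { $reasons += 'not found' }
        # Step 6: the image did not pass code-signature verification.
        if ($e.Signer -notlike '(Verified)*')        { $reasons += 'unverified' }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Profile  = $e.Profile
                Location = $e.'Entry Location'
                Entry    = $e.Entry
                Image    = $e.'Image Path'
                Signer   = $e.Signer
                Reason   = ($reasons -join ', ')
            }
        }
    }
}

# Constructed sample rows standing in for a real export (names and paths are made up).
$sample = @'
"Entry Location","Entry","Enabled","Category","Profile","Description","Signer","Company","Image Path","Version","Launch String"
"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","SecurityHealth","enabled","Logon","System-wide","Windows Security notification icon","(Verified) Microsoft Windows","Microsoft Corporation","c:\windows\system32\securityhealthsystray.exe","10.0.19041.1","%windir%\system32\SecurityHealthSystray.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","OldUpdater","enabled","Logon","EXAMPLE\alice","","","","File not found: C:\Program Files\OldApp\updater.exe","","C:\Program Files\OldApp\updater.exe"
"HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run","helper","enabled","Logon","EXAMPLE\alice","helper","(Not verified) Unknown Publisher","","c:\users\alice\appdata\roaming\helper\helper.exe","1.0","C:\Users\alice\AppData\Roaming\helper\helper.exe"
'@

$rows = $sample | ConvertFrom-Csv
Get-SuspiciousAutoruns -Entries $rows | Format-Table -AutoSize

# Against a real export (assumes autorunsc wrote UTF-16 when redirected to a file):
# Get-SuspiciousAutoruns -Entries (Import-Csv -Path .\autoruns.csv -Encoding Unicode)
```

On the constructed sample, the Microsoft-signed entry is left alone, "OldUpdater" is reported as both not found and unverified, and "helper" is reported as unverified, which is exactly the short list step 7 asks you to assess or remove.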
In my next blog entry, we’ll look at Process Hacker for doing a similar analysis.