ATTENTION: You are viewing a page formatted for mobile devices; to view the full web page, click HERE.

Special User Sections > N.A.N.Y. 2010

NANY 2010 Teaser: Crush MCP (Master Control Program)

<< < (2/11) > >>

Crush:
I see that there are a lot of very interesting informations in the system like the Filenames, Processcreationtime, Usertime, IO-Informations how many read/writes, how much datas have been transferred, memoryusage and much more. This could give useful hints if a task could be an intruding sniffer or similar - perhaps you could optimize your system with knowledge about the shutdown-priorities or IO-usage. I´ll try to track as many informations I can get from the processes.

Perry Mowbray:
Hey Crush: yes this is a neat idea (not that the other one wasn't). I like the idea that I can look back and see when things happened so that I can fix up problems.

Maybe even mash in some of the filesystem data about the actual files? Changes in versions? How would you capture automatic updates, where the programme downloads and runs and updates files?

f0dder:
Hey Crush, I don't mean to discourage you, but as mouser already mentioned you'll need a low-level (driver) hook in order to prevent NastyCodeTM from running - simply scanning with toolhelp/psapi every X milliseconds leaves too much of a gap for malware to run (and making the wait-time too slow will end up chewing too many CPU cycles). Also, if the malware injects itself into a running process, starts through a buffer overflow in flash/acrobatreader/whatever or loads as a service through svchost, you'll have a hard time catching it this way.

So instead of trying to keep a system clean by doing usermode app whitelisting, it's probably better to focus on the logging part - less chance of killing benign processes that way, too :)

Crush:
The main idea was only to stop all processes that start while surfing or working with a single application after a defined moment. At first I only wanted to create a popup-blocker by new windows.

But you´re right, it´s too time consuming when I track all datas I want to check. The MCP shall not be an Antivirus or Spywarekiller. It´s intended to be a help finding suspicious processes starting without your knowledge in the background, remove perhaps some annoying tasks at low-level and get a deeper view in the behaviour of programs and tasks. It can help you to find malware by its behaviour - even if your Antivirus/Spywaredetectors are not knowing them. You´ll never be able to find dll injections or manipulated executables without reference hashes to clean original files (this could be a new idea  :-\).
If you´re really running malware while working it perhaps can stop these programs fast enough to prevent or stop making damage somehow or at least helps you to lead your attention to the process if the file accession of some processes are getting extremely exhaustive.

I needed several hours only to create the main process class containing all interesting informations and I don´t know how much time the rest will need. So if there´s not enough time a black/whitelist or other features will be included later. The time to new year is too short to code a complex program.

Perry Mowbray:
The time to new year is too short to code a complex program.
-Crush (December 21, 2009, 05:44 AM)
--- End quote ---

You're good Crush: just get the first bit done and the rest can happen later  :)

Navigation

[0] Message Index

[#] Next page

[*] Previous page

Go to full version