Process Monitoring Tools for Windows

  Process Monitoring Tools is a Python 3 program that makes process analysis easier by putting the usual Windows process tools one click away. This supports malware analysis work, and its own watchers reveal processes that are started or terminated in the background.

  Once started, the program keeps running in the background; the tools are then reached through its system tray icon.


Process Monitoring Tools
1) Process Creation : Watches for newly created processes on the system (this repository's own tool).
2) Process Deletion : Watches for processes that terminate on the system (this repository's own tool).
3) Process Monitor : Microsoft Sysinternals' advanced monitoring tool that shows real-time file system, Registry and process/thread activity on Windows. [For detailed information https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ]
4) Process Explorer : Microsoft Sysinternals' process viewer that shows which handles and DLLs each process has opened or loaded. [For detailed information https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer ]
5) RAMMap : Microsoft Sysinternals' advanced physical memory usage analysis tool for Windows Vista and later. [For detailed information https://docs.microsoft.com/en-us/sysinternals/downloads/rammap ]
6) WinObj : Microsoft Sysinternals' tool that uses the native Windows NT API (exported by NTDLL.DLL) to browse and display the NT Object Manager's namespace. [For detailed information https://docs.microsoft.com/en-us/sysinternals/downloads/winobj ]
7) Autoruns : Microsoft Sysinternals' startup monitor with the most comprehensive coverage of auto-start locations; it shows which programs are configured to run at boot or logon, and when built-in Windows applications such as Internet Explorer, Explorer and media players start. [For detailed information https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ]


Process Creation

  Watches for newly created processes on the system. The console output is colour-coded, one colour per field (date, name, owner, PID, priority, session ID, command line; see Settings), to make it easier to read.


Process Deletion

  Watches for processes that terminate on the system. The console output is colour-coded in the same way as for Process Creation. Both watchers run with the rights of the user who started them, so fields such as the owner or command line of processes belonging to other users or to SYSTEM may come back empty unless the watcher itself is run elevated.
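As an added example covering both the Process Creation and Process Deletion watchers (this is not the project's own process_creation.py or process_deletion.py, whose code the README does not show), the following script uses the wmi package's watch_for on Win32_Process, prints the same fields in the same colours, and adds two illustrative triage rules an analyst might want while watching a malware sample. Everything beyond the wmi calls and the colour assignment is this example's own assumption: the function names, the SCRIPT_HOSTS, DOCUMENT_PARENTS and USER_WRITABLE rules, and the assumed (Domain, ReturnValue, User) order of the GetOwner out-parameters.

```python
"""Process creation/deletion watcher on WMI (added example, not the project's code)."""
import datetime
import re
import sys

try:
    from colorama import Fore, Style, init as colorama_init
except ImportError:  # colorama absent: raw ANSI escapes give the same colours
    class Fore:
        RED, GREEN, CYAN, YELLOW, WHITE = "\x1b[31m", "\x1b[32m", "\x1b[36m", "\x1b[33m", "\x1b[37m"

    class Style:
        RESET_ALL = "\x1b[0m"

    def colorama_init():
        pass

# Same colour per field as the project's ProcessWatcher classes.
COLOR_DATE, COLOR_NAME, COLOR_OWNER = Fore.RED, Fore.GREEN, Fore.CYAN
COLOR_ID = COLOR_PRIORITY = COLOR_SESSIONID = Fore.YELLOW
COLOR_COMMANDLINE = Fore.WHITE

# Illustrative triage rules (this example's assumption, not the project's):
# binaries started from user-writable folders, script hosts spawned by
# document handlers, and encoded/hidden/download command lines.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|ProgramData|Public)\\", re.IGNORECASE)
ENCODED_OR_HIDDEN = re.compile(r"-enc|-e\b|hidden|downloadstring|\biex\b", re.IGNORECASE)
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
                "mshta.exe", "rundll32.exe", "regsvr32.exe"}
DOCUMENT_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe",
                    "acrord32.exe", "msedge.exe", "chrome.exe"}


def flags(record, parent_name=None):
    """Return the triage flags raised by one process record (a dict of Win32_Process fields)."""
    found = []
    exe = record.get("ExecutablePath") or ""
    name = (record.get("Name") or "").lower()
    cmd = record.get("CommandLine") or ""
    if USER_WRITABLE.search(exe):
        found.append("exe in user-writable directory")
    if name in SCRIPT_HOSTS and parent_name and parent_name.lower() in DOCUMENT_PARENTS:
        found.append(f"{name} spawned by {parent_name.lower()}")
    if name in SCRIPT_HOSTS and ENCODED_OR_HIDDEN.search(cmd):
        found.append("encoded/hidden/download command line")
    return found


def format_event(kind, record, owner, when=None, parent_name=None):
    """Render one creation/deletion event in the project's colour scheme, flags appended."""
    when = when or datetime.datetime.now()
    line = (f"{COLOR_DATE}{when:%Y-%m-%d %H:%M:%S}{Style.RESET_ALL} [{kind}] "
            f"{COLOR_NAME}{record.get('Name')}{Style.RESET_ALL} "
            f"{COLOR_OWNER}{owner}{Style.RESET_ALL} "
            f"PID={COLOR_ID}{record.get('ProcessId')}{Style.RESET_ALL} "
            f"PPID={COLOR_ID}{record.get('ParentProcessId')}{Style.RESET_ALL} "
            f"prio={COLOR_PRIORITY}{record.get('Priority')}{Style.RESET_ALL} "
            f"session={COLOR_SESSIONID}{record.get('SessionId')}{Style.RESET_ALL} "
            f"{COLOR_COMMANDLINE}{record.get('CommandLine') or ''}{Style.RESET_ALL}")
    for flag in flags(record, parent_name):
        line += f"\n    {Fore.RED}!! {flag}{Style.RESET_ALL}"
    return line


def wmi_record(ev):
    """Copy the Win32_Process properties used above out of a wmi event object."""
    return {k: getattr(ev, k, None) for k in ("Name", "ProcessId", "ParentProcessId",
                                              "ExecutablePath", "Priority", "SessionId", "CommandLine")}


def watch(kind="creation"):
    """Print process events forever. Windows only; needs the wmi package.
    kind is "creation" (Process Creation tool) or "deletion" (Process Deletion tool)."""
    import wmi  # imported here so the pure helpers above run on any platform
    c = wmi.WMI()
    parents = {p.ProcessId: p.Name for p in c.Win32_Process()}  # pid -> name, to name a parent
    watcher = c.Win32_Process.watch_for(kind)
    colorama_init()
    while True:
        ev = watcher()  # blocks until the next __InstanceCreationEvent / __InstanceDeletionEvent
        rec = wmi_record(ev)
        try:
            out = ev.GetOwner()  # assumed out-parameter order: (Domain, ReturnValue, User)
            owner = f"{out[0]}\\{out[-1]}"
        except Exception:
            owner = "?"  # other users' / SYSTEM processes may refuse the query when not elevated
        print(format_event(kind, rec, owner, parent_name=parents.get(rec["ParentProcessId"])))
        if kind == "creation":
            parents[rec["ProcessId"]] = rec["Name"]
        else:
            parents.pop(rec["ProcessId"], None)


if __name__ == "__main__":
    watch(sys.argv[1] if len(sys.argv) > 1 else "creation")
```

Run it as `python watcher.py creation` or `python watcher.py deletion`. The parent name is taken from a snapshot kept by the watcher because a deletion event only carries the vanished instance, so a parent that already exited cannot be named; the rules are deliberately simple and are meant to be adjusted to the sample under analysis.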


Startup

  The program can register itself to start automatically when the computer starts. For security reasons it does not start itself with administrator privileges; it runs as the logged-on user. Autostart can be cancelled again if desired.
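The README does not show how the project implements autostart. As an added example (not the project's code), the following uses the per-user Run key, which the Windows shell reads at logon and which is writable without administrator rights, so the registered program also starts unelevated, matching the behaviour described above. RUN_KEY, VALUE_NAME, the function names and the quoting rule are this example's own choices.

```python
"""Per-user autostart through HKCU Run (added example, not the project's code)."""
import ntpath
import os
import sys

RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"   # per-user, no admin needed
VALUE_NAME = "Process Monitoring Tools"                      # matches SETTINGS.PROGRAM_TITLE


def run_command(exe_path):
    """Build the Run value. The path must be absolute and is quoted so that a path
    containing spaces cannot be split into a different executable at logon."""
    if not ntpath.isabs(exe_path):
        raise ValueError(f"autostart path must be absolute: {exe_path!r}")
    if '"' in exe_path:
        raise ValueError("autostart path must not contain double quotes")
    return f'"{exe_path}"'


def parse_run_command(value):
    """Inverse of run_command: the executable part of a Run value
    (the quoted path, or the first whitespace-delimited token of an unquoted one)."""
    value = value.strip()
    if value.startswith('"'):
        end = value.find('"', 1)
        return value[1:end] if end > 0 else value[1:]
    return value.split(" ", 1)[0]


def current_executable():
    """The one-file executable when frozen by PyInstaller, otherwise this script."""
    return sys.executable if getattr(sys, "frozen", False) else os.path.abspath(sys.argv[0])


def enable_autostart(exe_path=None):
    """Register the program under HKCU Run for the current user only."""
    import winreg  # Windows only; imported lazily so the helpers above run anywhere
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        winreg.SetValueEx(key, VALUE_NAME, 0, winreg.REG_SZ,
                          run_command(exe_path or current_executable()))


def disable_autostart():
    """Remove the Run value again; silently succeeds if it is not there."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY, 0, winreg.KEY_SET_VALUE) as key:
        try:
            winreg.DeleteValue(key, VALUE_NAME)
        except FileNotFoundError:
            pass


def autostart_target():
    """Return the executable currently registered for autostart, or None."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, RUN_KEY) as key:
        try:
            value, _ = winreg.QueryValueEx(key, VALUE_NAME)
        except FileNotFoundError:
            return None
    return parse_run_command(value)
```

Because the value lives in the user's own hive rather than under HKLM, no elevation is needed to write it and none is granted at logon; the same entry is listed by Autoruns (tool 7 above) under the user's Logon entries, which is a convenient way to confirm what was registered.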


The Compiled Version of the Program Can Be Downloaded from the Links Below

"Process Monitoring Tools (for Windows x64) [Download]"
process_monitor_tools_for_Windows.rar --> archive password: #AkG_*_2022#
Link = https://drive.google.com/file/d/1l5opbERUFIepCA9OnNHWnTgraAc-icmb/view?usp=sharing
"Process Monitoring Tools (for Windows x64) [YouTube]"
The link below shows the program running.
Link = https://www.youtube.com/watch?v=lcp7Gis7c00

  Treat the archive as you would any binary obtained from a file-sharing link: check the Authenticode signature of each executable before running it (in PowerShell, Get-AuthenticodeSignature on the file shows the signer; the official Sysinternals tools are signed by Microsoft).

Requirements

  Required libraries: wmi, colorama, pyinstaller, pystray, pillow

```
pip install wmi
pip install colorama
pip install pyinstaller
pip install pystray
pip install pillow
```

  pyinstaller is used to build the code into a single-file executable.

Settings

process_monitoring_tools.py (Default Settings for Directory Structure)

```python
class SETTINGS:
    PROGRAM_TITLE:        str  = "Process Monitoring Tools"
    PROGRAM_NAME:         str  = "process_monitoring_tools.exe"
    SYSTEM_TRAY_ICON:     str  = "images\\systemtray.png"
    SYSTEM_TRAY_TITLE:    str  = "Process Monitoring Tools"
    WAIT_TIME:          float  = 0.01
    DEVELOPPER:           str  = "ABDULKADIR GUNGOR"
    PROCESS_CREATION:     list = ( "Process Creation", "programs\\process_creation.exe")
    PROCESS_DELETION:     list = ("Process Deletion", "programs\\process_deletion.exe")
    PROCESS_MONITOR:      list = ("Process Monitor", "programs\\ProcessMonitor\\Procmon64.exe")
    PROCESS_EXPLORER:     list = ("Process Explorer", "programs\\ProcessExplorer\\procexp64.exe")
    PROCESS_RAMMAP:       list = ("RAMMap", "programs\\RAMMap\\RAMMap64.exe")
    PROCESS_WINOBJ:       list = ("WinObj", "programs\\WinObj\\Winobj64.exe")
    PROCESS_AUTORUNS:     list = ("Autoruns","programs\\Autoruns\\Autoruns64.exe" )
    PROCESS_CMD:          list = ("CMD", "cmd")
```

process_creation.py (Default Settings for Colors)

```python
class ProcessWatcher():
    COLOR_DATE = Fore.RED
    COLOR_NAME = Fore.GREEN
    COLOR_OWNER = Fore.CYAN
    COLOR_ID = Fore.YELLOW
    COLOR_PRIORITY = Fore.YELLOW
    COLOR_SESSIONID = Fore.YELLOW
    COLOR_COMMANDLINE = Fore.WHITE
```

process_deletion.py (Default Settings for Colors)

```python
class ProcessWatcher():
    COLOR_DATE = Fore.RED
    COLOR_NAME = Fore.GREEN
    COLOR_OWNER = Fore.CYAN
    COLOR_ID = Fore.YELLOW
    COLOR_PRIORITY = Fore.YELLOW
    COLOR_SESSIONID = Fore.YELLOW
    COLOR_COMMANDLINE = Fore.WHITE
```

Compilation

[Language : Python 3.8.5]

```bat
pyinstaller --onefile  --icon=images\process_monitoring_tools.ico process_monitoring_tools.py # [Main program]
pyinstaller --onefile  --icon=images\process.ico process_creation.py  # [Tool] After compiling, put it in the programs folder.
pyinstaller --onefile  --icon=images\process.ico process_deletion.py  # [Tool] After compiling, put it in the programs folder.
```

The folder structure required by the default settings after compilation

  If the folder structure is not correct, the program will not work properly. The paths in SETTINGS are relative, so run the program from its own folder. The Sysinternals tools are not built here: place the official Microsoft binaries (Procmon64.exe, procexp64.exe, RAMMap64.exe, Winobj64.exe, Autoruns64.exe) in the corresponding folders under programs.

```
process_monitoring_tools.exe ----.
                                 |----images\systemtray.png
                                 |----programs\process_creation.exe
                                 |----programs\process_deletion.exe
                                 |----programs\Autoruns\*
                                 |----programs\ProcessExplorer\*
                                 |----programs\ProcessMonitor\*
                                 |----programs\RAMMap\*
                                 |----programs\WinObj\*
```
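As an added example (not the project's process_monitoring_tools.py), here is a layout check and launcher for the structure above. The relative paths are the README's SETTINGS defaults; resolving them against the executable's own directory rather than the current working directory, and the function names, are this example's additions. Resolving against the working directory would let whatever folder the user happens to be in supply a fake Procmon64.exe, which is the security reason for anchoring at the executable.

```python
"""Layout check and tool launcher for the README's folder structure (added example)."""
import os
import subprocess
import sys

# Relative paths exactly as in SETTINGS (README notation with backslashes).
TOOLS = {
    "Process Creation": r"programs\process_creation.exe",
    "Process Deletion": r"programs\process_deletion.exe",
    "Process Monitor":  r"programs\ProcessMonitor\Procmon64.exe",
    "Process Explorer": r"programs\ProcessExplorer\procexp64.exe",
    "RAMMap":           r"programs\RAMMap\RAMMap64.exe",
    "WinObj":           r"programs\WinObj\Winobj64.exe",
    "Autoruns":         r"programs\Autoruns\Autoruns64.exe",
}
ASSETS = (r"images\systemtray.png",)
# SETTINGS.PROCESS_CMD is just "cmd": that one is found through PATH, not the layout.


def base_dir():
    """Directory of the one-file executable when frozen by PyInstaller, otherwise of
    this script. Deliberately not os.getcwd(): the tray program may be started from
    any folder, and tools must never be resolved relative to that folder."""
    anchor = sys.executable if getattr(sys, "frozen", False) else os.path.abspath(__file__)
    return os.path.dirname(anchor)


def resolve(relative, base=None):
    """Absolute path of a README-style relative path under base (default: base_dir())."""
    parts = relative.split("\\")
    return os.path.join(base if base is not None else base_dir(), *parts)


def missing_files(base=None, exists=os.path.isfile):
    """Relative paths (README notation) that are absent from the layout.
    `exists` is injectable so the check can be exercised without a real tree."""
    wanted = list(TOOLS.values()) + list(ASSETS)
    return [rel for rel in wanted if not exists(resolve(rel, base))]


def launch(tool_name, base=None):
    """Start one tool by absolute path. Raises when the layout is broken instead of
    letting a bare name fall through to a PATH lookup."""
    path = resolve(TOOLS[tool_name], base)
    if not os.path.isfile(path):
        raise FileNotFoundError(f"{tool_name} not found at {path}")
    return subprocess.Popen([path], cwd=os.path.dirname(path))


if __name__ == "__main__":
    gaps = missing_files()
    if gaps:
        print("layout incomplete, missing:")
        for rel in gaps:
            print("  " + rel)
        sys.exit(1)
    print("layout complete under " + base_dir())
```

Running the script from inside the program folder prints either "layout complete" or the list of files still to be put in place; calling missing_files() at tray start-up and refusing to show menu entries for absent tools gives the user a clearer failure than a silent no-op.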

An Example of Using the Program

  The program is useful not only for malware analysis but for many other purposes, for example capturing the Microsoft Edge processes that are started in the background, and reading off what they send, from their command lines.

Screenshot [1]

Screenshot [2]

Some Screenshots of the Program Running

Screenshot [1]

Screenshot [2]

Legal Warning

  Run your tests on virtual machines. The user is responsible for any illegal use. Shared for educational purposes.