Strings
Searches for character strings in binary files. We can search for text strings not only in the ASCII standard, but also in UNICODE.
Below is a fragment of the output we get by searching the Notepad++ application binary. We are only interested in text strings longer than 50 characters and in UNICODE encoding: -o prints the file offset of each string, -n 50 sets the minimum string length to 50, and -u restricts the search to Unicode strings (by default both ASCII and Unicode are reported).
F:\Programy\SysinternalsSuite>strings.exe -o -n 50 -u "notepad++.exe"
Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
1260736:This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
1261222:This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details.
1261698:You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
1263624:Select a folder to add in Folder as Workspace panel
1263728:A sub-folder of the folder you want to open exists.
1263832:Please remove it from the panel before you add this one.
1264576:WaitForSingleObject problem in backupCurrentBuffer()!
1264856:WaitForSingleObject problem in deleteCurrentBufferBackup()!
1312232:Find: Found the 1st occurrence from the top. The end of the document has been reached.
1312408:Find: Found the 1st occurrence from the bottom. The beginning of the document has been reached.
1312600:Are you sure you want to replace all occurrences in :
1312776:Replace: Cannot replace text. The current document is read only.
1313192:Count: The regular expression to search is malformed.
1313376:Mark: The regular expression to search is malformed.
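To show what strings.exe actually does with the three switches used above, here is an added example (my own code, not part of the original post or of the Sysinternals tool): it scans a byte buffer for runs of printable ASCII and for UTF-16LE runs (the wide-string form Windows binaries use), reports each hit with its file offset like "strings -o", and applies a minimum length like "-n". The input is a constructed buffer, not Notepad++; run it with a file path argument to scan a real file.

```python
import re
import sys

# Constructed sample: three bytes of noise, an ASCII string, two bytes of noise,
# a UTF-16LE string (as Windows binaries store wide strings), padding, then a
# two-character ASCII fragment that a sensible minimum length should drop.
SAMPLE = (
    b"\x00\x01\x02"
    + b"Select a folder to add"
    + b"\x00\xff"
    + "Find: Found the 1st occurrence".encode("utf-16-le")
    + b"\x00\x00\x90\x90"
    + b"ok"
    + b"\x00"
)

PRINTABLE = rb"[\x20-\x7e]"  # printable 7-bit ASCII, space through tilde


def find_strings(data, min_len=3, ascii_=True, unicode=True):
    """Return (offset, encoding, text) tuples sorted by offset.

    Mirrors the three strings.exe switches used on the page:
    -o (offset), -n N (minimum length) and -u (Unicode only).
    """
    hits = []
    if ascii_:
        pattern = PRINTABLE + (b"{%d,}" % min_len)
        for m in re.finditer(pattern, data):
            hits.append((m.start(), "ascii", m.group().decode("ascii")))
    if unicode:
        # UTF-16LE: each printable ASCII code point is followed by a NUL byte,
        # so a wide string never satisfies the ASCII pattern above.
        pattern = rb"(?:" + PRINTABLE + rb"\x00)" + (b"{%d,}" % min_len)
        for m in re.finditer(pattern, data):
            hits.append((m.start(), "utf-16le", m.group().decode("utf-16-le")))
    return sorted(hits)


def format_like_strings(hits):
    """Render hits in the 'offset:text' form produced by 'strings -o'."""
    return [f"{offset}:{text}" for offset, _enc, text in hits]


if __name__ == "__main__":
    # Usage: python strings_demo.py [file]  (no argument scans the built-in sample)
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    for line in format_like_strings(find_strings(blob, min_len=3)):
        print(line)
```

A raised minimum length (the page uses 50) is the usual way to cut the noise of short accidental runs; the flip side is that a packed or encrypted binary yields almost nothing at any length, so an empty result says more about the packaging than about the program.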
Handle
This is a console application that lets you find out which handles a given process holds. We get a list of all objects, including:
- console handles,
- file handles,
- registry handles,
- handles to synchronization objects ("synchronization primitives"),
- thread and process handles.
Below is an example invocation for a hello world type application (-a lists all handle types, not only files and named objects; -p restricts the output to the given process id). It is worth noting how many handles an application needs that only writes a single line of text to the console.
F:\Programy\SysinternalsSuite>handle.exe -a -p 427784
Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
4: Event
8: WaitCompletionPacket
C: IoCompletion
10: TpWorkerFactory
14: IRTimer
18: WaitCompletionPacket
1C: IRTimer
20: WaitCompletionPacket
24: <Unknown type>
28: Directory \KnownDlls
2C: Directory \KnownDlls32
30: Event
34: Event
38: File C:\Windows
3C: Event
40: WaitCompletionPacket
44: IoCompletion
48: TpWorkerFactory
4C: IRTimer
50: WaitCompletionPacket
54: IRTimer
58: WaitCompletionPacket
5C: <Unknown type>
60: Directory \KnownDlls32
64: Event
68: Event
6C: File F:\W_Trakcie\RE\TestoweApp\OUT\Hello1
70: File \Device\ConDrv
74: File \Device\ConDrv
78: ALPC Port
7C: File
80: File \Device\ConDrv
84: File \Device\ConDrv
88: <Unknown type>
8C: <Unknown type>
90: <Unknown type>
94: <Unknown type>
98: <Unknown type>
9C: <Unknown type>
A0: <Unknown type>
A4: Key HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale
A8: <Unknown type>
AC: IoCompletion
B0: Directory \Sessions\2\BaseNamedObjects
B4: TpWorkerFactory
B8: IRTimer
BC: WaitCompletionPacket
C0: IRTimer
C4: WaitCompletionPacket
C8: Key HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
CC: Key HKLM\SYSTEM\ControlSet001\Control\Session Manager
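Reading a listing like the one above by eye works for a hello world, but a real process holds hundreds of handles. As an added example (my own code, not the post's and not part of handle.exe), here is a small parser for the "HEX: Type [name]" lines that counts handles per object type and singles out the named objects (files, directories, registry keys) that lie outside the roots you expect the process to touch. The input is a constructed excerpt of the listing above; the allowed-roots list in the test is an assumption, not something the tool provides.

```python
import re
from collections import Counter

# Constructed excerpt modelled on the handle.exe listing above (banner plus a
# dozen handle lines); the real tool pads the columns with spaces.
SAMPLE_OUTPUT = r"""
Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

    4: Event
    C: IoCompletion
   28: Directory       \KnownDlls
   38: File            C:\Windows
   6C: File            F:\W_Trakcie\RE\TestoweApp\OUT\Hello1
   70: File            \Device\ConDrv
   78: ALPC Port
   7C: File
   88: <Unknown type>
   A4: Key             HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale
   B0: Directory       \Sessions\2\BaseNamedObjects
   CC: Key             HKLM\SYSTEM\ControlSet001\Control\Session Manager
"""

# Object types whose name contains a space, so they cannot be split on whitespace.
MULTIWORD_TYPES = ("<Unknown type>", "ALPC Port")
HANDLE_LINE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(.*)$")


def parse_handle_line(line):
    """Parse one 'HEX: Type [name]' line into (value, type, name), or None."""
    m = HANDLE_LINE.match(line)
    if not m:
        return None  # banner, blank or otherwise not a handle line
    value = int(m.group(1), 16)
    rest = m.group(2).strip()
    for t in MULTIWORD_TYPES:
        if rest.startswith(t):
            return value, t, rest[len(t):].strip()
    parts = rest.split(None, 1)  # first token is the type, the remainder the name
    return value, parts[0], (parts[1].strip() if len(parts) > 1 else "")


def parse_handle_output(text):
    parsed = (parse_handle_line(line) for line in text.splitlines())
    return [h for h in parsed if h]


def count_by_type(handles):
    return Counter(t for _v, t, _n in handles)


def named_objects(handles):
    """(type, name) for every handle that refers to a named object."""
    return [(t, n) for _v, t, n in handles if n]


def unexpected_named(handles, allowed_prefixes):
    """Named objects under none of the expected roots: the files, directories
    and registry keys worth a second look."""
    return [(t, n) for t, n in named_objects(handles)
            if not any(n.startswith(p) for p in allowed_prefixes)]


if __name__ == "__main__":
    handles = parse_handle_output(SAMPLE_OUTPUT)
    for obj_type, count in count_by_type(handles).most_common():
        print(f"{count:3d}  {obj_type}")
    # Hypothetical roots for this process; adjust per application.
    roots = (r"C:\Windows", r"\Device\ConDrv", r"\KnownDlls", r"\Sessions", r"HKLM\SYSTEM")
    for obj_type, name in unexpected_named(handles, roots):
        print("outside expected roots:", obj_type, name)
```

The "<Unknown type>" entries are objects whose type the viewer cannot name; counting them separately keeps them from silently disappearing into the summary.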
PipeList
Displays all named pipes that exist on the system.
F:\Programy\SysinternalsSuite>pipelist.exe
PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com
Pipe Name                               Instances   Max Instances
---------                               ---------   -------------
InitShutdown                                    3              -1
lsass                                           4              -1
ntsvcs                                          3              -1
scerpc                                          3              -1
Winsock2\CatalogChangeListener-64-0             1               1
epmapper                                        3              -1
Winsock2\CatalogChangeListener-2cc-0            1               1
LSM_API_service                                 3              -1
atsvc                                           3              -1
TermSrv_API_service                             3              -1
Ctx_WinStation_API_service                      3              -1
Winsock2\CatalogChangeListener-458-0            1               1
eventlog                                        3              -1
Winsock2\CatalogChangeListener-444-0            1               1
wkssvc                                          4              -1
SessEnvPublicRpc                                3              -1
spoolss                                         3              -1
Winsock2\CatalogChangeListener-89c-0            1               1
WiFiNetworkManagerTask                          1              -1
trkwks                                          3              -1
srvsvc                                          4              -1
vmware-usbarbpipe                               1              -1
vmware-authdpipe                                1              -1
Winsock2\CatalogChangeListener-354-0            1               1
MsFteWds                                        3              -1
Winsock2\CatalogChangeListener-35c-0            1               1
ROUTER                                          3              -1
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER          1              -1
W32TIME_ALT                                     3              -1
TDLN-133260-41                                  1               2
TGitCache-0000000002a03e72                     19              -1
TGitCacheCommand-0000000002a03e72               4              -1
gecko-crash-server-pipe.221396                  1               1
ProtectedPrefix\LocalService\FTHPIPE            1               1
TDLN-356524-41                                  1               2
TDLN-398516-41                                  1               2
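The pipe list is most useful when compared against a known-good snapshot of the same host: a pipe name that was not there before is a new server worth identifying. As an added example (my own code, not the post's and not part of PipeList), the block below parses the tabular output, diffs it against a baseline of expected pipe names, and also reports pipes that have reached their instance limit, since a server at its limit turns away further clients (ERROR_PIPE_BUSY). The baseline is a hypothetical one constructed for the example; the sample rows are an excerpt of the listing above. Because a pipe name may itself contain spaces ("CIMV2SCM EVENT PROVIDER"), the columns are split from the right.

```python
import fnmatch

# Constructed excerpt in the PipeList output format shown above.
SAMPLE_PIPELIST = r"""
PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Pipe Name                                 Instances       Max Instances
---------                                 ---------       -------------
InitShutdown                                  3               -1
lsass                                         4               -1
Winsock2\CatalogChangeListener-64-0           1                1
epmapper                                      3               -1
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER        1               -1
spoolss                                       3               -1
gecko-crash-server-pipe.221396                1                1
TDLN-133260-41                                1                2
"""

# Hypothetical baseline captured earlier from a known-good host; glob patterns
# cover pipes whose names carry a per-process suffix.
BASELINE = [
    "InitShutdown",
    "lsass",
    "epmapper",
    "spoolss",
    r"Winsock2\CatalogChangeListener-*",
    "TDLN-*",
]


def parse_pipelist(text):
    """Return (name, instances, max_instances) for each pipe row.

    Banner, header and separator lines are skipped because their last two
    whitespace-separated fields are not integers.
    """
    rows = []
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 2)
        if len(parts) != 3:
            continue
        name, inst, max_inst = parts
        try:
            rows.append((name, int(inst), int(max_inst)))
        except ValueError:
            continue
    return rows


def new_pipes(rows, baseline):
    """Pipes present now that match no baseline pattern."""
    return [n for n, _i, _m in rows
            if not any(fnmatch.fnmatchcase(n, pat) for pat in baseline)]


def saturated(rows):
    """Pipes at their instance limit; -1 means unlimited."""
    return [n for n, i, m in rows if m != -1 and i >= m]


if __name__ == "__main__":
    rows = parse_pipelist(SAMPLE_PIPELIST)
    for name in new_pipes(rows, BASELINE):
        print("not in baseline:", name)
    for name in saturated(rows):
        print("at instance limit:", name)
```

Two of the sample rows fall outside the baseline: the WMI event-provider pipe and the per-process gecko crash-server pipe. Whether such a pipe is benign is decided by finding its owning process (the PipeList output does not say), so the diff is a starting point for investigation, not a verdict.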