21 November 2016

Tools #7 (Sysinternals)

Strings

Searches for character strings in binary files. We can search for text strings not only in ASCII but also in UNICODE.

Below is a fragment of the output we get by searching the Notepad++ application. We are interested only in UNICODE text strings of at least 50 characters (the -n 50 and -u switches); -o prints the file offset of each match.

F:\Programy\SysinternalsSuite>strings.exe -o -n 50 -u "notepad++.exe"

Strings v2.53 - Search for ANSI and Unicode strings in binary images.
Copyright (C) 1999-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

1260736:This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version.
1261222:This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License for more details.
1261698:You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 675 Mass Ave, Cambridge, MA 02139, USA.
1263624:Select a folder to add in Folder as Workspace panel
1263728:A sub-folder of the folder you want to open exists.
1263832:Please remove it from the panel before you add this one.
1264576:WaitForSingleObject problem in backupCurrentBuffer()!
1264856:WaitForSingleObject problem in deleteCurrentBufferBackup()!
1312232:Find: Found the 1st occurrence from the top. The end of the document has been reached.
1312408:Find: Found the 1st occurrence from the bottom. The beginning of the document has been reached.
1312600:Are you sure you want to replace all occurrences in :
1312776:Replace: Cannot replace text. The current document is read only.
1313192:Count: The regular expression to search is malformed.
1313376:Mark: The regular expression to search is malformed.
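
An added example (my code, not from the original post or from Sysinternals) showing how the -o, -n and -u switches map onto the search itself: a small strings extractor that scans a constructed byte blob for ASCII runs and for UTF-16LE runs, which is what Sysinternals calls Unicode strings. Defaults and the main block assume a file path on the command line; without one the built-in sample is scanned.

```python
import re
import sys
from typing import Iterator, List, Tuple

# Constructed sample blob (not a real binary): one ASCII string, one UTF-16LE
# string taken from the Notepad++ listing above, and fragments that are too
# short to be reported at the default minimum length.
SAMPLE = (
    b"\x00\x01MZ\x90"
    + b"This program cannot be run in DOS mode."
    + b"\x00" * 4
    + "Select a folder to add in Folder as Workspace panel".encode("utf-16-le")
    + b"\x00\x00ab\x00\x00" + "OK".encode("utf-16-le") + b"\xff"
)

PRINTABLE = rb"[\x20-\x7e]"   # printable 7-bit ASCII, the character class strings.exe reports

def find_strings(data: bytes, min_len: int = 3, want_ascii: bool = True,
                 want_unicode: bool = True) -> Iterator[Tuple[int, str, str]]:
    """Yield (offset, encoding, text). min_len mirrors -n, want_ascii and
    want_unicode mirror the -a/-u filters, and offset is what -o prints."""
    if want_ascii:
        pat = PRINTABLE + b"{%d,}" % min_len
        for m in re.finditer(pat, data):
            yield m.start(), "ascii", m.group().decode("ascii")
    if want_unicode:
        # "Unicode" in the Sysinternals sense is UTF-16LE: each printable
        # character is one ASCII byte followed by a 0x00 byte.
        pat = b"(?:" + PRINTABLE + b"\x00){%d,}" % min_len
        for m in re.finditer(pat, data):
            yield m.start(), "unicode", m.group().decode("utf-16-le")

def strings_report(data: bytes, min_len: int = 3, want_ascii: bool = True,
                   want_unicode: bool = True) -> List[str]:
    """Lines in the 'offset:text' form that strings.exe -o prints, in offset order."""
    hits = sorted(find_strings(data, min_len, want_ascii, want_unicode))
    return ["%d:%s" % (off, text) for off, _, text in hits]

if __name__ == "__main__":
    # Usage: python strings_like.py [file]; without a file the constructed SAMPLE is scanned.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    # The equivalent of "strings.exe -o -n 50 -u": Unicode only, at least 50 characters.
    for line in strings_report(blob, min_len=50, want_ascii=False):
        print(line)
```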

Handle

This is a console application that lets us find out which handles a given process holds. We get a list of all objects, including:

  • console handles,
  • file handles,
  • registry handles,
  • handles to synchronization objects ("synchronization primitives"),
  • thread and process handles.

Below is an example invocation for a hello-world type application. It is worth noting how many handles an application needs when all it does is write a single line of text to the console.

F:\Programy\SysinternalsSuite>handle.exe -a -p 427784

Nthandle v4.1 - Handle viewer
Copyright (C) 1997-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

    4: Event
    8: WaitCompletionPacket
    C: IoCompletion
   10: TpWorkerFactory
   14: IRTimer
   18: WaitCompletionPacket
   1C: IRTimer
   20: WaitCompletionPacket
   24: <Unknown type>
   28: Directory     \KnownDlls
   2C: Directory     \KnownDlls32
   30: Event
   34: Event
   38: File          C:\Windows
   3C: Event
   40: WaitCompletionPacket
   44: IoCompletion
   48: TpWorkerFactory
   4C: IRTimer
   50: WaitCompletionPacket
   54: IRTimer
   58: WaitCompletionPacket
   5C: <Unknown type>
   60: Directory     \KnownDlls32
   64: Event
   68: Event
   6C: File          F:\W_Trakcie\RE\TestoweApp\OUT\Hello1
   70: File          \Device\ConDrv
   74: File          \Device\ConDrv
   78: ALPC Port
   7C: File
   80: File          \Device\ConDrv
   84: File          \Device\ConDrv
   88: <Unknown type>
   8C: <Unknown type>
   90: <Unknown type>
   94: <Unknown type>
   98: <Unknown type>
   9C: <Unknown type>
   A0: <Unknown type>
   A4: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale
   A8: <Unknown type>
   AC: IoCompletion
   B0: Directory     \Sessions\2\BaseNamedObjects
   B4: TpWorkerFactory
   B8: IRTimer
   BC: WaitCompletionPacket
   C0: IRTimer
   C4: WaitCompletionPacket
   C8: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\Sorting\Versions
   CC: Key           HKLM\SYSTEM\ControlSet001\Control\Session Manager
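
Added example, not from the original post: a parser for the handle.exe listing format shown above that turns each line into a record and summarises the table by object type, so a long listing can be compared between runs or between processes. The sample input is an excerpt constructed from lines of the listing above; reading a live listing from stdin is an assumption of the main block.

```python
import re
import sys
from collections import Counter
from typing import Dict, List, NamedTuple

class HandleEntry(NamedTuple):
    value: int   # handle value, printed in hex by handle.exe
    kind: str    # object type, e.g. "File", "Key", "ALPC Port"
    name: str    # object name, "" for unnamed objects

# Constructed excerpt in the format of the "handle.exe -a -p <pid>" listing above.
SAMPLE_OUTPUT = r"""
Nthandle v4.1 - Handle viewer

    4: Event
   28: Directory     \KnownDlls
   38: File          C:\Windows
   6C: File          F:\W_Trakcie\RE\TestoweApp\OUT\Hello1
   70: File          \Device\ConDrv
   78: ALPC Port
   7C: File
   88: <Unknown type>
   A4: Key           HKLM\SYSTEM\ControlSet001\Control\Nls\CustomLocale
   B0: Directory     \Sessions\2\BaseNamedObjects
"""

# "<hex>: <type>" plus an optional name after two or more spaces; lazy (.+?) keeps "ALPC Port" whole.
LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]+):\s+(.+?)(?:\s{2,}(\S.*))?$")

def parse_handle_output(text: str) -> List[HandleEntry]:
    """Turn a handle.exe listing into records, skipping banner and blank lines."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append(HandleEntry(int(m.group(1), 16), m.group(2), m.group(3) or ""))
    return entries

def count_by_type(entries: List[HandleEntry]) -> Dict[str, int]:
    """Handles per object type: the quickest way to compare two listings."""
    return dict(Counter(e.kind for e in entries))

def named_objects(entries: List[HandleEntry], kind: str) -> List[str]:
    """Names of every object of one type, e.g. all files or registry keys held open."""
    return [e.name for e in entries if e.kind == kind and e.name]

if __name__ == "__main__":  # usage: handle.exe -a -p <pid> | python handles.py
    parsed = parse_handle_output(SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read())
    for kind, n in sorted(count_by_type(parsed).items(), key=lambda kv: -kv[1]):
        print("%3d  %s" % (n, kind))
```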

PipeList

Displays all named pipes that exist in the system.

F:\Programy\SysinternalsSuite>pipelist.exe

PipeList v1.02 - Lists open named pipes
Copyright (C) 2005-2016 Mark Russinovich
Sysinternals - www.sysinternals.com

Pipe Name                                    Instances       Max Instances
---------                                    ---------       -------------
InitShutdown                                      3               -1
lsass                                             4               -1
ntsvcs                                            3               -1
scerpc                                            3               -1
Winsock2\CatalogChangeListener-64-0               1                1
epmapper                                          3               -1
Winsock2\CatalogChangeListener-2cc-0              1                1
LSM_API_service                                   3               -1
atsvc                                             3               -1
TermSrv_API_service                               3               -1
Ctx_WinStation_API_service                        3               -1
Winsock2\CatalogChangeListener-458-0              1                1
eventlog                                          3               -1
Winsock2\CatalogChangeListener-444-0              1                1
wkssvc                                            4               -1
SessEnvPublicRpc                                  3               -1
spoolss                                           3               -1
Winsock2\CatalogChangeListener-89c-0              1                1
WiFiNetworkManagerTask                            1               -1
trkwks                                            3               -1
srvsvc                                            4               -1
vmware-usbarbpipe                                 1               -1
vmware-authdpipe                                  1               -1
Winsock2\CatalogChangeListener-354-0              1                1
MsFteWds                                          3               -1
Winsock2\CatalogChangeListener-35c-0              1                1
ROUTER                                            3               -1
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER            1               -1
W32TIME_ALT                                       3               -1
TDLN-133260-41                                    1                2
TGitCache-0000000002a03e72                       19               -1
TGitCacheCommand-0000000002a03e72                 4               -1
gecko-crash-server-pipe.221396                    1                1
ProtectedPrefix\LocalService\FTHPIPE              1                1
TDLN-356524-41                                    1                2
TDLN-398516-41                                    1                2