Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more
Blog Data Security

Process Hacker: Advanced Task Manager Overview

This article is an overview of the tool Process Hacker. This is a popular tool amongst security professionals when analyzing malware as it will display real-time activity of processes and provide a wealth of technical information on how a particular process is behaving.
Neil Fox
5 min read
Last updated June 23, 2023

Contents

    Process Hacker is a great tool for monitoring and investigating processes created by a piece of malware. It is a popular malware analysis tool amongst security professionals as it can extract a wealth of information from processes that are running on a device.

    Discover your weak points and strengthen your resilience: Run a Free Ransomware Readiness Test

    This article will cover the following:

    What is Process Hacker?

    illustration of a computer monitor

    Process Hacker is an open-source tool that will allow you to see what processes are running on a device, identify programs that are eating up CPU resources and identify network connections that are associated with a process. 

    These types of features make Process Hacker an ideal tool for monitoring malware on a device. By seeing what processes are created and being able to identify network connections and interesting strings from memory means that valuable indicators of compromise (IOC’s) can be gathered when triaging a malware infection.

    IP addresses and malicious domains are huge wins during incident response, using Process Hacker to gather this information means that compromised hosts can be identified and proactive blocks can be put in place to contain a malware infection.

    Is Process Hacker Safe?

    Process Hacker is 100% safe to use. Some AV vendors may class it as a ‘Hack Tool’ and for this reason, some organizations may see alerts in their security tools for Process Hacker. This does not mean that it contains a virus.

    The Process Hacker executable I am running on my malware analysis lab has an md5 hash value of ‘B365AF317AE730A67C936F21432B9C71’.

    By searching for this hash value in VirusTotal we can see that some AV vendors have flagged this as malicious:

    So if your organization runs Symantec as its antivirus solution then it will detect Process Hacker as malicious and quarantine the file. If you aren’t running one of the above AV solutions but have an EDR solution in place then it may also detect it as malicious due to 14 vendors classing it as malicious on VirusTotal.

    Use Cases + How Process Hacker Works

    Below is the default display shown for Process Hacker when it is launched on a device:

    The first tab named ‘Processes’ gives an overview of what processes are running on the device which contains the following information:

    • Name of the running process
    • The PID is the process ID, this is a unique number assigned to the process
    • The CPU tab displays the amount of CPU being consumed by the process
    • The I/O total output tab
    • The Private bytes tab
    • The User name tab displays which account was used to launch the process
    • The Description tab displays information relating to what the process is

    The ‘Processes’ tab also color codes the listed processes. By navigating to ‘Hacker’ and then ‘Options’ menu you can identify what each color represents in Process Hacker.

    This then opens the ‘Options’ menu.

    Select the ‘Highlighting’ tab to view what each color represents:

    I won’t cover what each color represents but this is useful to quickly identify what processes are expected system processes compared to say a packed process.

    The image below displays the services identified by Process Hacker, services run in the background and don’t interact with the desktop.

    The ‘Services’ tab displays the following information:

    • Name of identified service
    • Display name of service
    • Type of service identified i.e. Driver
    • Status of service i.e. Running
    • Start type i.e. Boot start
    • Process identifier of service if available

    The ‘Network’ tab is useful for malware analysis as malware will often try to call home to the bad guy’s command and control (c2) infrastructure.

    The ‘Network’ tab displays the following information:

    • Process name and PID
    • Local address
    • Local port used by the process
    • Remote address the process is connecting to
    • Remote port of network connection
    • Protocol used by the process
    • State of identified network connection
    • Owner

    The ‘Disk’ tab displays information relating to files on the device hard drive which are being used:

    The ‘Disk’ tab displays the following information:

    • Process name and PID
    • File location on disk
    • Read rate average in realtime of the hard drive
    • Write rate average in realtime of the hard drive
    • Total rate average  of read and write output
    • I/O priority
    • Response time

    Identify strings from memory

    One of my favorite features of Process Hacker is being able to pull interesting strings from the memory of a process that has been created by a piece of malware.

    When analyzing malware I will often run it within a sandboxed VM designed for safely running malware. During this stage of my analysis, I will always have Process Hacker running, to investigate the memory of a process right click on the process name and select ‘Properties’.

    In the example below I have run a sample of Emotet malware that has created the process ‘smsfwdr.exe’.

    This opens the following window and defaults to the ‘General’ tab:

     

    Select the ‘Memory’ tab.


    Select the ‘Strings…’ button, this will allow you to search for strings in memory.

    Select ‘OK’, this will display all strings in memory for the selected process.

    To make identification of malware IOC’s easier I like to search using regular expressions by clicking the ‘Filter’ button and selecting ‘Regex (case-insensitive)’.

    I can then enter a regex pattern, in this example, I am looking for IP addresses and have used the following regex:

    (?:(?:\d|[01]?\d\d|2[0-4]\d|25[0-5])\.){3}(?:25[0-5]|2[0-4]\d|[01]?\d\d|\d)(?:\/\d{1,2})?

    This then returns any strings that match the regex pattern. In the image below we can see some false positives, however, there are a number of IP addresses attempting to connect to the bad guys c2 infrastructure over the HTTP protocol.

    This is a great use case for Process Hacker as I can now check if these IP addresses are blocked by my company’s security controls and perform checks to make sure no devices are talking to these IP addresses.

    I could also use other regex patterns to look for other information such as URLs:

    ([A-Za-z]+://)([-\w]+(?:\.\w[-\w]*)+)(:\d+)?(/[^.!,?”<>\[\]{}\s\x7F-\xFF]*(?:[.!,?]+[^.!,?”<>\[\]{}\s\x7F-\xFF]+)*)?

    Identify network traffic from running processes

    When analyzing a piece of malware you may want to see what connections are being made by a particular process to help understand how the malware behaves.

    Using the same piece of malware from the previous use case I have selected the network tab and on the right-hand side entered the name of the process I am interested in, ‘smsfwdr’.

    This has filtered out all other processes from Process Hacker and is now only displaying network traffic for this one process.

    This is another great way of identifying malicious c2 IP addresses along with the local and destination ports used by the bad guys.

    How to Install Process Hacker

    Process Hacker can be downloaded from the official website where you will find a link to the download page.

    From the download section, you are given the option of choosing to download a setup file or portable binary, in this example, I have chosen the setup executable.

    Once you have downloaded the setup file, double click the executable and select ‘Run’.

    You will then be prompted by the UAC popup to allow Process Hacker to make changes to your device, select ‘Yes’.

    Accept the License Agreement by selecting ‘Next’:

    Choose the location you wish to install Process Hacker to and select ‘Next’:

    Select the components you wish to install and select ‘Next’, by default all are selected.

    Choose the location of the program’s shortcuts and select ‘Next’:

    Select any additional tasks:

    Select ‘Finish’ to complete the install and launch Process Hacker:

    Final Thoughts:

    I’m a big fan of Process Hacker and use it whenever I am performing behavioral analysis on a piece of malware. If you found this article informative then check out these blog posts of mine which cover some of my favorite malware analysis tools and a recent piece I completed on Autoruns which is a great tool for identifying how malware will attempt to persist on a compromised device.

    If you would like more information on how to protect your organization from malware then this post on malware protection will be of interest along with Varonis’ Threat Detection Response which aims to drastically reduce the time to detect and respond to cyberattacks.

    What you should do now

    Below are three ways we can help you begin your journey to reducing data risk at your company:

    1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
    2. Download our free report and learn the risks associated with SaaS data exposure.
    3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
    Neil Fox
    Neil Fox Neil is a cyber security professional specializing in incident response and malware analysis. He also creates cyber security content for his YouTube channel and blog at 0xf0x.com.

    Try Varonis free.

    Get a detailed data risk report based on your company’s data.
    Deploys in minutes.
    Get started View sample

    Keep reading

    Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

    how-to-use-volatility-for-memory-forensics-and-analysis
    How to Use Volatility for Memory Forensics and Analysis
    how-to-use-volatility-for-memory-forensics-and-analysis
    Neil Fox
    April 12, 2022
    This article will cover what Volatility is, how to install Volatility, and most importantly how to use Volatility.
    memory-forensics-for-incident-response
    Memory Forensics for Incident Response
    memory-forensics-for-incident-response
    Neil Fox
    July 26, 2021
    When responding to a cybersecurity incident I’ve always found memory forensics to be a great skill to have. By capturing the memory of a compromised device you can quickly perform…
    11-best-malware-analysis-tools-and-their-features
    11 Best Malware Analysis Tools and Their Features
    11-best-malware-analysis-tools-and-their-features
    Neil Fox
    January 27, 2021
    An overview of 11 notable malware analysis tools and what they are used for, including PeStudio, Process Hacker, ProcMon, ProcDot, Autoruns, and others.
    what-is-x64dbg-+-how-to-use-it
    What is x64dbg + How to Use It
    what-is-x64dbg-+-how-to-use-it
    Neil Fox
    January 27, 2021
    Learn more about x64dbg as a malware analysis tool with our full-length guide and tutorial. Contact us for free trials and tutorials in malware protection.