Process Hacker is a great tool for monitoring and investigating processes created by a piece of malware. It is a popular malware analysis tool amongst security professionals as it can extract a wealth of information from processes that are running on a device.
This article will cover the following:
What is Process Hacker?
Process Hacker is an open-source tool that will allow you to see what processes are running on a device, identify programs that are eating up CPU resources and identify network connections that are associated with a process.
These types of features make Process Hacker an ideal tool for monitoring malware on a device. By seeing what processes are created and being able to identify network connections and interesting strings from memory means that valuable indicators of compromise (IOC’s) can be gathered when triaging a malware infection.
IP addresses and malicious domains are huge wins during incident response, using Process Hacker to gather this information means that compromised hosts can be identified and proactive blocks can be put in place to contain a malware infection.
Is Process Hacker Safe?
Process Hacker is 100% safe to use. Some AV vendors may class it as a ‘Hack Tool’ and for this reason, some organizations may see alerts in their security tools for Process Hacker. This does not mean that it contains a virus.
The Process Hacker executable I am running on my malware analysis lab has an md5 hash value of ‘B365AF317AE730A67C936F21432B9C71’.
By searching for this hash value in VirusTotal we can see that some AV vendors have flagged this as malicious:
So if your organization runs Symantec as its antivirus solution then it will detect Process Hacker as malicious and quarantine the file. If you aren’t running one of the above AV solutions but have an EDR solution in place then it may also detect it as malicious due to 14 vendors classing it as malicious on VirusTotal.
Use Cases + How Process Hacker Works
Below is the default display shown for Process Hacker when it is launched on a device:
The first tab named ‘Processes’ gives an overview of what processes are running on the device which contains the following information:
- Name of the running process
- The PID is the process ID, this is a unique number assigned to the process
- The CPU tab displays the amount of CPU being consumed by the process
- The I/O total output tab
- The Private bytes tab
- The User name tab displays which account was used to launch the process
- The Description tab displays information relating to what the process is
The ‘Processes’ tab also color codes the listed processes. By navigating to ‘Hacker’ and then ‘Options’ menu you can identify what each color represents in Process Hacker.
This then opens the ‘Options’ menu.
Select the ‘Highlighting’ tab to view what each color represents:
I won’t cover what each color represents but this is useful to quickly identify what processes are expected system processes compared to say a packed process.
The image below displays the services identified by Process Hacker, services run in the background and don’t interact with the desktop.
- Name of identified service
- Display name of service
- Type of service identified i.e. Driver
- Status of service i.e. Running
- Start type i.e. Boot start
- Process identifier of service if available
The ‘Network’ tab is useful for malware analysis as malware will often try to call home to the bad guy’s command and control (c2) infrastructure.
The ‘Network’ tab displays the following information:
- Process name and PID
- Local address
- Local port used by the process
- Remote address the process is connecting to
- Remote port of network connection
- Protocol used by the process
- State of identified network connection
The ‘Disk’ tab displays information relating to files on the device hard drive which are being used:
The ‘Disk’ tab displays the following information:
- Process name and PID
- File location on disk
- Read rate average in realtime of the hard drive
- Write rate average in realtime of the hard drive
- Total rate average of read and write output
- I/O priority
- Response time
Identify strings from memory
One of my favorite features of Process Hacker is being able to pull interesting strings from the memory of a process that has been created by a piece of malware.
When analyzing malware I will often run it within a sandboxed VM designed for safely running malware. During this stage of my analysis, I will always have Process Hacker running, to investigate the memory of a process right click on the process name and select ‘Properties’.
In the example below I have run a sample of Emotet malware that has created the process ‘smsfwdr.exe’.
This opens the following window and defaults to the ‘General’ tab:
Select the ‘Memory’ tab.
Select ‘OK’, this will display all strings in memory for the selected process.
To make identification of malware IOC’s easier I like to search using regular expressions by clicking the ‘Filter’ button and selecting ‘Regex (case-insensitive)’.
I can then enter a regex pattern, in this example, I am looking for IP addresses and have used the following regex:
This then returns any strings that match the regex pattern. In the image below we can see some false positives, however, there are a number of IP addresses attempting to connect to the bad guys c2 infrastructure over the HTTP protocol.
This is a great use case for Process Hacker as I can now check if these IP addresses are blocked by my company’s security controls and perform checks to make sure no devices are talking to these IP addresses.
I could also use other regex patterns to look for other information such as URLs:
Identify network traffic from running processes
When analyzing a piece of malware you may want to see what connections are being made by a particular process to help understand how the malware behaves.
Using the same piece of malware from the previous use case I have selected the network tab and on the right-hand side entered the name of the process I am interested in, ‘smsfwdr’.
This has filtered out all other processes from Process Hacker and is now only displaying network traffic for this one process.
This is another great way of identifying malicious c2 IP addresses along with the local and destination ports used by the bad guys.
How to Install Process Hacker
Process Hacker can be downloaded from the official website where you will find a link to the download page.
From the download section, you are given the option of choosing to download a setup file or portable binary, in this example, I have chosen the setup executable.
Once you have downloaded the setup file, double click the executable and select ‘Run’.
You will then be prompted by the UAC popup to allow Process Hacker to make changes to your device, select ‘Yes’.
Choose the location you wish to install Process Hacker to and select ‘Next’:
Select the components you wish to install and select ‘Next’, by default all are selected.
Choose the location of the program’s shortcuts and select ‘Next’:
Select any additional tasks:
Select ‘Finish’ to complete the install and launch Process Hacker:
I’m a big fan of Process Hacker and use it whenever I am performing behavioral analysis on a piece of malware. If you found this article informative then check out these blog posts of mine which cover some of my favorite malware analysis tools and a recent piece I completed on Autoruns which is a great tool for identifying how malware will attempt to persist on a compromised device.
If you would like more information on how to protect your organization from malware then this post on malware protection will be of interest along with Varonis’ Threat Detection Response which aims to drastically reduce the time to detect and respond to cyberattacks.