
Not all processes are scanned #21

Closed
greenozon opened this issue Oct 27, 2024 · 24 comments

Comments

@greenozon

Even if I run cmd.exe as Admin, the tool can't access some processes.
Are there any clues why that is?

eg:

HollowsHunter v.0.3.9 (x64)
Built on: Feb 24 2024

using: PE-sieve v.0.3.9.0

Default scan deployed.
>> Scanning PID:    0 : [System Process]
[!] Could not access: 0
>> Scanning PID:    4 : System
[!] Could not access: 4
>> Scanning PID:  324 : smss.exe

...........


>> Scanning PID: 15492 : chrome.exe
>> Scanning PID: 12572 : Clock7.exe
[-] Section 0:  out ouf bounds, skipping...
>> Scanning PID: 8664 : chrome.exe
>> Scanning PID: 7260 : chrome.exe
>> Scanning PID: 11164 : chrome.exe
>> Scanning PID: 15860 : chrome.exe
>> Scanning PID: 15032 : chrome.exe
[!] Could not access: 15032
>> Scanning PID: 16868 : audiodg.exe
[!] Could not access: 16868
>> Scanning PID: 15672 : chrome.exe
>> Scanning PID: 15868 : chrome.exe
[!] Could not access: 15868
>> Scanning PID: 11204 : chrome.exe
>> Scanning PID: 9192 : chrome.exe
[!] Could not access: 9192
>> Scanning PID: 7560 : WmiPrvSE.exe
>> Scanning PID: 5088 : dllhost.exe
[!] Could not access: 5088
>> Scanning PID: 14892 : dllhost.exe
[!] Could not access: 14892
>> Scanning PID: 9836 : TOTALCMD64.EXE
>> Scanning PID: 16220 : cmd.exe
>> Scanning PID: 4220 : conhost.exe
>> Scanning PID: 7912 : hollows_hunter.exe
--------
SUMMARY:
Scan at: 10/27/24 11:34:01 (1730021641)
Finished scan in: 55333 ms. = 55.333 sec. = 0.922217 min.
[*] Total scanned: 175
[*] Total suspicious: 0

The first two I guess are OK, but what about the rest?

@greenozon
Author

Do I need to run the tool on even higher priv, eg https://github.com/nfedera/run-as-trustedinstaller ?

@hasherezade
Owner

Hi @greenozon ! Yes, clearly Admin is not enough and HH doesn't have the privilege to access those processes. Can you check with which privileges each of them run? What exactly is your Windows version? Do you have any AV/EDR software installed? Sometimes such products block access to specific processes.

@greenozon
Author

Thanks for the reply! I don't have any AV/EDR.
I'm using good old W7x64SP1.
I'll check what privileges those processes are using.

@greenozon
Author

greenozon commented Oct 28, 2024

details:

C:\Windows\system32\AUDIODG.EXE 0x9d8
User: NT AUTHORITY\LOCAL SERVICE

About the "Could not access" errors for chrome.exe and opera.exe - wow! Each time I ran the tool and tried to find the PID using ProcExplorer, I was not able to find those! I've also seen that chrome/opera are constantly creating and deleting processes.
Might that be the case?
Also a side note: all chrome/opera processes are running under my local (non-admin) user.
So might it be the case that you start scanning a process and during the scan this process is killed by the browser due to its internal kitchen?

and last question on this case:

Scanning PID: 12572 : Clock7.exe
[-] Section 0: out ouf bounds, skipping...

Could you explain a bit more, please?
This is an extremely small (1 KB PE64) digital clock, a nice tool that shows a transparent clock on the Desktop.

@greenozon
Author

And one more question: could you print more info in case of the "[!] Could not access" issue?
E.g. GetLastError() or so.

@hasherezade
Owner

@greenozon - I will add better error reporting. In the meantime, could you please try scanning each of the problematic processes with PE-sieve? It is the engine used by HollowsHunter. It scans only one process at a time, but has extended reporting of errors.
It is very much possible that it cannot access the process because it terminated before the scan completed.
Regarding Clock7.exe - can you share this application? I will take a look.

@greenozon
Author

Gave it a try,
but generally the thing is that the pe-sieve tool works with a single PID per run.
It means I can't catch that nasty open/close issue with this tool...
BTW, while reading the logs out of it I've seen

[-] Could not set debug privilege

Is it just an informational message, or are you skipping some deeper functionality?

Clock7 attached;
hope you'll enjoy this small piece of mastership!

BTW, the tool did not give more info than before... ([-] Section 0:  out ouf bounds, skipping...)

C:\Prg\Hiteq\pe\PeBear>pe-sieve.exe /pid 12920
PID: 12920
Output filter: no filter: dump everything (default)
Dump mode: autodetect (default)
[-] Could not set debug privilege
[*] Using raw process!
[-] Section 0:  out ouf bounds, skipping...
[*] Scanning: C:\Prg\inet\crypto\certs\Clock7.exe
[*] Scanning: C:\Windows\System32\ntdll.dll
[*] Scanning: C:\Windows\System32\kernel32.dll
[*] Scanning: C:\Windows\System32\KERNELBASE.dll
[*] Scanning: C:\Windows\System32\gdi32.dll
[*] Scanning: C:\Windows\System32\user32.dll
[*] Scanning: C:\Windows\System32\lpk.dll
[*] Scanning: C:\Windows\System32\usp10.dll
[*] Scanning: C:\Windows\System32\msvcrt.dll
[*] Scanning: C:\Windows\System32\imm32.dll
[*] Scanning: C:\Windows\System32\msctf.dll
[*] Scanning: C:\Windows\System32\nvinitx.dll
[*] Scanning: C:\Windows\System32\version.dll
[*] Scanning: C:\Windows\System32\advapi32.dll
[*] Scanning: C:\Windows\System32\sechost.dll
[*] Scanning: C:\Windows\System32\rpcrt4.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\detoured.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrapx.dll
[*] Scanning: C:\Windows\System32\setupapi.dll
[*] Scanning: C:\Windows\System32\cfgmgr32.dll
[*] Scanning: C:\Windows\System32\oleaut32.dll
[*] Scanning: C:\Windows\System32\ole32.dll
[*] Scanning: C:\Windows\System32\devobj.dll
[*] Scanning: C:\Program Files\NVIDIA Corporation\CoProcManager\nvdxgiwrapx.dll
[*] Scanning: C:\Windows\winsxs\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.27361_none_145bfe468b8fc347\GdiPlus.dll
[*] Scanning: C:\Windows\System32\uxtheme.dll
[*] Scanning: C:\Windows\System32\dwmapi.dll
[*] Scanning: C:\Windows\System32\CRYPTBASE.dll
Scanning workingset: 199 memory regions.
[*] Workingset scanned in 16 ms.
[+] Report dumped to: process_12920
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\140000000.Clock7.exe as VIRTUAL
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77490000.kernel32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefd360000.KERNELBASE.dll as REALIGNED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefe9a0000.gdi32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\77390000.user32.dll as UNMAPPED
[*] Dumped module to: C:\Prg\Hiteq\pe\PeBear\\process_12920\7fefde20000.ole32.dll as UNMAPPED
[+] Dumped modified to: process_12920
[+] Report dumped to: process_12920
---
PID: 12920
---
SUMMARY:

Total scanned:      28
Skipped:            0
-
Hooked:             6
Replaced:           0
Hdrs Modified:      0
IAT Hooks:          0
Implanted:          0
Unreachable files:  0
Other:              0
-
Total suspicious:   6
---

Clock7.zip

@greenozon
Author

Could you also explain the goal of .tag file, eg:

8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3

@hasherezade
Owner

Could you also explain the goal of .tag file, eg:

8b90;D3DKMTQueryAdapterInfo->7fefd3501f0;5
8b95;patch_1;3
bde0;D3DKMTGetDisplayModeList->7fefd3501b8;5
bde5;patch_3;3

It is explained on PE-sieve Wiki, check it out: https://github.com/hasherezade/pe-sieve/wiki/3.1.-Investigating-hooks-and-patches

@hasherezade
Owner

Clock7 attached; hope you'll enjoy this small piece of mastership!

btw, the tool did not tell more info besides as before... ([-] Section 0: out ouf bounds, skipping...)

Clock7.zip

Thank you! I checked your clock application, it is indeed very nice. It looks like it is written in pure assembly, is it?
Also, I understood why it was showing that message - this executable has an atypical alignment of sections. And also, the raw size of the section defined in the header was going beyond the file size.

[image: sections]

I fixed my library to better handle such cases, so from now on this message is not gonna be shown.
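The out-of-bounds raw section described above, as an added example that is not PE-sieve's or HollowsHunter's own code: a small Python check that walks the section table of a constructed PE32+ header (assumed to mirror the Clock7.exe case, not the real file) and clamps each section's raw range to the file size instead of skipping the section.

```python
import struct

SECTION_HDR_SIZE = 40  # sizeof(IMAGE_SECTION_HEADER)


def build_sample(file_size=0x200, raw_ptr=0x100, raw_size=0x1000):
    # Constructed, not a real executable: just enough PE32+ header to reach the
    # section table, with one section whose declared raw size overruns the file
    # (assumed to mirror the Clock7.exe case described in the thread).
    buf = bytearray(file_size)
    buf[0:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x40)       # e_lfanew: PE header at 0x40
    buf[0x40:0x44] = b"PE\0\0"
    struct.pack_into("<H", buf, 0x46, 1)          # FileHeader.NumberOfSections
    struct.pack_into("<H", buf, 0x54, 0xF0)       # FileHeader.SizeOfOptionalHeader
    sec = 0x40 + 24 + 0xF0                        # first IMAGE_SECTION_HEADER
    buf[sec:sec + 8] = b".text\0\0\0"
    struct.pack_into("<II", buf, sec + 8, raw_size, 0x1000)    # VirtualSize, VirtualAddress
    struct.pack_into("<II", buf, sec + 16, raw_size, raw_ptr)  # SizeOfRawData, PointerToRawData
    return bytes(buf)


def section_raw_ranges(data):
    # Walk the section table; for each section return the raw range the header
    # declares next to the range that is actually backed by file bytes.
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    num_sections = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    table = pe_off + 24 + opt_size
    sections = []
    for i in range(num_sections):
        hdr = table + i * SECTION_HDR_SIZE
        if hdr + SECTION_HDR_SIZE > len(data):
            raise ValueError("section table truncated")
        name = data[hdr:hdr + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, hdr + 16)
        declared_end = raw_ptr + raw_size
        # Clamp to the file size instead of skipping the section: the bytes that
        # do exist are still worth scanning, and the overrun is worth reporting.
        sections.append({"name": name, "raw_start": min(raw_ptr, len(data)),
                         "raw_end": min(declared_end, len(data)),
                         "declared_end": declared_end,
                         "out_of_bounds": declared_end > len(data)})
    return sections
```

Running `section_raw_ranges(build_sample())` flags the only section as out of bounds (declared end 0x1100 in a 0x200-byte file) while still reporting the 0x100..0x200 range that can be read.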

@hasherezade
Owner

@greenozon - finally, I made a new test build - please have a look:

hollows_hunter64_test.zip

It has a new parameter added: /report, with the help of which you can define whether you want to generate a report with details for the executables that failed to be scanned.

[image: report]

The report looks like this:

[image: error_Report]

@greenozon
Author

Thanks a bunch!
The PE-sieve Wiki is really great stuff indeed!

Just tried the test build, looks good, thanks!

The only thing is it does not love TeamViewer ;)

[image]

But it starts to love Clock7.exe!

Thanks!

@hasherezade
Owner

@greenozon - I am happy that it helped! What did it find in TeamViewer? Can you show me the report? Maybe it has some system shims, or other hooks installed? This is also documented on the Wiki: https://github.com/hasherezade/pe-sieve/wiki/1.-FAQ#pe-sieve-gives-me-a-lot-of-false-positives-why
And did the last build help you to find out the reason why those processes could not be accessed by the scan?

@greenozon
Author

I'm happy as well!
Here are the files for PID 4224:
dump_report.json
scan_report.json

@greenozon
Author

Well, about the processes - chrome/opera are being created/closed for no reason during the scan, so I guess that's fine.

@hasherezade
Owner

I'm happy as well! Here are the files for PID 4224: dump_report.json scan_report.json

Thank you! Is this report generated with the option /report 7 (all scanned)?

I see TeamViewer got flagged because the file C:\\Windows\\TEMP\\nsbAFA3.tmp\\TvUpdateInfo.exe - from which the executable was run - could not be retrieved from the disk. It is in the TEMP directory, so I guess it was unpacked there by some installer, run, and then possibly moved to a different location. Such cases are sometimes suspicious, but it is clearly benign here. You can filter this application out from the scan.

What report did you get in case of chrome/opera? Error: Invalid parameter?

@greenozon
Author

E.g.:

 {
  "pid" : 19268,
  "err_message" : "Could not open the process: Invalid Parameter"
 }


 {
  "pid" : 19360,
  "err_message" : "Could not enumerate modules. Could not query the working set. "
 }

(The one below is OK, I guess, as it runs under NT AUTHORITY\LOCAL SERVICE.)
 {
  "pid" : 16108,
  "err_message" : "Could not open the process: Access Denied"
 }


Heh, the TV process from Windows TEMP is gone!..
Maybe it was some temp process like a check for updates, etc.

@hasherezade
Owner

E.g.:

 {
  "pid" : 19268,
  "err_message" : "Could not open the process: Invalid Parameter"
 }


 {
  "pid" : 19360,
  "err_message" : "Could not enumerate modules. Could not query the working set. "
 }

(The one below is OK, I guess, as it runs under NT AUTHORITY\LOCAL SERVICE.)
 {
  "pid" : 16108,
  "err_message" : "Could not open the process: Access Denied"
 }

Thanks! Yes, those processes exited before the scan completed - so it seems as you described. "Could not open the process: Invalid Parameter" - the process had terminated before the scan started, so the PID was invalid; "Could not enumerate modules. Could not query the working set." - the PID was valid at the moment of opening the process, but the process terminated soon after, and it was not possible to query the working set and the modules.

Heh, the TV process from Windows TEMP is gone!.. Maybe it was some temp process like a check for updates, etc.

Yes, it must be an updater - as the name says: TvUpdateInfo.exe. And it was probably autodownloaded and dropped in the TEMP.
Ok then, if everything is fine, I am gonna merge those changes soon to the main branch. You will be able to download the updated version from the AppVeyor server.

@greenozon
Author

Nice collaboration, that was a ton of focus and love, thank you!
Feel free to close the ticket.

hasherezade added a commit that referenced this issue Oct 31, 2024
@hasherezade
Owner

Thank you too! Now the changes are merged, and I added some fixes. You can get the latest version from the AppVeyor build server - there is a tab "Artifacts".

@greenozon
Author

Thanks!
All of a sudden I've got a crazy idea/question: is it possible to build the binary on a Linux host (e.g. Ubuntu)?
I've seen the mingw_build.sh shell script, but it seems it is for mingw/Windows?

@hasherezade
Owner

@greenozon - yes, it is possible to build HH on Linux - but of course the produced binary will be dedicated to run on Windows. I did some cleanup recently that fixed compatibility issues, so you can pull the latest version if you wanna try. There is still one problem that I haven't fixed yet - it occurs on the attempt to compile the resource files:

[image: rc_issue]

But when I re-run the ./mingw_build.sh for the second time, it continues, and finally we get the binary.

[image: hh_ubuntu]

Another issue is that the ETW option won't work - because the KrabsETW library supports Visual Studio only.

@greenozon
Author

For some reason I'm not able to build hollows_hunter on Ubuntu using the mingw toolchain.
I guess it's time for a new ticket, right?

And another issue - I see tons of warnings and your pic is super clean; is it from Windows?

@hasherezade
Owner

For some reason I'm not able to build hollows_hunter on Ubuntu using the mingw toolchain. I guess it's time for a new ticket, right?

Yes, let's talk about it in another ticket.
