Windows User Guide.odt Guide
User Manual:
Open the PDF directly: View PDF 
.
Page Count: 9
| Download | |
| Open PDF In Browser | View PDF |
ISEC5000 - Computer Security Project Windows User guide Written by Timothy Covich I hope the solution that I have come up with will suit the needs of the client. The goal of this application is to gather information about the system, and the calls it is making in the background unbeknown to the user. It will output captured information into several formats, inducing a human readable format. There will be two ways to run the programs. The first will be to run the python scripts directly, the second will be a pre-compiled packaged windows executable that will be a simple click and run. Included files for Windows are as follows: 1. tracermon.py Tracermon is the heart of the program. It runs everything, sorts the outputs, and does all the statistical analysis. 2. tracermon-x86.exe This is a precompiled executable for Windows OS allowing for simple click-and-execute functionality for the above tracermon.py. This should avoid the need of installing any python framework and allow standalone operation. It has been built as a 32-bit application for compatibility reasons, allowing it to run on 32-bit Windows Operating Systems as well as 64-bit Windows Operating Systems. (Built using Python 3.7.1 32-bit) 3. 4. 5. 6. 7. This however, is not the primary method of running this app. It should always be run via the multiplayer.py in the root project directory. Make sure to run as Administrator. Procmon.exe Process Monitor — A GUI program written and released by Microsoft (and SysInternals) to show everything that any application is doing in the background. Used to gather information in lieu of something like strace. config.pmc The configuration file for Procmon. Listdlls.exe A command-line program also written by Microsoft (and SysInternals), that will output DLLs being used but current running applications. Windows User Guide.pdf This document, in all its glory. REDIST folder This folder will contain all the additional files and applications you would need to run on a fresh machine. Includes the Microsoft VC Redistributable Packages (x86 and x64), the Python 3.7.1 x64) setup, Procmon and ListDlls. Extra: 8. REDIST \ debug-killme.exe Mostly for my sanity. A debug executable to use when the program hangs. Will terminate the ListDlls process and allow the program to continue. Installation Guide This project runs using the Python frameworks, and specifically Python 3 implementation. Most versions of Python 3 should work, however, this has mainly been tested with Python 3.4 and 3.7. 1. Python 3.7 Included is the ‘python-3.7.1.exe’. Install that if your current system does not have a Python3 install currently (Python 3.7 is used here, although any python 3 variant should be fine). Note: see https://www.python.org/downloads/ for more information *Check the ‘Add Python 3.7 to PATH’ for easier python use You can simply use the ‘Install Now” feature, unless you wish to customise your path, or use other options. You will need to install the ‘pip’ functionality (which is checked by default) 2. Microsoft Visual Redistributable Package Included is the ‘vc_redist.x86.exe’, which should be all you need to run Python3. Note: see https://www.microsoft.com/en-US/download/details.aspx?id=52685 for more information *This is the type of error you get when you try to run python without having the vc redist installed 3. Installing the needed extra 2 addons for python — psutil and pandas from Windows Command Line Interface > python -m pip install psutil > python -m pip install pandas *This is the screen you get if you don't have these addons installed and try to run tracermon. *installing the addons. Running Details NOTE: To use the Windows portion of this project, you will need to be running a command prompt with elevated privileges, otherwise you will get popups asking you to confirm programs running multiple times. You will need to either have set your python 3 executable path already (allowing you to call just python, or python3 (depending on how it’s been setup)), or to point toward the python 3 executable yourself manually. EG: $> python tracermon.py or $> “C:\Program Files x86\Python 3\python.exe” tracermon.py Furthermore, you can give the program a custom run-time EG: $> python tracermon.py 30 In which the program will collect information for thirty seconds, before processing. Without adding any timeframe, the program will by default run for 10 seconds. Once the application has run its course, you can find all the information from the capture in organised folders within the “working” directory. They are sorted in a ISO 8601-style standard (YEAR-MONTH-DAY-HOUR-MINUTE-SECOND) into folders, so you should always be able to find your latest output. Each folder will contain several files, including a ‘raw.pml’ which contains raw-unreadable information, an ‘output.csv’ which contains all the captured data in a comma separated value style output, and a ‘statistics.txt’ which contains an overview of all calls and accompanying DLLs. Authors Notes: The statistics output is not sorted by PID at this time. They are listed in the order that they appear in the RAW output and the CSV output. I am not sure if this is an issue at this time, but I did not think it necessary or worth the extra in-program time/cycles. The way it is now, it can sometimes take longer than the allotted wait time (ie 10 seconds) as getting the DLL information can sometimes take more time than it needs, leading to a delay and extra wait. Tried to get around this with a custom timer. Probably should have given this program a better name. In hindsight the "portmanteau" of 'tracer' and 'process monitor' isn't very sexy. Because of the way windows is compared to Linux, it was initially difficult to get this project off the ground. Linux has a very well put-together system in the form of strace (and its variants). Windows does not have any of this native functionality. As I was given the honour of working on the Windows solution on my own, I went out to try to find a prepackaged solution, in the vein of strace. These solutions technically did exist in the form of NTtrace [http://www.howzatt.demon.co.uk/NtTrace/], straceNT [http://intellectualheaven.com/default.asp? BH=StraceNT], DrMemory [http://www.drmemory.org], plus a couple of others. However, none of these solutions was the magic cure-all for what I needed. They didn't work, crashes on startup, crashed the traced program, could only trace one process and hang the whole machine while doing so, or whatever else. I happened on my current solution after dismissing it earlier. Microsoft’s ‘Process Monitor’ is a beautiful GUI based program that captures calls made by the system and displays them for you in a nice little package. This was not what I was looking for however, needing a streamlined CLI-style implementation. Eventually, I learned that it could be run in a minimal fashion and its contents output in just the right way with some command line trickery. With the gift of hindsight, I could have taken a much different approach to this project. While there is no perfect Windows solution, a DIY solution would likely have been possible given various Microsoft debugging tools and many hours of reading, debugging and possibly reverse-engineering of the Ntdll.dll among other things. This solution of building something from the ground up would have probably taken more time than was given, and I am not sure a working prototype could have been ready in the time-frame. After tweaking and testing I have realised a misstep I have taken, I am only checking for DLL usage at the start of the application running. For an extended run, with things being open and accessed in the background, more DLLs and other applications may be loaded, and this is not taken into account. In a future revision of this application, I would run this at the start (as it is now) and at the end, and during also, giving you a good safety net of all things running. There is a way to list the DLLs that each program is using with a simple command line call: ‘tasklist /m /fi "imagename eq chrome.exe"’ or just ‘tasklist /m’ to list every single program running and their DLLs. This may have been a better way to go in hindsight given the enormous troubles I eventually had with ListDlls. However, I had issues getting this to work from within python. I ran into issues trying to run a CMD via python and piping the output (worked via PowerShell, but couldn't rely on it being on every machine). There may have been a better way to achieve this by writing a file then reading that file again. Tested on Windows 10 x64 and Windows 7 x64. Windows 10 x64 has been my extensive testbed for this project, and have written and tested the majority of the time. I initially had envisioned that it would run on any Windows OS, even going back as far as Windows XP, however, there were complications somewhere and I was never able to solve compatibility issues. Bugs and Quirks: Originally, I had a bug where the DLL output method would just freeze for no reason. I ended up rewriting how it was called in an effort to stop it from hanging. Tested if for a long time while adding new features and squashing bugs… It just sat here, ‘capturing’ and waiting for the ListDLLs processes to close… While it should not be an issue any longer when running the python script directly, I have included a ‘debug-killme.exe’ in the REDIST folder which will simply stop the processes running and allow the trace to continue. I got a popup once or twice telling me that part of my output was corrupt: This doesn't seem to affect the output, or the program running. Occasionally on a fresh machine install, you will get a popup when the program runs which looks similar to this: I am not sure why this shows up as I am using the /accepteula as suggested when running the program myself. A strange bug perhaps? Accept/agree to continue. On a fresh system, you are required to install the MS Visual C++ runtimes: These have been included with the project under the REDIST folder. When trying to run on Windows XP, you are greeted with an error.
Source Exif Data:
File Type : PDF File Type Extension : pdf MIME Type : application/pdf PDF Version : 1.5 Linearized : Yes Author : overlord00 Create Date : 2018:11:08 19:27:51+08:00 Modify Date : 2018:11:08 19:27:51+08:00 XMP Toolkit : Adobe XMP Core 5.4-c006 80.159825, 2016/09/16-03:31:08 Creator Tool : PScript5.dll Version 5.2.2 Producer : Acrobat Distiller 11.0 (Windows) Format : application/pdf Title : Windows User Guide.odt Creator : overlord00 Document ID : uuid:6f67054a-a8d7-4b76-9820-0cdfdda750c0 Instance ID : uuid:216adb6b-4e7b-4f39-96b2-5ca93a38e374 Page Count : 9EXIF Metadata provided by EXIF.tools