From Collaborative RCE Tool Library
File Monitoring Tools
| Tool name: | Buster Sandbox Analyzer |
|---|---|
| Author: | Buster |
| Website: | http://bsa.qnea.de |
| Current version: | 1.03 |
| Last updated: | December 07, 2009 |
| Direct D/L link: | Locally archived copy |
| License type: | Free |
| Description: | Buster Sandbox Analyzer is a tool designed to analyze the behaviour of sandboxed processes and the changes they make to the system, and then evaluate whether that behaviour is suspicious of malware. The changes made to the system can be of several types: file system changes, registry changes and port changes. A file system change happens when a file is created, deleted or modified. Depending on what type of file has been created (executable, library, JavaScript, batch, etc.) and where it was created (which folder), we will be able to get valuable information. Registry changes are those made to the Windows registry; here we can get valuable information from the modified values and from the newly created or deleted registry keys. Port changes are produced when a connection is made outward, to other computers, or when a port is opened locally and starts listening for incoming connections. From all these changes we obtain the information necessary to evaluate the "risk" of some of the actions taken by sandboxed applications. Watching all these operations in an easy and safe manner is possible thanks to Sandboxie (http://sandboxie.com), an excellent tool created by Ronen Tzur. Even if Buster Sandbox Analyzer's main goal is to decide whether sandboxed processes behave like malware, the tool can also be used simply to obtain a list of changes made to the system, so if you install a piece of software you will know exactly what it installs and where. Additionally, apart from system changes, other actions can be considered suspicious of malware: keyboard logging, ending the Windows session, loading a driver, starting a service, connecting to the Internet, etc. All of the above operations can be considered non-malicious, but if they are performed when not expected, that is something we must take into consideration. Therefore it is not only important to consider what actions are performed; it is also important to consider whether it is reasonable for certain actions to be performed. |
| Also listed in: | File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes |
| Tool name: | SysAnalyzer |
|---|---|
| Author: | David Zimmer (iDefense Labs) |
| Website: | http://labs.idefense.com/files/labs/releases/previews/SysAnalyzer/ |
| Current version: | |
| Last updated: | January 19, 2007 |
| Direct D/L link: | http://labs.idefense.com/software/download/?downloadID=15 |
| License type: | GPL2 |
| Description: | SysAnalyzer is an automated malcode run time analysis application that monitors various aspects of system and process states. SysAnalyzer was designed to enable analysts to quickly build a comprehensive report as to the actions a binary takes on a system. SysAnalyzer can automatically monitor and compare: running processes; open ports; loaded drivers; injected libraries; key registry changes; APIs called by a target process; file modifications; and HTTP, IRC and DNS traffic. SysAnalyzer also comes with a ProcessAnalyzer tool which can perform the following tasks: create a memory dump of the target process; parse the memory dump for strings; parse the strings output for exe, reg and url references; and scan the memory dump for known exploit signatures. Full GPL source for SysAnalyzer is included in the installation package. |
| Also listed in: | Disk Monitoring Tools, Registry Monitoring Tools, Network Monitoring Tools, Install Monitoring Tools, API Monitoring Tools, Memory Dumpers |
| Tool name: | FileMon |
|---|---|
| Author: | Mark Russinovich and Bryce Cogswell |
| Website: | http://www.microsoft.com/technet/sysinternals/FileAndDisk/Filemon.mspx |
| Current version: | 7.04 |
| Last updated: | November 1, 2006 |
| Direct D/L link: | N/A |
| License type: | Free |
| Description: | FileMon monitors and displays file system activity on a system in real time. Its advanced capabilities make it a powerful tool for exploring the way Windows works, seeing how applications use files and DLLs, or tracking down problems in system or application file configurations. Filemon's timestamping feature will show you precisely when every open, read, write or delete happens, and its status column tells you the outcome. FileMon is so easy to use that you'll be an expert within minutes. It begins monitoring when you start it, and its output window can be saved to a file for off-line viewing. It has full search capability, and if you find that you're getting information overload, simply set up one or more filters. Note: Filemon and Regmon have been replaced by Process Monitor on versions of Windows starting with Windows 2000 SP4, Windows XP SP2, Windows Server 2003 SP1, and Windows Vista. Filemon and Regmon remain for legacy operating system support, including Windows 9x. |
| Also listed in: | (Not listed in any other category) |
| Tool name: | LSOF |
|---|---|
| Author: | Victor A. Abell |
| Website: | http://people.freebsd.org/~abe/ |
| Current version: | |
| Last updated: | |
| Direct D/L link: | N/A |
| License type: | Free / Open Source |
| Description: | The lsof (LiSt Open Files) diagnostic and forensics tool lists information about any files that are held open by processes currently running on the system. It can also list the communication sockets opened by each process. |
| Also listed in: | Network Monitoring Tools |
| Tool name: | Process Monitor |
|---|---|
| Author: | Mark Russinovich and Bryce Cogswell |
| Website: | http://www.microsoft.com/technet/sysinternals/FileAndDisk/processmonitor.mspx |
| Current version: | 2.7 |
| Last updated: | September 18, 2009 |
| Direct D/L link: | http://download.sysinternals.com/Files/ProcessMonitor.zip |
| License type: | Free |
| Description: | Process Monitor is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It combines the features of two legacy Sysinternals utilities, Filemon and Regmon, and adds an extensive list of enhancements including rich and non-destructive filtering, comprehensive event properties such as session IDs and user names, reliable process information, full thread stacks with integrated symbol support for each operation, simultaneous logging to a file, and much more. Its uniquely powerful features will make Process Monitor a core utility in your system troubleshooting and malware hunting toolkit. |
| Also listed in: | Process Monitoring Tools, Registry Monitoring Tools |
| Tool name: | SandboxDiff |
|---|---|
| Author: | majoMo (Rui Morais) |
| Website: | N/A |
| Current version: | 2.0 |
| Last updated: | May 13, 2010 |
| Direct D/L link: | Locally archived copy |
| License type: | Freeware |
| Description: | SandboxDiff allows tracking changes to the Registry and to files when using Sandboxie (an amazing application created by Ronen Tzur). All Registry entries and file system objects created or modified by a sandboxed program (or by any sandboxed action) are monitored and listed by SandboxDiff. Very useful when users want to know, before installing an application, all the changes the installer makes to the Registry and file system. |
| Also listed in: | File System Diff Tools, Install Monitoring Tools, Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools |
| Tool name: | Sandboxie |
|---|---|
| Author: | Ronen Tzur |
| Website: | http://www.sandboxie.com |
| Current version: | 3.42 |
| Last updated: | December 1, 2009 |
| Direct D/L link: | N/A |
| License type: | Shareware |
| Description: | Sandboxie runs your programs in an isolated space which prevents them from making permanent changes to other programs and data in your computer. You can also access all the changes that were made during the program execution. |
| Also listed in: | File System Diff Tools, Network Monitoring Tools, Registry Diff Tools, Registry Monitoring Tools, X86 Sandboxes |