
Thread: Malware creates new thread, how do I follow it?

  1. #1
    Resource (Guest)

    Malware creates new thread, how do I follow it?

    Hi

    I've got some malware I'm taking apart. It creates about four threads, each called svchosts.exe, which ARE NOT real svchosts.exe's. They are their own individual processes.

    My problem is, I am trying to trace all the API calls the parent AND child processes are making. However, all I can find are applications that will trace the parent process.

    Once the malware parent process creates the new thread/process, the parent stops. Is there an application, kind of like strace in Linux, that offers the "FORK" option to follow forks or new processes created by a parent process in Windows32?

    The main thing it needs to do is follow new processes created by the parent and monitor their API calls.

    Thanks.

  2. #2
    Kayaker (Teach, Not Flame)
    Join Date: Oct 2000
    Posts: 4,079
    Blog Entries: 5
    You could try WinDbg .childdbg (Debug Child Processes)


    There is a similar plugin for Olly, Modified Command Line Plugin by anonymouse. Unfortunately the latest version

    http://www.woodmann.com/collaborative/tools/index.php/Modified_Command_Line_Plugin

    doesn't contain the childdbg option, but it's open source and you could add the modification if desired, which is given here:

    https://www.openrce.org/blog/view/1247/childdbg_added_to_my_modified_cmdline_plugin_for_ollydbg


    If using SoftICE you could set a breakpoint on BaseProcessStart and it should break for each new process instance.

    http://www.woodmann.com/forum/showthread.php?t=12613

    There are probably some other tricks other people use as well.
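Added example, not code from either post above: the "follow forks" behaviour that WinDbg's .childdbg and the Olly plugin switch on is a flag of the Win32 debug API itself, so a small debugger loop can do it directly. The script below starts the target with DEBUG_PROCESS instead of DEBUG_ONLY_THIS_PROCESS, then services WaitForDebugEvent for the parent and every process it creates, logging process, thread and DLL events and keeping the loop alive after the parent exits until the last child is gone. It uses only documented kernel32 calls; the sample command line "cmd.exe /c whoami" is an arbitrary target chosen because cmd.exe spawns a child, and the process bookkeeping is kept in pure Python so that part runs on any platform.

```python
"""strace -f on Windows: debug a process and every process it spawns.
Added example, not code from the thread; it uses only the documented kernel32
debugging API. The bookkeeping is pure Python; trace() itself needs Windows."""
import ctypes
import sys
from ctypes import POINTER, Structure, c_uint16, c_uint32, c_void_p, c_wchar_p

# CreateProcess flags: DEBUG_PROCESS also attaches to every child process the
# target creates (the "follow forks" option); DEBUG_ONLY_THIS_PROCESS does not.
DEBUG_PROCESS, DEBUG_ONLY_THIS_PROCESS = 0x1, 0x2
# dwDebugEventCode values returned by WaitForDebugEvent
EXCEPTION_DEBUG_EVENT, CREATE_THREAD_DEBUG_EVENT, CREATE_PROCESS_DEBUG_EVENT = 1, 2, 3
EXIT_THREAD_DEBUG_EVENT, EXIT_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT = 4, 5, 6
EXCEPTION_BREAKPOINT, INFINITE = 0x80000003, 0xFFFFFFFF
DBG_CONTINUE, DBG_EXCEPTION_NOT_HANDLED = 0x00010002, 0x80010001
LOG_KIND = {CREATE_THREAD_DEBUG_EVENT: "thr+", LOAD_DLL_DEBUG_EVENT: "dll"}

def creation_flags(follow_children):
    """Choose the flag that makes the debugger follow child processes."""
    return DEBUG_PROCESS if follow_children else DEBUG_ONLY_THIS_PROCESS

def continue_status(exception_code):
    """Swallow the initial loader breakpoint; hand other exceptions back."""
    return DBG_CONTINUE if exception_code == EXCEPTION_BREAKPOINT else DBG_EXCEPTION_NOT_HANDLED

class ProcessTracker:
    """Which debuggee pids are alive, and when the loop may stop: the parent may
    exit while its children run, so we continue until the last pid has exited."""

    def __init__(self):
        self.live, self.started = set(), False
        self.log = []  # (kind, pid, tid, detail)

    def on_event(self, code, pid, tid, detail=None):
        """Record one debug event; return True while any debuggee is alive."""
        if code == CREATE_PROCESS_DEBUG_EVENT:
            self.started = True
            self.live.add(pid)
            self.log.append(("proc+", pid, tid, detail))
        elif code == EXIT_PROCESS_DEBUG_EVENT:
            self.live.discard(pid)
            self.log.append(("proc-", pid, tid, detail))
        elif code in LOG_KIND:
            self.log.append((LOG_KIND[code], pid, tid, detail))
        return not self.started or bool(self.live)

class DEBUG_EVENT(Structure):
    # a pointer array stands in for the event union: right alignment, big enough
    _fields_ = [("dwDebugEventCode", c_uint32), ("dwProcessId", c_uint32),
                ("dwThreadId", c_uint32), ("u", c_void_p * 32)]

class STARTUPINFOW(Structure):
    _fields_ = ([("cb", c_uint32)] + [(n, c_wchar_p) for n in ("lpReserved", "lpDesktop", "lpTitle")]
                + [(n, c_uint32) for n in ("dwX", "dwY", "dwXSize", "dwYSize", "dwXCountChars",
                                           "dwYCountChars", "dwFillAttribute", "dwFlags")]
                + [("wShowWindow", c_uint16), ("cbReserved2", c_uint16)]
                + [(n, c_void_p) for n in ("lpReserved2", "hStdInput", "hStdOutput", "hStdError")])

class PROCESS_INFORMATION(Structure):
    _fields_ = [("hProcess", c_void_p), ("hThread", c_void_p),
                ("dwProcessId", c_uint32), ("dwThreadId", c_uint32)]

def trace(cmdline, follow_children=True):
    """Run cmdline under the debug loop (Windows only); return the event log."""
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.CreateProcessW.argtypes = [c_wchar_p, c_wchar_p, c_void_p, c_void_p, ctypes.c_int,
                                   c_uint32, c_void_p, c_wchar_p,
                                   POINTER(STARTUPINFOW), POINTER(PROCESS_INFORMATION)]
    k32.WaitForDebugEvent.argtypes = [POINTER(DEBUG_EVENT), c_uint32]
    k32.ContinueDebugEvent.argtypes = [c_uint32, c_uint32, c_uint32]
    k32.CloseHandle.argtypes = [c_void_p]
    si, pi = STARTUPINFOW(), PROCESS_INFORMATION()
    si.cb = ctypes.sizeof(si)
    cmd = ctypes.create_unicode_buffer(cmdline)  # lpCommandLine must be writable
    if not k32.CreateProcessW(None, cmd, None, None, False, creation_flags(follow_children),
                              None, None, ctypes.byref(si), ctypes.byref(pi)):
        raise ctypes.WinError(ctypes.get_last_error())
    k32.CloseHandle(pi.hProcess)
    k32.CloseHandle(pi.hThread)
    tracker, ev, running = ProcessTracker(), DEBUG_EVENT(), True
    while running:
        if not k32.WaitForDebugEvent(ctypes.byref(ev), INFINITE):
            raise ctypes.WinError(ctypes.get_last_error())
        code, pid, tid = ev.dwDebugEventCode, ev.dwProcessId, ev.dwThreadId
        status, detail = DBG_CONTINUE, None
        first_dword = ctypes.cast(ev.u, POINTER(c_uint32))[0]
        if code == EXCEPTION_DEBUG_EVENT:          # union starts with EXCEPTION_RECORD
            status = continue_status(first_dword)  # .ExceptionCode
        elif code == EXIT_PROCESS_DEBUG_EVENT:
            detail = first_dword                   # dwExitCode
        elif code in (CREATE_PROCESS_DEBUG_EVENT, LOAD_DLL_DEBUG_EVENT):
            base = ev.u[3] if code == CREATE_PROCESS_DEBUG_EVENT else ev.u[1]
            detail = hex(base or 0)                # lpBaseOfImage / lpBaseOfDll
            k32.CloseHandle(ev.u[0])               # hFile: the debugger must close it
        running = tracker.on_event(code, pid, tid, detail)
        k32.ContinueDebugEvent(pid, tid, status)
    return tracker.log

if __name__ == "__main__" and sys.platform == "win32":
    print(*trace(" ".join(sys.argv[1:]) or "cmd.exe /c whoami"), sep="\n")
```

Run it on a Windows box as `python trace.py target.exe` and every process the target creates with CreateProcess shows up as its own "proc+" entry; the loop keeps going after the parent's "proc-" line because the tracker only stops when no pid is left. Two caveats a practitioner should keep in mind: DEBUG_PROCESS only follows processes the debuggee creates through the normal CreateProcess path, so code that a sample injects into an already running process is not picked up, and the initial breakpoint is delivered once per new process, which is why continue_status must answer DBG_CONTINUE for it or the child would be taken down before it runs.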
