I recently had the opportunity to review some data from a supposedly "hacked" box. One of the things I ran into was the difficulty of parsing through data from various tools. For example, to get a good picture of what's going on on an NT/2K system, I'd run handle.exe, pslist.exe, listdlls.exe, fport.exe and 'netstat -an'. But how to parse through all that? I found that printing it out and going back and forth between pages could be tedious.

What I did was write a script called 'procdmp.pl'. It's located here:

http://patriot.net/~carvdawg/perl.html

You use it like this...you run each tool, redirecting the output to a file. When you run handle.exe, the command looks like this:

handle > handle.log

(NOTE: In this iteration of the script, file names are hard coded.)

When you launch the script, it will parse through the data and return an HTML file containing tables for each process. The tables contain the process name and PID, the command line for the process, the user context, and (if any) open ports and connections.

I'm providing it for those who want to use it. I thought that after reading many of the posts here that it might be useful.

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
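The correlation the post describes (join the per-tool dumps on PID, then emit one table per process) as an added Python example; this is not procdmp.pl and not the author's code. The pslist and fport samples are constructed here in the general shape of those tools' output, and the PID-1000 row that appears only in the fport sample shows how a listener with no matching process row is still reported rather than silently dropped.

```python
import re
from html import escape

# Constructed sample shaped like pslist.exe output (not captured from a real host).
PSLIST_SAMPLE = r"""
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
System                8   8  33  189      0     0:00:01.031     0:10:00.000
svchost             392   8   9  236   1348     0:00:00.015     0:09:58.000
srvc                712   8   1   31    244     0:00:00.000     0:00:12.000
"""

# Constructed sample shaped like fport.exe output (PID -> port mapping).
FPORT_SAMPLE = r"""
Pid   Process            Port  Proto Path
8     System         ->  139   TCP
392   svchost        ->  135   TCP   C:\WINNT\system32\svchost.exe
712   srvc           ->  1234  TCP   C:\temp\srvc.exe
1000  dllhost        ->  500   UDP
"""

def parse_pslist(text):
    """Map PID -> record from rows of the form: name, pid, then numeric columns."""
    procs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S+)\s+(\d+)\s+\d+", line)  # header/banner lines do not match
        if m:
            procs[int(m.group(2))] = {"name": m.group(1), "ports": [], "path": ""}
    return procs

def parse_fport(text):
    """Yield (pid, name, port, proto, path) from rows of the form: pid name -> port proto [path]."""
    for line in text.splitlines():
        m = re.match(r"^(\d+)\s+(\S+)\s+->\s+(\d+)\s+(TCP|UDP)\s*(.*)$", line)
        if m:
            yield int(m.group(1)), m.group(2), int(m.group(3)), m.group(4), m.group(5).strip()

def correlate(pslist_text, fport_text):
    """Attach each listening port to its process by PID; PIDs unknown to pslist are flagged."""
    procs = parse_pslist(pslist_text)
    for pid, name, port, proto, path in parse_fport(fport_text):
        entry = procs.setdefault(pid, {"name": f"{name} (not in pslist)", "ports": [], "path": ""})
        entry["ports"].append(f"{proto}/{port}")
        if path:
            entry["path"] = path
    return procs

def to_html(procs):
    """One small table per process, in the spirit of the report the post describes."""
    out = ["<html><body>"]
    for pid in sorted(procs):
        p = procs[pid]
        out.append(f"<table border=1><tr><th>{escape(p['name'])} (PID {pid})</th></tr>")
        out.append(f"<tr><td>Path: {escape(p['path']) or 'n/a'}</td></tr>")
        out.append(f"<tr><td>Ports: {escape(', '.join(p['ports'])) or 'none'}</td></tr></table>")
    out.append("</body></html>")
    return "\n".join(out)
```

Writing `to_html(correlate(open("pslist.log").read(), open("fport.log").read()))` to a file gives the per-process report; handle.exe and listdlls.exe output would be joined the same way once parsed into PID-keyed records.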
This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:37:41 PDT