parsing output from tools

From: H C (keydet89at_private)
Date: Tue May 28 2002 - 18:35:05 PDT


    I recently had the opportunity to review some data
    from a supposedly "hacked" box.  One of the things I
    ran into was the difficulty of parsing through data
    from various tools.  For example, to get a good
    picture of what's going on on an NT/2K system, I'd run
    handle.exe, pslist.exe, listdlls.exe, fport.exe and
    'netstat -an'.  But how to parse through all that?  I
    found that printing it out and going back and forth
    between pages could be tedious.
    
    What I did was write a script called 'procdmp.pl'. 
    It's located here:
    
    http://patriot.net/~carvdawg/perl.html
    
    You use it like this...you run each tool, redirecting
    the output to a file.  When you run handle.exe, the
    command looks like this:
    
    handle > handle.log
    
    (NOTE: In this iteration of the script, file names are
    hard coded.)
    
    When you launch the script, it will parse through the
    data and return an HTML file containing tables for
    each process.  The tables contain the process name and
    PID, the commandline for the process, the user
    context, and (if any) open ports and connections.
    
    I'm providing it for those who want to use it.  I thought
    that after reading many of the posts here that it
    might be useful.
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
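The correlation procdmp.pl performs, as an added example written for this archive page and not the author's script: it takes the redirected output of pslist, fport and 'netstat -an', groups ports and connections under each PID, and emits one HTML table per process. The three log strings are constructed samples shaped like those tools' output (column layout is an approximation, and real captures vary by tool version); handle.exe and listdlls.exe, which the post uses for the user context and command line, are left out because their formats are not shown here. It also keeps two things a reviewer wants flagged rather than silently dropped: a PID that fport saw but pslist did not (the tools run one after another, so the process table can shift between snapshots), and a socket that no tool attributed to a PID.

```python
import re
from html import escape

# Constructed sample logs shaped like pslist, fport and 'netstat -an' output on NT/2K.
# Column spacing and header text are approximations; real captures vary by tool version.
PSLIST_LOG = """\
Name                Pid Pri Thd  Hnd   Priv        CPU Time    Elapsed Time
Idle                  0   0   1    0      0     0:09:11.062     0:00:00.000
lsass               228   9  14  300   1500     0:00:00.300     1:02:05.000
svchost             392   8  10  200   1040     0:00:00.120     1:02:03.000
inetinfo            812   8  25  500   8100     0:00:01.050     1:02:00.000
"""

FPORT_LOG = """\
FPort v2.0 - TCP/IP Process to Port Mapper

Pid   Process            Port  Proto Path
228   lsass          ->  500   UDP   C:\\WINNT\\system32\\lsass.exe
392   svchost        ->  135   TCP   C:\\WINNT\\system32\\svchost.exe
812   inetinfo       ->  80    TCP   C:\\WINNT\\system32\\inetsrv\\inetinfo.exe
"""

NETSTAT_LOG = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:51234     ESTABLISHED
  UDP    0.0.0.0:500            *:*
"""

# name pid pri thd hnd priv ...      (header line has no numeric PID, so it is skipped)
PSLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\d+\s+\d+\s+\d+\s+\d+\s", re.M)
# pid process -> port proto path
FPORT_RE = re.compile(r"^(\d+)\s+\S+\s+->\s+(\d+)\s+(TCP|UDP)\s+(.+?)\s*$", re.M)
# proto local foreign [state]       (UDP rows carry no state column)
NETSTAT_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)(?:\s+(\S+))?\s*$", re.M)


def parse_pslist(text):
    """pid -> process name."""
    return {int(m.group(2)): m.group(1) for m in PSLIST_RE.finditer(text)}


def parse_fport(text):
    """(proto, port) -> (pid, image path)."""
    return {(m.group(3), int(m.group(2))): (int(m.group(1)), m.group(4))
            for m in FPORT_RE.finditer(text)}


def parse_netstat(text):
    """List of sockets; state is '' for UDP, which has none."""
    sockets = []
    for m in NETSTAT_RE.finditer(text):
        proto, local, foreign, state = m.groups()
        sockets.append({"proto": proto, "port": int(local.rsplit(":", 1)[1]),
                        "local": local, "foreign": foreign, "state": state or ""})
    return sockets


def correlate(pslist, fport, sockets):
    """Group everything by PID. Returns (per-process records, sockets that no
    tool attributed to a PID). A PID seen by fport but absent from pslist is
    kept under a placeholder name instead of being dropped."""
    def blank(name):
        return {"name": name, "path": "", "ports": [], "connections": []}
    procs = {pid: blank(name) for pid, name in pslist.items()}
    for (proto, port), (pid, path) in sorted(fport.items()):
        rec = procs.setdefault(pid, blank("(not in pslist)"))
        rec["path"] = path
        rec["ports"].append(f"{port}/{proto}")
    unattributed = []
    for s in sockets:
        owner = fport.get((s["proto"], s["port"]))
        if owner is None:
            unattributed.append(s)
            continue
        procs[owner[0]]["connections"].append(
            f'{s["local"]} -> {s["foreign"]} {s["state"]}'.rstrip())
    return procs, unattributed


def render_html(procs, unattributed):
    """One table per process, plus a list of sockets nobody claimed."""
    out = ["<html><body>"]
    for pid in sorted(procs):
        p = procs[pid]
        out.append(f"<h3>{escape(p['name'])} (PID {pid})</h3><table border=1>")
        out.append(f"<tr><td>Path</td><td>{escape(p['path'])}</td></tr>")
        out.append(f"<tr><td>Ports</td><td>{escape(', '.join(p['ports']))}</td></tr>")
        conns = "; ".join(p["connections"]) or "none"
        out.append(f"<tr><td>Connections</td><td>{escape(conns)}</td></tr></table>")
    if unattributed:
        out.append("<h3>Sockets not attributed to any PID</h3><ul>")
        out += [f"<li>{escape(s['proto'])} {escape(s['local'])} {escape(s['state'])}</li>"
                for s in unattributed]
        out.append("</ul>")
    out.append("</body></html>")
    return "\n".join(out)


def build_report(pslist_text=PSLIST_LOG, fport_text=FPORT_LOG, netstat_text=NETSTAT_LOG):
    procs, left = correlate(parse_pslist(pslist_text), parse_fport(fport_text),
                            parse_netstat(netstat_text))
    return render_html(procs, left)


if __name__ == "__main__":
    # With real captures, read pslist.log, fport.log and netstat.log here instead.
    print(build_report())
```

The unattributed list matters on a box under review: the post's approach is to compare tools against each other, and a listening socket in netstat output that fport could not map to any process is exactly the kind of discrepancy the cross-referenced tables are meant to surface.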
    



    This archive was generated by hypermail 2b30 : Wed May 29 2002 - 08:37:41 PDT