BleepingComputer.com: pevFind - Question and Answer thread

pevFind - Question and Answer thread https://bitbucket.org/BillyONeal/pevfind

#16 Billy O'Neal

Posted 18 January 2012 - 01:27 AM

Erm... oops. My bad. Dates are still being used there to break those ties. The reason that's not visible in the output is that the date being used for comparison purposes has a resolution of 100 nanosecond increments; while the date displayed has a resolution of only one second.

Billy3

#17 thisisu

Posted 20 January 2012 - 10:42 PM

Billy O'Neal, on 18 January 2012 - 01:27 AM, said:

Erm... oops. My bad. Dates are still being used there to break those ties. The reason that's not visible in the output is that the date being used for comparison purposes has a resolution of 100 nanosecond increments; while the date displayed has a resolution of only one second.

Billy3


Can you provide an example please?

#18 Billy O'Neal

Posted 20 January 2012 - 11:36 PM

----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEEG64A.dll Real date is 2012-01-05 08:22:58 and 200 nanoseconds
----a-w- 2012-01-05 08:22:58 . 2010-11-08 13:31:28 C:\Windows\system32\RTEED64A.dll Real date is 2012-01-05 08:22:58 and 100 nanoseconds

Nanoseconds aren't indicated in the output.

Billy3
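
The tie-break Billy describes, as an added illustration that is not pevFind's own code: each hit keeps a FILETIME-style count of 100-nanosecond ticks for sorting, but the log prints only whole seconds, so two hits that display identically are still ordered by the hidden ticks. The newest-first direction is assumed from the order in Billy's listing, the path tie-break is an assumption, and the tick values are constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <ctime>
#include <string>
#include <vector>

// One search hit as it is sorted: the timestamp is a FILETIME-style count of
// 100-nanosecond ticks since 1601-01-01; the log only ever prints seconds.
struct Hit {
    std::string path;
    uint64_t modified_ticks;  // 100 ns units, like a Windows FILETIME
};

// Seconds between the FILETIME epoch (1601) and the Unix epoch (1970).
constexpr uint64_t kEpochDeltaSeconds = 11644473600ULL;
constexpr uint64_t kTicksPerSecond = 10000000ULL;

// Build a tick count from a Unix time plus a sub-second remainder in ticks.
uint64_t ticks_from_unix(uint64_t unix_seconds, uint64_t extra_ticks) {
    return (unix_seconds + kEpochDeltaSeconds) * kTicksPerSecond + extra_ticks;
}

// What the log shows: ticks truncated to whole seconds, formatted as UTC.
std::string display_time(uint64_t ticks) {
    std::time_t t = static_cast<std::time_t>(ticks / kTicksPerSecond - kEpochDeltaSeconds);
    char buf[32];
    std::strftime(buf, sizeof buf, "%Y-%m-%d %H:%M:%S", std::gmtime(&t));
    return buf;
}

// Ordering actually applied (assumed newest first, matching the listing above):
// full-resolution ticks decide; the path is a last tie-break so the order is total.
bool newer_first(const Hit& a, const Hit& b) {
    if (a.modified_ticks != b.modified_ticks) return a.modified_ticks > b.modified_ticks;
    return a.path < b.path;
}

// Sort the hits and render them the way the log does. Hits whose displayed
// seconds are equal still come out in a fixed order decided by the hidden ticks.
std::vector<std::string> render_sorted(std::vector<Hit> hits) {
    std::sort(hits.begin(), hits.end(), newer_first);
    std::vector<std::string> lines;
    for (const Hit& h : hits) lines.push_back(display_time(h.modified_ticks) + " " + h.path);
    return lines;
}
```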

#19 thisisu

Posted 22 January 2012 - 03:01 AM

Thanks!

Can I use pevFind to search and enumerate keys/values from the registry?

#20 Billy O'Neal

Posted 22 January 2012 - 03:36 PM


#21 thisisu

Posted 23 January 2012 - 01:45 AM

Hi Billy,

First, thanks again for taking the time to answer my questions :)

Does pevFind have any functions for listing services and/or drivers?

I noticed the subprogram SC but is it only for creating, deleting, stopping, starting purposes?

#22 Billy O'Neal

Posted 23 January 2012 - 02:52 AM

No, it doesn't do anything like that. Files only. The assumption was that if you needed to look at services, you could just use Windows' own sc.exe. The rudimentary support I threw in there was a sort of escape hatch for cases where sc.exe was borked for some reason.

Consider sc.exe + grep :)

As for registry searching, there's always regedit, which does have rudimentary support for that. Bobbi Fleckman has written a tool called RegSearch, which you can find around in various places. JPShortStuff also has a tool which I think can do what you need, SystemLook. None of these tools though are designed for command line use -- generally speaking the thinking has been that it's a bad idea to drive automated operation based on something as ... random as a regsearch.

Billy3

#23 thisisu

Posted 26 January 2012 - 05:30 PM

Billy O'Neal, on 23 January 2012 - 02:52 AM, said:

Consider sc.exe + grep :)

Thanks! using sc.exe and grep now. Liking it :)

Quote

--timeout Timeout after x number of ms.
When this switch is present, pevFind starts a second thread which simply
goes to sleep for the required time. After this time, the thread will wake up,
and attempt to ask the main thread to cancel the search. The main thread will
be given an additional 100ms in which to write the results to the resultant
buffer. The errorlevel will be set to 1 in this case -- and the state of the
resultant log will be incomplete, but otherwise valid. If the main thread is
unable to finish in the additional 100ms, the sub-thread will terminate the
program. In this case, errorlevel will be set to 2.


Can you provide some examples of the above?

I think I may need to utilize this switch because some of the searches do not seem to complete even after 1-2 minutes on systems running 512MB RAM or less. Would this help in those cases?

You can see pev.exe constantly changing memory usage in task manager but the search output never completes properly on some of the more elaborate searches.

#24 Billy O'Neal

Posted 26 January 2012 - 09:21 PM

Quote

some of the searches do not seem to complete even after 1-2 minutes on systems running 512MB RAM or less. Would this help in those cases?

I don't know. 1-2 minutes is longer than it should take... then again there are a lot of things that are done dumb right now. The big problem is that if the timeout is reached the program is terminated.

The switch was added because malware authors were making it hang.

Billy3
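
The watchdog that the quoted --timeout description and Billy's answer describe, as an added example that is not pevFind's code: the roles are mirrored (the search runs on a worker thread and the watchdog waits on the main thread) so that the three errorlevels can be returned instead of terminating the process, which is what a scanner that a hostile file tree can hang needs to report reliably. The Search signature, the grace parameter and the sample searches are assumptions.

```cpp
#include <atomic>
#include <chrono>
#include <condition_variable>
#include <functional>
#include <memory>
#include <mutex>
#include <string>
#include <thread>
#include <vector>

// Assumed shape of a search routine (hypothetical, not pevFind's API): it appends
// hits to `out` and is expected to poll `cancel` so the watchdog can stop it.
using Search = std::function<void(std::atomic<bool>&, std::vector<std::string>&)>;

// Shared with the search thread via shared_ptr so a search that ignores the
// cancel request can be abandoned without leaving dangling references behind.
struct Shared {
    std::atomic<bool> cancel{false};
    std::mutex m; std::condition_variable cv; bool done = false;
    std::vector<std::string> out;
};

// Mirrors the documented errorlevels: 0 = finished before the timeout;
// 1 = cancelled at the timeout but flushed within the grace period (results
// incomplete but valid); 2 = the search ignored the cancel, the case where
// pevFind's sub-thread terminates the program (here reported, not acted on).
int run_with_timeout(const Search& search, std::chrono::milliseconds timeout,
                     std::chrono::milliseconds grace, std::vector<std::string>& results) {
    auto s = std::make_shared<Shared>();
    std::thread worker([s, search] {
        search(s->cancel, s->out);
        std::lock_guard<std::mutex> lk(s->m);
        s->done = true;
        s->cv.notify_all();
    });
    auto finished_within = [&](std::chrono::milliseconds d) {
        std::unique_lock<std::mutex> lk(s->m);
        return s->cv.wait_for(lk, d, [&] { return s->done; });
    };
    int code = 0;
    if (!finished_within(timeout)) {
        s->cancel = true;                       // ask the search to stop
        code = finished_within(grace) ? 1 : 2;  // did it flush in the grace window?
    }
    if (code == 2) { worker.detach(); return 2; }  // nothing in `out` is trustworthy
    worker.join();
    results = s->out;
    return code;
}
```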
