Process Hacker 2 is an excellent tool for monitoring and investigating processes initiated by malware. It is a popular malware analysis tool among security professionals because it can extract a wealth of information from device processes.
Process Hacker is a powerful, free and open-source tool for controlling processes and services on your computer, and for terminating processes and searching or editing their memory.
What is Process Hacker?
Process Hacker is an open-source tool that lets you see what processes are running on a device, identify programs that are hogging CPU resources, and identify network connections associated with a process.
Because of these features, Process Hacker is an excellent tool for monitoring malware on a device. When triaging a malware infection, you can gather valuable indicators of compromise (IOCs) by seeing what processes it creates and by identifying its network connections and interesting strings in memory.
Using Process Hacker to gather IP addresses and malicious domains is also a huge win during incident response, because it lets you identify hosts you can no longer trust and put controls in place to contain the malware infection.
Is Process Hacker Safe to Use?
Process Hacker is completely safe to use. Some antivirus vendors may classify it as a ‘Hack Tool,’ and as a result, some organizations may receive Process Hacker alerts in their security tools. This does not imply that it is malicious.
The md5 hash value of the Process Hacker executable I’m running in my malware analysis lab is ‘B365AF317AE730A67C936F21432B9C71’.
If your company uses Symantec as its antivirus solution, it will identify Process Hacker as malicious and quarantine it. Additionally, if you don’t have any of the above AV solutions but do have an EDR solution, it may detect it as malicious because 14 vendors classify it as malicious on VirusTotal.
Features of Process Hacker 2:
- Processes are highlighted in a tree view.
- View detailed performance graphs and process statistics.
- Process tooltips are comprehensive and display context-specific information.
- Select multiple processes and terminate, suspend, or resume them.
- (32-bit only) Bypass nearly all types of process protection.
- Restart processes.
- Empty the working sets of processes.
- Set priority, affinity, and virtualization.
- Create process dumps.
- Terminate processes using a variety of methods.
- Detach processes from debuggers.
- View process heaps.
- View GDI handles.
- Inject DLLs.
- View the status of DEP and even enable/disable it.
- View environment variables.
- View and edit process security descriptors.
- View image properties like imports and exports.
- View complete token details, such as user, owner, primary group, session ID, elevation status, and more.
- View token groups.
- View privileges and even enable, disable, or remove them as needed.
- View and edit token security descriptors.
- View all modules and mapped files in a single list.
- Unload DLLs.
- View file properties and open files in Windows Explorer.
- View a list of virtual memory.
- Use a hex editor to read and modify memory.
- Dump memory to a file.
- Free memory.
- Scan for strings.
- View process handles, complete with attribute highlighting.
- Search for handles (and DLLs and mapped files).
- Close handles.
- (32-bit only) Set the Protected and Inherit handle attributes.
- View the access granted to handles symbolically rather than numerically.
- View detailed object properties when supported.
- View and edit object security descriptors.
- View a complete list of all services.
- Create services.
- Start, stop, pause, continue, or delete services.
- Change service properties.
- View service dependents and dependencies.
- View and edit service security descriptors.
- View the list of network connections.
- Close any network connection.
- Use tools like whois, traceroute and ping.
Process Hacker’s Operation + Use Cases
- The first tab, titled ‘Processes,’ provides an overview of the processes currently running on the device and contains the following columns:
- Name: the name of the running process.
- PID: the process ID, a unique number assigned to the process.
- CPU: how much CPU the process is using.
- I/O total: the process’s total I/O output.
- Private bytes: the memory privately committed by the process.
- User name: the account used to start the process.
- Description: information about the process.
- The listed processes are also color coded in the ‘Processes’ tab. In Process Hacker, you can find out what each color represents by going to the ‘Hacker’ menu and then ‘Options’.
- This brings up the ‘Options’ window.
- To find out what each color represents, go to the ‘Highlighting’ tab:
However, I won’t go into detail about what each color represents, but this is useful for quickly identifying which processes are expected system processes as opposed to packed processes.
- The ‘Services’ tab displays the following information:
- Name: the name of the identified service.
- Display name: the service’s display name.
- Type: the type of service identified, e.g. drivers.
- Status: the service status, e.g. Running.
- Start type: e.g. Boot start.
- PID: the process identifier of the service, if available.
- The ‘Network’ tab is useful for malware analysis because malware frequently attempts to communicate with the attacker’s command and control (C2) infrastructure.
The ‘Network’ tab shows the following data:
- Process name and PID.
- Local address.
- Local port used by the process.
- Remote address the process is connecting to.
- Remote port of the network connection.
- Protocol used by the process.
- Current state of the identified network connection.
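The IOC-gathering workflow described above (pulling remote addresses from the ‘Network’ tab to find hosts you can no longer trust) can be scripted once the rows are copied out of the tab. The following is an added example, not code from the page or from the Process Hacker project; it assumes the copied rows are tab-separated in the column order listed above, and the sample rows are constructed (the remote addresses are documentation ranges, not real indicators).

```python
import ipaddress

# Constructed sample of rows copied from the 'Network' tab, assumed to be
# tab-separated with the columns the page lists. Not a real capture: the
# remote addresses are documentation ranges used as stand-ins.
NETWORK_TAB_EXPORT = """\
Name\tPID\tLocal address\tLocal port\tRemote address\tRemote port\tProtocol\tState
svchost.exe\t1120\t0.0.0.0\t135\t\t\tTCP\tListen
update.exe\t4412\t192.168.1.20\t49731\t203.0.113.45\t8080\tTCP\tEstablished
update.exe\t4412\t192.168.1.20\t49744\t198.51.100.7\t443\tTCP\tSynSent
chrome.exe\t2980\t192.168.1.20\t49700\t10.0.0.5\t443\tTCP\tEstablished
update.exe\t4412\t127.0.0.1\t49750\t127.0.0.1\t5555\tTCP\tEstablished
"""

# Ranges belonging to the host itself or the internal network; connections
# to these are not useful as external indicators of compromise.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",  # RFC 1918 private
    "127.0.0.0/8", "169.254.0.0/16", "0.0.0.0/8",     # loopback, link-local, unspecified
    "::1/128", "fc00::/7", "fe80::/10",               # IPv6 equivalents
)]

def parse_network_tab(text):
    """Turn tab-separated Network-tab rows into dicts keyed by column header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = lines[0].split("\t")
    return [dict(zip(header, ln.split("\t"))) for ln in lines[1:]]

def is_external(addr):
    """True if the remote side lies outside the host and internal network.
    Empty (listening socket, no remote side) is dropped; a non-IP value such
    as a resolved hostname is kept, since malicious domains are IOCs too."""
    if not addr:
        return False
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        return True
    return not any(ip in net for net in INTERNAL_NETWORKS)

def extract_network_iocs(text):
    """Map (process name, PID) -> sorted 'remote:port' endpoints to triage."""
    iocs = {}
    for row in parse_network_tab(text):
        remote = row["Remote address"]
        if is_external(remote):
            key = (row["Name"], int(row["PID"]))
            iocs.setdefault(key, set()).add(f"{remote}:{row['Remote port']}")
    return {key: sorted(endpoints) for key, endpoints in iocs.items()}

if __name__ == "__main__":
    for (name, pid), endpoints in extract_network_iocs(NETWORK_TAB_EXPORT).items():
        print(f"{name} (PID {pid}) -> {', '.join(endpoints)}")
```

The listening socket and the loopback and RFC 1918 connections fall away, leaving only the process and endpoints that warrant a block or further investigation.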
- The ‘Disk’ tab displays information about files on the device’s hard drive that are currently in use, with the following columns:
- Process name and PID.
- File location on disk.
- Average read rate in real time.
- Average write rate in real time.
- Average total read and write rate.
- I/O priority.
- Response time.
How to Install Process Hacker 2
You can download and install Process Hacker from the official website, which includes a link to the download page.
- In the download section, you have the option of downloading a setup file or a portable binary; in this example, I chose the setup executable.
- After downloading the setup file, double-click the executable and select ‘Run.’
- The UAC prompt will then ask you to allow Process Hacker to make changes to your device; select ‘Yes’.
- Accept the License Agreement by clicking the ‘Next’ button.
- Select the location where you want to install Process Hacker and click ‘Next’.
- Select the components you want to install and press the ‘Next’ button; by default, all components are selected.
- Choose the location of the program’s shortcuts and select ‘Next’.
- Choose any additional tasks.
- Finish the installation and launch Process Hacker.