Suspicious Process Behavior Analysis Tool v1.0
Supports 32-bit NT OS (2k, XP/MCE, 2k3, Vista...)
(c)2009 Brock Williams
This is a simple yet effective PoC (Proof Of Concept) designed as a usermode (Ring3) process inspection tool used to profile "power" levels of all currently running processes. Any malware that is potentially a threat to a system will most definitely end up using one or more of the scanned techniques listed below. SPBAT will detect all mentioned concepts and allow them to be reversed via a built-in right click menu with options. Do not think that SPBAT is not powerul because it does not use a traditional kernel driver, internally it does not use standard methods of process and module enumeration (PSAPI and Toolhelp32 libraries aren't used) and any process calls that it makes are emulated via my Symbiote module which can only be potentially tampered with from kernel mode when this program is not "specifically" targeted. Emulated Symbiote functions do not make any Win32 API calls internally, instead only the interrupt services and inline assembly logic is used thus keeping function returns reliable and integrity uncompromised in usermode even from the most low-level usermode hooking libraries that hook system APIs.
Note: No code injection or hooking is used in this software.
Object Detection (
*** Hide Process Object (Process name is not listed in process viewers as it hides from the Windows API)
(Option to terminate process included)
*** \Device\PhysicalMemory Object (Basically the equivalent of \dev\kmem in Unix which allows usermode programs to map kernel memory from Ring3)
(Option to invalidate Physical Memory section handle used in every mapping call included)
*** Loading kernel Image into a Process i.e: LoadLibrary("ntoskrnl.exe");
(Option to forcefully unload module from the remote process included, even if it's statically bound or "pinned" via GetModuleHandleEx(GET_MODULE_HANDLE_EX_FLAG_PIN...) unloading will be successful)
*** SeDebugPrivilege (Allows programs to open handles to System processes)
(Option to disable this privilege within the remote process included)
Download it here http://bugczech.fu8.com/bin/spbat_bin.zip