Malware hunting toolbox for Windows

A collection of tools, useful for hunting down malware on your computer. Some of them provide convenient export options, the reports of which can be sent for additional digital forensics and investigations. Under constant expansion.

Tools:

  1. Sysinternals, available at https://docs.microsoft.com/en-us/sysinternals/, or, more conveniently, at https://live.sysinternals.com/. Awesome advanced system utility tools, developed by Mark Russinovich. From that plethora of tools, the most convenient are probably the following 6. More details for each tool and how it can be used for hunting malware will be available soon [hopefully :)]
    1. Process Explorer [information about which handles and DLLs processes have opened or loaded].
    2. Autoruns [shows the currently configured auto-start applications as well as the full list of Registry and file system locations available for auto-start configuration].
    3. Sigcheck [Useful for getting version number, timestamp information, and digital signature details, including certificate chains].
    4. Process Monitor [shortened as Procmon, it is an advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity. It's the spiritual successor of Filemon and Regmon].
    5. System Monitor [also known as Sysmon; it gathers information about process creations, network connections, and changes to file creation time].
    6. Strings [useful for scanning a suspicious file for UNICODE (or ASCII) strings with a default minimum length of 3 UNICODE (or ASCII) characters].
  2. Symantec Diagnostic tools, available at https://support.symantec.com/en_US/article.TECH170735.html. Used for its Threat analysis scan, which provides a basic scan and an expanded assessment for Support [not needed if Symantec Endpoint software is not in use]. Useful options are Basic scan and Scan for rootkits. The threat analysis provides information on potential risks, autorun details, and process and registry load points. After that the report can be exported as an sdbz file and used for further analysis.
  3. GMER, available at http://www.gmer.net/. Best used for rootkit detection. It scans for hidden processes, hidden threads, hidden modules, hidden services, hidden files, hidden disk sectors (MBR), hidden Alternate Data Streams, hidden registry keys, drivers hooking SSDT, drivers hooking IDT, drivers hooking IRP calls, inline hooks.
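As an added illustration of what the Strings tool (item 6 under Sysinternals) actually looks for, here is a small Python extractor that is not part of this toolbox: it pulls ASCII and UTF-16LE ("UNICODE") runs of the same default minimum length of 3 printable characters out of a byte blob and reports their file offsets. The sample bytes, and the Run key and URL embedded in them, are constructed for the example.

```python
import re
from typing import List, Tuple

DEFAULT_MIN_LEN = 3  # the default minimum length used by Sysinternals Strings

# Printable ASCII (space..tilde, plus tab) is the character class we treat as "string" bytes.
_PRINTABLE = rb"[\x20-\x7e\t]"


def extract_strings(data: bytes, min_len: int = DEFAULT_MIN_LEN) -> List[Tuple[int, str, str]]:
    """Return (offset, kind, text) for every ASCII and UTF-16LE run of at least
    min_len printable characters, ordered by offset in the file."""
    ascii_re = re.compile(_PRINTABLE + rb"{%d,}" % min_len)
    # Windows "wide" strings are UTF-16LE: each ASCII character is followed by a NUL byte.
    wide_re = re.compile(rb"(?:" + _PRINTABLE + rb"\x00){%d,}" % min_len)
    hits = []
    for m in ascii_re.finditer(data):
        hits.append((m.start(), "ascii", m.group().decode("ascii")))
    for m in wide_re.finditer(data):
        hits.append((m.start(), "unicode", m.group().decode("utf-16-le")))
    hits.sort()  # interleave both kinds by file offset, as the Strings tool does
    return hits


# Constructed stand-in for a suspicious binary: a fake DOS header, an ASCII
# registry Run key, a wide (UTF-16LE) URL, a too-short run, and a wide word.
SAMPLE = (
    b"MZ\x90\x00\x03\x00\x00\x00"                              # "MZ" is only 2 chars: dropped
    + b"Software\\Microsoft\\Windows\\CurrentVersion\\Run\x00"  # ASCII, offset 8
    + b"\x7f\x80"                                              # non-printable separators
    + "http://example.invalid/update".encode("utf-16-le")      # UNICODE, offset 56
    + b"\x00\x00"
    + b"ab\x01"                                                # 2 printable bytes: dropped
    + "Sysmon".encode("utf-16-le")                             # UNICODE, offset 119
)


if __name__ == "__main__":
    for offset, kind, text in extract_strings(SAMPLE):
        print(f"{offset:6d} {kind:8s} {text}")
```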