Forum Support > Software Problems and Questions
Notification or Log for Process Protecter
Yuki:
Can you suggest some search terms to find PP entry (if any) in the log file?
It's too large to find that entry and some terms I entered picked too many words up.
Thanks.
sinlam:
--- Quote from: Yuki on July 30, 2014, 10:37:34 AM ---Okay, so I can check whitelist.log to see whether PP blocked attempt for code injection.
BTW, I found another log files in %AppData%, but they are almost empty.
What the difference with those in %ProgramData%?
--- End quote ---
For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%
If you are not running under User account, this explains why it is empty.
sinlam:
--- Quote from: Yuki on July 30, 2014, 11:12:26 AM ---Can you suggest some search terms to find PP entry (if any) in the log file?
It's too large to find that entry and some terms I entered picked too many words up.
Thanks.
--- End quote ---
You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.
If you are keen to test process protector further, you can try the following:
1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.
2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.
Yuki:
--- Quote from: sinlam on July 31, 2014, 02:51:08 AM ---For application that is running under User account, the log will be written in %AppData%
For application that is running under SYSTEM account, the log will be written in %ProgramData%
If you are not running under User account, this explains why it is empty.
--- End quote ---
Thanks, I understood what they are and why it was empty.
--- Quote from: sinlam on July 31, 2014, 03:43:12 AM ---You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.
--- End quote ---
There's no hit when I serched "Protected Process".
Does this mean no injection occured?
--- Quote from: sinlam on July 31, 2014, 03:43:12 AM ---If you are keen to test process protector further, you can try the following:
1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.
2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.
--- End quote ---
Sorry, I'm not a techy man so can't, though I want to use metasploit in the future.
I hope some skilled people demonstrates this.
Pedersen:
--- Quote from: sinlam on July 31, 2014, 03:43:12 AM ---
--- Quote from: Yuki on July 30, 2014, 11:12:26 AM ---Can you suggest some search terms to find PP entry (if any) in the log file?
It's too large to find that entry and some terms I entered picked too many words up.
Thanks.
--- End quote ---
You can search for the keyword, "Protected Process". I think the current information in the log may not be that useful.
If you are keen to test process protector further, you can try the following:
1. If you have a test console to inject your code into the memory, you will get access denied when you are trying to do so.
2. If you are using a penetration code such as metaspoilt, after you managed to get into the system, you can try to migrate the protected process. The attacker will get access denied and in some cases, it may even make the attacker machine hang.
--- End quote ---
Care sinlam :D Dont give users some bad ideas that can ruin their pc :D
Navigation
[0] Message Index
[#] Next page
[*] Previous page
Go to full version