Old 10-18-2019, 18:24
DavidXanatos
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0

Finally we arrived at build v1.0; this build features an extended xprocesshacker.sys that can unprotect (PPL) protected processes.
Another great new feature is a much better remote host name resolution for sockets: instead of just relying on reverse DNS (which in the age of CDNs is not very reliable), we monitor ETW events emitted when a process issues a DNS query. This way we know what domains every process requested and what IPs it got as answers; hence, when observing a new socket, we first check this list for matching entries, and when one is found it is almost certain the socket was opened with the intention to reach the captured domain.

Added

xprocesshacker.sys can now unprotect and re-protect protected processes (light)
using ETW events to monitor what domains individual processes query
-- enabled more accurate remote hostname column display

Changed

cleaned up PH directory
improved process display for the case when multiple processes are selected
now using https://github.com/microsoft/krabsetw to monitor ETW events
reworked socket process association
when opening the finder, the search term is selected so that it can be replaced quickly

Fixed

no longer trying to do reverse DNS on addresses that returned no results
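As an added illustration of the socket-to-domain association the post describes (example code written for this page, not Task Explorer's own C++/krabsetw code): DNS answers observed per process are kept in a per-PID map, a new socket's remote address is looked up there first, and reverse DNS is only a fallback, with a negative cache so addresses that returned nothing are not retried. The event tuples, their field layout and the PTR table are constructed sample data, not the real DNS-client ETW provider schema.

```python
from collections import defaultdict

# Constructed sample data: what a DNS-client ETW consumer would hand us per
# query, as (pid, queried name, answer IPs). The tuple layout is an
# illustrative assumption, not the Windows DNS-client provider's real schema.
DNS_EVENTS = [
    (4120, "cdn.example.net", ["203.0.113.10", "203.0.113.11"]),
    (4120, "api.example.org", ["198.51.100.7"]),
    (5577, "cdn.example.net", ["203.0.113.10"]),
    (5577, "nonexistent.example", []),          # NXDOMAIN: nothing to record
]

# Constructed stand-in for reverse DNS (PTR lookup) so the example runs offline.
PTR_TABLE = {"192.0.2.5": "mail.example.com"}

def fake_reverse_dns(ip):
    return PTR_TABLE.get(ip)

class HostResolver:
    """Map a socket's (pid, remote ip) to the domain that process asked for."""

    def __init__(self, reverse_dns=fake_reverse_dns):
        self.reverse_dns = reverse_dns
        self.by_pid = defaultdict(dict)   # pid -> {answer ip: queried domain}
        self.neg_cache = set()            # ips whose reverse lookup came back empty
        self.reverse_calls = 0            # number of fallback lookups performed

    def on_dns_event(self, pid, name, answers):
        # Remember every answer IP under the process that issued the query.
        for ip in answers:
            self.by_pid[pid][ip] = name

    def resolve(self, pid, remote_ip):
        # 1. Prefer the ETW-observed query: same process, same answer IP.
        name = self.by_pid.get(pid, {}).get(remote_ip)
        if name:
            return name, "etw"
        # 2. Skip addresses already known to have no reverse record.
        if remote_ip in self.neg_cache:
            return None, "none"
        # 3. Fall back to reverse DNS, remembering empty results.
        self.reverse_calls += 1
        name = self.reverse_dns(remote_ip)
        if name is None:
            self.neg_cache.add(remote_ip)
            return None, "none"
        return name, "rdns"

def build_resolver(events=DNS_EVENTS):
    r = HostResolver()
    for pid, name, answers in events:
        r.on_dns_event(pid, name, answers)
    return r
```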