Exetools  

Go Back   Exetools > General > Community Tools

Notices

Reply
 
Thread Tools Display Modes
  #1  
Old 09-02-2019, 17:03
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Task Explorer - An Advanced Task Manager for hackers

Since Task explorer went a long way from a first preview build till now, I thought it would better fit into this section of the forum, so lets continue here.

Task Explorer is an advanced Task Manager tool with emphasis on, not just monitoring what applications are running, but on finding out what applications are doing.

Screenshot: https://i.ibb.co/q5406rC/1.png

The UI focuses on expedience and getting real time data of what the processes are doing at any given moment. Relevant data are provided in easy to access (as less clicks as possible) panels, with no need to open windows or windows of sub windows, instead additional information’s for selected entries are shown in the lower half of the panel. Allowing to browse the detailed information’s using arrow keys. And most data are refreshed continuously, as seeing the dynamic of values often grants additional insight.

The Thread Panel contains a stack trace for the selected thread giving even more insight in wat the selected application is doing right now. This is also very useful to debug deadlocks or performance issues. The processes memory can be viewed and edited from the Memory Panel, which provides an advanced memory editor and string search capability. In the Handles Panel all open handles are shown, with useful information’s like file name the current file position and size, these allow to see what a program is actually working on right now disk wise. The Socket Panel shows all open connections/sockets per process providing also data rate information, in the settings one can enable the display of pseudo UDP connections created from ETW data. That is every destination endpoint for UDP packets will be shown as an own entry in the sockets panel allowing to monitor with whom a program is communicating. The Modules Panel shows all loaded dll’s and memory mapped files, allowing to unload them as well as to inject a dll. And many more panels like Token, Environment, Windows, GDI, .NET, etc….
By double clicking on a process, the Task Info panels can be opened in a separate window enabling the viewing of properties of multiple processes simultaneously.

The system monitor aspect of the application is also well developed. The toolbar provides decently sized graphs providing not just CPU usage but also usage of Objects, handles, network and IO/disk access. The system info panels show All Open Files in the system, All Open Sockets by programs, and the services Panel allows viewing and controlling all system services including drives. The performance panels for CPU, Memory, Disk I/O, Network and GPU provide large graphs showing the usage of system resources in a detailed manner.
The System info panel can be collapsed completely providing more space for the Task info panels. So Instead being a panel of the main window, or additionally, the system info panels can be opened in an own window using the appropriate toolbar button.

Task Explorer can be found on my GitHub page: https://github.com/DavidXanatos/TaskExplorer its fully Open Source under the GPLv3.0 and is created using the Qt Framework, making its UI platform independent. As at a later point I intent to port the tool to Linux, creating the first advanced GUI based task manager for Linux ever.

The tool is build using the process hacker library and it uses a self-compiled version of the kprocesshacker.sys driver called xprocesshacker.sys, the driver is signed using a “found” code signing certificate. However if preferred by the user the tool can also use the original kprocesshacker.sys driver however then with some limitations as the driver locks some functionality out if the accessing tool is not digitally signed by the process hacker team.

I would appreciate feedback and improvement suggestions / feature requests...
Reply With Quote
The Following User Gave Reputation+1 to DavidXanatos For This Useful Post:
uranus64 (10-26-2019)
The Following 13 Users Say Thank You to DavidXanatos For This Useful Post:
backdoor_b (01-22-2024), Doit (11-18-2019), goku (09-05-2019), h8er (10-29-2019), innu3ndo (01-05-2021), lordi (09-03-2019), ph03n1x (05-08-2021), sh3dow (05-15-2021), SinaDiR (01-24-2020), uranus64 (10-26-2019), wild (01-28-2020)
  #2  
Old 09-02-2019, 17:06
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Most recent build, as of today: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.8.5


[0.8.5] - 2019-09-01

This release focuses on bug fixing and usability improvements. An other major change is the use of the own xprocesshacker.sys driver by default, this is required as the original kprocesshacker.sys comes with a DRM that locks some functionality away from tools which are not signed by the process hacker team. With an own driver we can again mess with protected processes and read any memory location.

The used leaked signing certificate does not seam to raise to many read flags eider, virus total:
xprocesshacker.sys 4 false positivs https://www.virustotal.com/gui/file/ac2ed32418c81cf97dd6a53e258b4066952affbb768e66ebaaf57643d5f145ec/detection
vs
original kprocesshacker.sys 13 false positivs https://www.virustotal.com/gui/file/220a2dcf4d597f9208c0e7fd7057a91e88e118d420f20aac8e75ae3e39a7ac22/detection
In fact we get much less than process hacker does.


Added
  • multi graph widget (optional individual CPU plots and individual GPU Node plots)
  • plot background/text/grid colirs can now be changed
  • added close (WM_CLOSE) and quit command (WM_QUIT)
  • added option for rates/deltas and cpu/gpu usage to show an empty string instead of '0'
  • added option to highlicht the x top resource users per column
  • reduced GUI cpu load by 20% by improved issuing of cell updates in the process tree model
  • added window title and status columns
  • added toolbar option to quickly adjust the refresh rate
  • added options to tray menu

Changed
  • system plots now set the proper length
  • all tool bar drop down buttons have now a default action
  • now the xprocesshacker.sys is used by default

Fixed
  • fixed issues with changing graph length
  • fixed bad color contrast of sellected items
  • fixed a crash (race condition) when closing
  • fixed issues with cycle based cpu usage calculation
  • fixed major issue with process stat display
  • fixed isue with PrivateBytesDelta column
  • fixed issue with asynchroniouse username resolution
  • fixed cpu time columns showing a wrong value
  • fixed broken protection columns DEP and ASLR
  • fixed broken file info columns size and modification time
Reply With Quote
The Following 7 Users Say Thank You to DavidXanatos For This Useful Post:
h8er (10-29-2019), Insid3Code (09-03-2019), lordi (09-03-2019), niculaita (09-04-2019), sh3dow (05-15-2021), uranus64 (10-26-2019), WRP (09-03-2019)
  #3  
Old 09-09-2019, 17:55
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.0

This releases added some new useful insights into the operating system and adds firewall event monitoring to be able to show blocked connection attempts.

[0.9.0] - 2019-09-09
Added

added windows firewall monitor to show blockes connection atempts
added network column to processes, showing if a process is or was using network sockets
added toolbar button to set persistence to 1h
added toolbar menu to quickly change item persistence
added kernel object tab to system panel, including the pool table and otehr informations
added nt object browser sub tab
added atom table view to the kernel objects tab

Changed

The system info Drivers tab is now moved to a sub tab of the new kernel objects tab
the stack trace section of the thread window can now be colapsed

Fixed

fixed issue disabling network adapter graphs did not work
fixed driver view module info was not loaded
Reply With Quote
The Following 6 Users Say Thank You to DavidXanatos For This Useful Post:
chants (09-13-2019), h8er (10-29-2019), niculaita (09-10-2019), uranus64 (10-26-2019), wilson bibe (09-14-2019), WRP (09-11-2019)
  #4  
Old 09-16-2019, 00:45
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.25

This releases added many small convenience features, as well as a few major once.
It now has a DNS cache tab, and the date form the DNS cache are used to more reliably resolve the remote host mane to which a socket was opened. Instead of just using a reverse dns which in the age of CDN's, likecloud flare and blazing fast, is quite useless, the tool correlates new sockets with the system DNS cache this way resolving which host name the process actually requested.
Task explorer can now use the Wait Chain Traversal feature of windows to debug deadlocks of processes.
And as the version approaches 1.0 we have many bug fixed.

[0.9.25] - 2019-09-15
Added

added remote host names resolution for the socket's tabs
added dns cache viever with 60 min persistence
-- the dns cache feature correlates the cached data with open sockets and provides a remote host name more reliable than reverse dns lookups
better formating when copying panels
added column reset option to all lists
added f5 full refresh options
added security explorer
all sub windows now save their geometry
addes Working Set Watch fature to count page faults
added a few more pool informations
added running object table view to kernel objects
added Wait Chain Traversal feature to detect deadlocks
added option to open thread tokens

Changed

when a new process is seen in an ETW or FW event it is now created and some masic infos are loaded
copy cell now can copy multiple cels
when enabling/disablign columns a refresh is triggered right away to fill in the data (in caseuse has set a ver slow refresh rate)
improved menu layout

Fixed

fixed on copy cell did not work properly with multiple items selected
fixed on cppy panel and row copying empty(hiden) columns
fixed process tree horizontal scroll bar position reset on selection in tree
fixed NtQueryInformationFile deadlock in windows 7 when querying \Device\VolMgrControl
fixed issue where some deltas caused a overflow when the counter reset
Reply With Quote
The Following 2 Users Say Thank You to DavidXanatos For This Useful Post:
h8er (10-29-2019), uranus64 (10-26-2019)
  #5  
Old 09-24-2019, 23:17
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.50
This new build features many usability improvements and some bug fixes.


[0.9.50] - 2019-09-24

Added

critical status added to processes state string
critical processes / threads have an own list color
trying to terminate a critical process or thread wil now display an additional confirmation mesage
ctrl+c now copys the selected rows
formating for copying panels can be set in settings
added additional mitigation informations
added additional informations to geneal process info
-- details sub tab
-- security sub tab
-- app subtab
added job id to job tab
added app infos to process general tab

Changed

resolving symbols for pool limits is only triggered once the kernel objects tab gets opened
all priority settings have now an own groupe in the process tree
no longer keeping a handle open to all threads when thay were not used recently
mitigation informtions are not more verbose

Fixed

all unselected tabs are no longer unnececerly updated at startup
issue with private bytes displaying the wrong value
fixed crash bug in task menu action handling
fixed a minor issue with sid resolving
Reply With Quote
The Following 4 Users Say Thank You to DavidXanatos For This Useful Post:
h8er (10-29-2019), uel888 (09-25-2019), uranus64 (10-26-2019), WRP (09-28-2019)
  #6  
Old 09-30-2019, 03:32
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
New release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v0.9.75
This release focuses on bugfixes many many bug fixes, and some usability improvements.

[0.9.75] - 2019-09-29
Added

priority columns now show text instead of numbers (except base priority)
added cert display to process security sub tab
ctrl+e now expands all process tree items
added driver config window
added verbose error's dialog
added more status informations

Changed

reduced cpu usage of models
reduced cpu usage of rate counters
moved firewall status resolution to separate threa
reworked thread enumeration to save cpu usage
service and socket tabs are not longer updated when thay are not visible
gpu per proces stat update is now performed on a as needed basis
massivly reduced treeview cpu usage by adaping configuration

Fixed

fixed an issue when on successfuly changing priority still an error was reported
when starting using UAC bypass the process ended up with lower priority,
-- fixed by now always settign higher priority on startup
fixed bug with gpu usage column display
fixed issue "bring in front" was always disable din the process tree
fixed issue where thread start adresses were resolved multiple times unnececerly
fixed crash issue when logging out users
fixed service window not closing when ok was pressed
fixed issue with service to process association
fixed crash bug in reverse dns lookups on win 7
Reply With Quote
The Following 4 Users Say Thank You to DavidXanatos For This Useful Post:
darkBLACK (10-01-2019), h8er (10-29-2019), nimaarek (10-07-2019), uranus64 (10-26-2019)
  #7  
Old 10-18-2019, 18:24
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0

Finally we arrived at the build v1.0, this build features a extended xprocesshacker.sys that can unprotect (PPL) protected processes.
An other great new feature is a much better remote host name resolution for sockets, instead of just relying on reverse dns (which in the age of CDN's is not very reliable), we monitor ETW events emitted when a process issues a dns query. This way we know what domains every process requested and what IP's it got as answer, hence when observing a new socket we first check in this list for matching entries, when found it is almost certain the socket was opened with the intention to reach the captured domain.

Added

xprocesshacker.sys can now unprotect and re protect protected processes (light)
using ETW Events to monitor what domains individual processes querry
-- enabled more accurate remote hostname column display

Changed

cleaned up PH directory
improved process display for the case when multiple processes are sellected
now using https://github.com/microsoft/krabsetw to monitor ETW events
reworked socket process association
when opening finder the search term ist selected such it can be replaced quickly

Fixed

no longer trying to do reverse dns on adresses that returned no results
Reply With Quote
The Following 6 Users Gave Reputation+1 to DavidXanatos For This Useful Post:
bolo2002 (10-24-2019), copyleft (10-22-2019), Fyyre (10-20-2019), niculaita (10-18-2019), Trit0n (10-25-2019), WRP (10-26-2019)
The Following 10 Users Say Thank You to DavidXanatos For This Useful Post:
0xdeadb0b (11-11-2019), copyleft (10-22-2019), darkBLACK (10-23-2019), Fyyre (10-20-2019), h8er (10-29-2019), niculaita (10-18-2019), Trit0n (10-25-2019), uranus64 (10-26-2019), WRP (10-19-2019)
  #8  
Old 10-24-2019, 23:04
bolo2002 bolo2002 is offline
VIP
 
Join Date: Apr 2002
Posts: 648
Rept. Given: 111
Rept. Rcvd 14 Times in 13 Posts
Thanks Given: 237
Thanks Rcvd at 246 Times in 158 Posts
bolo2002 Reputation: 14
Quote:
Originally Posted by DavidXanatos View Post
New Release: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0

Finally we arrived at the build v1.0, this build features a extended xprocesshacker.sys that can unprotect (PPL) protected processes.
An other great new feature is a much better remote host name resolution for sockets, instead of just relying on reverse dns (which in the age of CDN's is not very reliable), we monitor ETW events emitted when a process issues a dns query. This way we know what domains every process requested and what IP's it got as answer, hence when observing a new socket we first check in this list for matching entries, when found it is almost certain the socket was opened with the intention to reach the captured domain.

Added

xprocesshacker.sys can now unprotect and re protect protected processes (light)
using ETW Events to monitor what domains individual processes querry
-- enabled more accurate remote hostname column display

Changed

cleaned up PH directory
improved process display for the case when multiple processes are sellected
now using https://github.com/microsoft/krabsetw to monitor ETW events
reworked socket process association
when opening finder the search term ist selected such it can be replaced quickly

Fixed

no longer trying to do reverse dns on adresses that returned no results
Like said Fyyre on (https://forum.exetools.com/showthread.php?t=19038)

excellent work!
your task explorer could even be source closed,i hope your work will not be stolen,it's more than a simple github project.
__________________
I like this forum!
Reply With Quote
  #9  
Old 10-28-2019, 19:44
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Quote:
Originally Posted by bolo2002 View Post
your task explorer could even be source closed,i hope your work will not be stolen,it's more than a simple github project.
Making a closed source task explorer would be quite paradoxic as the reason I had to code it in the first place was that the Task Manager I was using since almost two decades was itself closed source and stopped being maintained 7 years ago...
So I really wouldn't want to risk putting others in the same kind of pickle I found my self in.
Reply With Quote
  #10  
Old 10-29-2019, 00:01
bolo2002 bolo2002 is offline
VIP
 
Join Date: Apr 2002
Posts: 648
Rept. Given: 111
Rept. Rcvd 14 Times in 13 Posts
Thanks Given: 237
Thanks Rcvd at 246 Times in 158 Posts
bolo2002 Reputation: 14
Quote:
Originally Posted by DavidXanatos View Post
Making a closed source task explorer would be quite paradoxic as the reason I had to code it in the first place was that the Task Manager I was using since almost two decades was itself closed source and stopped being maintained 7 years ago...
So I really wouldn't want to risk putting others in the same kind of pickle I found my self in.
I understand,it were just to say it,frankly for an open source it's a very well done work.
__________________
I like this forum!
Reply With Quote
  #11  
Old 11-15-2019, 15:05
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Maintenance Release with some bug fixes, see change-log.
https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0.1

[1.0.1] - 2019-11-15
Changed

improved file handle info retrival
ewt monitoring button is now disabled when running without admin rights

Fixed

memory leak occuring when updating per process handle list
fixed issue with service to process association
Reply With Quote
The Following 3 Users Say Thank You to DavidXanatos For This Useful Post:
darkBLACK (12-01-2019), niculaita (11-15-2019), uranus64 (11-16-2019)
  #12  
Old 12-24-2019, 16:51
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Happy Holidays everyone!

I bring you a new build Ho! Ho! Ho!


Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.0.2

This release adds some improvements and fixes some bugs, as well as updating the used PH-library to a new version.

[1.0.2] - 2019-12-24

Added
settign for reverse DNS to disable it when desired
when flushing dns cache the dns cache retention is reset as well

Changed
most "unknown" values now shows teh numeric value encountered
updated PHlib to version 3.0.2812

Fixed
an issue with the DNS cache monitoring
fixed issue with etw event tracking for UDP traffic
fixed issue with thread service tag not being resolved properly
Reply With Quote
The Following User Gave Reputation+1 to DavidXanatos For This Useful Post:
arlequim (12-30-2019)
The Following 5 Users Say Thank You to DavidXanatos For This Useful Post:
arlequim (12-30-2019), copyleft (12-24-2019), darkBLACK (12-30-2019), Doit (12-25-2019), wilson bibe (12-24-2019)
  #13  
Old 01-23-2020, 17:01
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
This build focuses on greatly improving the tracking of process starts and display of meaningful process trees. This is accomplished by monitoring the appropriate ETW events and using this information to list short lived processes that otherwise would fall between the refresh intervals of the regular enumeration method.
A new setting "Retain parent Processes" makes task explorer keep terminated processes listed as long as there are still child or (grand,...)grandchild processes running. A new toolbar button allows to quickly switch between a list view and a tree view while retaining the list sort order.
The new build also features other UI improvements most notably a Dark Mode for those who likes it.

Download: https://github.com/DavidXanatos/TaskExplorer/releases/tag/v1.1

[1.1.0] - 2020-23-01

Added

added Dark Theme Support
added ETW monitoring of the processProvider
-- allows to capture all process cration events henc elisting of very short lived processes
-- using ETW data to set image path and command line when the process closed before we could inspect it
added option to keep processes listed indefinetly as long as thay have still running children.
added functionality to find some types of hidden processes, also usefull to find some already terminated processes
added tool bar button to switch between the tree view and a list view more convinient as the last choose list sort column is remembered

Changed

the handle tab is now present twice once as it was and once providing only an open file list

Fixed

handle types are now sorted properly i.e. "[All]" is first
fixed bug where in the unifyed list view switching to tree view was not possible
fixed issue with some values not being initialized in CWinMainModule
fixed High DPI scaling issues
Reply With Quote
The Following 7 Users Say Thank You to DavidXanatos For This Useful Post:
alekine322 (08-15-2020), darkBLACK (05-31-2024), deepzero (01-23-2020), SinaDiR (01-24-2020), val2032 (01-23-2020), wild (01-28-2020), wilson bibe (01-23-2020)
  #14  
Old 01-24-2020, 15:20
cybercoder cybercoder is offline
Friend
 
Join Date: Aug 2005
Posts: 114
Rept. Given: 2
Rept. Rcvd 11 Times in 8 Posts
Thanks Given: 22
Thanks Rcvd at 46 Times in 31 Posts
cybercoder Reputation: 11
I tried to compile this today and it all went well apart from a couple of resources that seemed to be missing? I did however manage to compile if I removed the references from the resources.qrc file..
Reply With Quote
  #15  
Old 01-24-2020, 16:13
DavidXanatos DavidXanatos is offline
Family
 
Join Date: Jun 2018
Posts: 181
Rept. Given: 2
Rept. Rcvd 46 Times in 32 Posts
Thanks Given: 59
Thanks Rcvd at 355 Times in 118 Posts
DavidXanatos Reputation: 46
Quote:
Originally Posted by cybercoder View Post
I tried to compile this today and it all went well apart from a couple of resources that seemed to be missing? I did however manage to compile if I removed the references from the resources.qrc file..
Ups... I just committed the 3 missing png files sorry about that.
Reply With Quote
The Following User Says Thank You to DavidXanatos For This Useful Post:
cybercoder (01-24-2020)
Reply

Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off


Similar Threads
Thread Thread Starter Forum Replies Last Post
China cracking down on hackers rox General Discussion 8 03-09-2010 05:08
Simple Task [make loader for UPX target]... diablo2oo2 General Discussion 1 12-30-2004 07:03


All times are GMT +8. The time now is 21:27.


Always Your Best Friend: Aaron, JMI, ahmadmansoor, ZeNiX, chessgod101
( 1998 - 2024 )