To be able to monitor so many system functions at once, Procmon probably uses a driver to do that. So I went looking for Procmon's driver using GMER, and found PROCMON23.SYS.
I didn't see PROCMON23.SYS inside the Sysinternals directory, so I guess it'll be inside the PE structure. Sure enough, when I use PE Explorer to open up Procmon, I found it inside the BINRES directory in the RESOURCE section.
Extracted out the driver, and analysed using NikPEViewer. It's a 32 bit driver.
Then proceeded to analysis using IDA. It registers itself as a filter driver...
Creates a filter communication port at \ProcessMonitor23Port and starts the filter.
Procmon 64 bit
When running Procmon in 64-bit systems, another process called Procmon64.exe is created. This isn't found anywhere in the Sysinternals folder.
 |
| Procmon in 64-bit Windows |
This implies that its 64-bit image is being stored in its 32-bit executable. Hence, I looked up the second entry under the BINRES section, and sure enough, it's a PE file:
 |
| Location of Procmon 64 bit image |
 |
| Procmon's 64 bit image |
Initially I thought it was the 64-bit Procmon driver...turned out that it is the 64-bit Procmon executable. And of course, the 64-bit driver is hidden inside the 64 bit executable's resource section.
 |
| Procmon 64 bit driver |
No comments:
Post a Comment