Detecting Running Process: EnumProcess API

Created the Monday 18 March 2019. Updated 9 months, 3 weeks ago.

Anti-monitoring is a technique used by malware to prevent security professionals from detecting and analyzing it. One way that malware can accomplish this is by using the EnumProcess function to search for specific processes, such as ollydbg.exe or wireshark.exe, which are commonly used by security professionals to monitor and analyze running processes on a system.

By detecting these processes and taking evasive action, such as terminating itself or encrypting its own code, malware can prevent security professionals from gaining visibility into its activities and disrupt their efforts to analyze it.

Technique Identifiers

U0109 U0405 U1306

Technique Tags

EnumProcess function Ollydbg.exe Wireshark.exe Monitoring Analysis

Featured Windows API's

Below, you will find a list of the most commonly used Windows API's that are currently utilized by malware authors for current evasion technique. This list is meant to provide an overview of the API's that are commonly used for this purpose. If there are any API's that you feel should be included on this list, please do not hesitate to contact us. We will be happy to update the list and provide any additional information or documentation that may be helpful.

Code Snippets

//source: https://docs.microsoft.com/en-us/windows/win32/psapi/enumerating-all-processes
#include <windows.h>
#include <stdio.h>
#include <tchar.h>
#include <psapi.h>

// To ensure correct resolution of symbols, add Psapi.lib to TARGETLIBS
// and compile with -DPSAPI_VERSION=1

void PrintProcessNameAndID( DWORD processID )
{
    TCHAR szProcessName[MAX_PATH] = TEXT("<unknown>");

    // Get a handle to the process.

    HANDLE hProcess = OpenProcess( PROCESS_QUERY_INFORMATION |
                                   PROCESS_VM_READ,
                                   FALSE, processID );

    // Get the process name.

    if (NULL != hProcess )
    {
        HMODULE hMod;
        DWORD cbNeeded;

        if ( EnumProcessModules( hProcess, &hMod, sizeof(hMod), 
             &cbNeeded) )
        {
            GetModuleBaseName( hProcess, hMod, szProcessName, 
                               sizeof(szProcessName)/sizeof(TCHAR) );
        }
    }

    // Print the process name and identifier.

    _tprintf( TEXT("%s  (PID: %u)\n"), szProcessName, processID );

    // Release the handle to the process.

    CloseHandle( hProcess );
}

int main( void )
{
    // Get the list of process identifiers.

    DWORD aProcesses[1024], cbNeeded, cProcesses;
    unsigned int i;

    if ( !EnumProcesses( aProcesses, sizeof(aProcesses), &cbNeeded ) )
    {
        return 1;
    }


    // Calculate how many process identifiers were returned.

    cProcesses = cbNeeded / sizeof(DWORD);

    // Print the name and process identifier for each process.

    for ( i = 0; i < cProcesses; i++ )
    {
        if( aProcesses[i] != 0 )
        {
            PrintProcessNameAndID( aProcesses[i] );
        }
    }

    return 0;
}

Detection Rules

                                    rule Detect_EnumProcess: AntiDebug {
    meta: 
        description = "Detect EnumProcessas anti-debug"
        author = "Unprotect"
        comment = "Experimental rule"
    strings:
        $1 = "EnumProcessModulesEx" fullword ascii
        $2 = "EnumProcesses" fullword ascii
        $3 = "EnumProcessModules" fullword ascii
    condition:   
        uint16(0) == 0x5A4D and filesize < 1000KB and any of them 
}

                                    rule:
  meta:
    name: check for windows sandbox via process name
    namespace: anti-analysis/anti-vm/vm-detection
    authors:
      - "@_re_fox"
    scope: function
    att&ck:
      - Defense Evasion::Virtualization/Sandbox Evasion::System Checks [T1497.001]
    mbc:
      - Anti-Behavioral Analysis::Virtual Machine Detection [B0009]
    references:
      - https://github.com/LloydLabs/wsb-detect
    examples:
      - 773290480d5445f11d3dc1b800728966:0x140001140
  features:
    - and:
      - match: enumerate processes
      - string: "CExecSvc.exe"

Additional Resources

External Links

The resources provided below are associated links that will give you even more detailed information and research on current evasion technique. It is important to note that, while these resources may be helpful, it is important to exercise caution when following external links. As always, be careful when clicking on links from unknown sources, as they may lead to malicious content.

Enumerating All Processes - Win32 apps | Microsoft Docs