Process Monitoring Tools is a program written in Python 3 that makes process analysis easier and gives quick access to the Windows process tools, which in turn simplifies malware analysis. It can also reveal processes running in the background.
After the program is started it keeps running in the background, and the tools are then accessed from the system tray.
- Process Monitoring Tools
  - 1) Process Creation: monitors newly created processes on the system.
  - 2) Process Deletion: monitors deleted (terminated) processes on the system.
  - 3) Process Monitor: an advanced monitoring tool from Microsoft that shows real-time file system, Registry, and process/thread activity on Windows. [For detailed information: https://docs.microsoft.com/en-us/sysinternals/downloads/procmon ]
  - 4) Process Explorer: a Microsoft tool that shows which handles and DLLs each process has opened or loaded. [For detailed information: https://docs.microsoft.com/en-us/sysinternals/downloads/process-explorer ]
  - 5) RAMMap: a Microsoft tool for advanced physical memory usage analysis on Windows Vista and later. [For detailed information: https://docs.microsoft.com/en-us/sysinternals/downloads/rammap ]
  - 6) WinObj: a Microsoft 32-bit Windows NT program that uses the native Windows NT API (provided by NTDLL.DLL) to access and display information in the NT Object Manager's namespace. [For detailed information: https://docs.microsoft.com/en-us/sysinternals/downloads/winobj ]
  - 7) Autoruns: a Microsoft tool with the most comprehensive knowledge of auto-starting locations of any startup monitor; it shows which programs are configured to run at system boot or login, and when you start various built-in Windows applications such as Internet Explorer, Explorer and media players. [For detailed information: https://docs.microsoft.com/en-us/sysinternals/downloads/autoruns ]
Process Creation
Monitors newly created processes on the system. The console output is colored to make it easier to read.
Process Deletion
Monitors deleted (terminated) processes on the system. The console output is colored to make it easier to read.
Startup
The program can be configured to start automatically when the computer starts. For security reasons, however, it does not start itself with administrator privileges. Autostart can be disabled again if desired.
- "Process Monitoring Tools (for Windows x64) [Download]"
- process_monitor_tools_for_Windows.rar --> zip password: #AkG_*_2022#
- Link = https://drive.google.com/file/d/1l5opbERUFIepCA9OnNHWnTgraAc-icmb/view?usp=sharing
- "Process Monitoring Tools (for Windows x64) [Youtube]"
- You can follow the link below to watch the running version of the program.
- Link = https://www.youtube.com/watch?v=lcp7Gis7c00
Required libraries: wmi, colorama, pyinstaller, pystray, pillow

```
pip install wmi
pip install colorama
pip install pyinstaller
pip install pystray
pip install pillow
```

"pyinstaller" is used to build the code into a single-file executable.
process_monitoring_tools.py (Default Settings for Directory Structure)

```python
class SETTINGS:
    PROGRAM_TITLE: str = "Process Monitoring Tools"
    PROGRAM_NAME: str = "process_monitoring_tools.exe"
    SYSTEM_TRAY_ICON: str = "images\\systemtray.png"
    SYSTEM_TRAY_TITLE: str = "Process Monitoring Tools"
    WAIT_TIME: float = 0.01
    DEVELOPPER: str = "ABDULKADIR GUNGOR"
    # Each tool entry is a (menu label, path relative to the executable) pair.
    PROCESS_CREATION: tuple = ("Process Creation", "programs\\process_creation.exe")
    PROCESS_DELETION: tuple = ("Process Deletion", "programs\\process_deletion.exe")
    PROCESS_MONITOR: tuple = ("Process Monitor", "programs\\ProcessMonitor\\Procmon64.exe")
    PROCESS_EXPLORER: tuple = ("Process Explorer", "programs\\ProcessExplorer\\procexp64.exe")
    PROCESS_RAMMAP: tuple = ("RAMMap", "programs\\RAMMap\\RAMMap64.exe")
    PROCESS_WINOBJ: tuple = ("WinObj", "programs\\WinObj\\Winobj64.exe")
    PROCESS_AUTORUNS: tuple = ("Autoruns", "programs\\Autoruns\\Autoruns64.exe")
    PROCESS_CMD: tuple = ("CMD", "cmd")
```
process_creation.py (Default Settings for Colors)

```python
from colorama import Fore

class ProcessWatcher():
    # colorama foreground colors used for each field of a process-creation line
    COLOR_DATE = Fore.RED
    COLOR_NAME = Fore.GREEN
    COLOR_OWNER = Fore.CYAN
    COLOR_ID = Fore.YELLOW
    COLOR_PRIORITY = Fore.YELLOW
    COLOR_SESSIONID = Fore.YELLOW
    COLOR_COMMANDLINE = Fore.WHITE
```
process_deletion.py (Default Settings for Colors)

```python
from colorama import Fore

class ProcessWatcher():
    # colorama foreground colors used for each field of a process-deletion line
    COLOR_DATE = Fore.RED
    COLOR_NAME = Fore.GREEN
    COLOR_OWNER = Fore.CYAN
    COLOR_ID = Fore.YELLOW
    COLOR_PRIORITY = Fore.YELLOW
    COLOR_SESSIONID = Fore.YELLOW
    COLOR_COMMANDLINE = Fore.WHITE
```
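As an added example (not the project's own code), this shows how the Process Creation / Process Deletion tools described above can be built on the `wmi` package: a WMI watcher on Win32_Process delivers each created or deleted instance, the CIM_DATETIME stamp is parsed, and one console line is colored in the same field order and colors as the defaults above. The ANSI codes, field layout and the constructed sample event are assumptions; only the `watch()` loop needs Windows and `wmi`.

```python
import datetime
from dataclasses import dataclass

# ANSI sequences identical to colorama's Fore.RED/GREEN/CYAN/YELLOW/WHITE/RESET,
# so output matches the project's default colors without importing colorama.
RED, GREEN, CYAN, YELLOW, WHITE = "\x1b[31m", "\x1b[32m", "\x1b[36m", "\x1b[33m", "\x1b[37m"
RESET = "\x1b[39m"

@dataclass
class ProcessEvent:
    kind: str  # "creation" or "deletion"
    when: datetime.datetime
    name: str
    owner: str
    pid: int
    priority: int
    session_id: int
    command_line: str

def parse_cim_datetime(value: str) -> datetime.datetime:
    """WMI gives CreationDate as CIM_DATETIME ('20220315093000.123456+180'); keep yyyymmddHHMMSS."""
    return datetime.datetime.strptime(value[:14], "%Y%m%d%H%M%S")

def format_event(ev: ProcessEvent) -> str:
    """One colored console line, same field order and colors as the project's defaults."""
    fields = [(RED, ev.when.strftime("%Y-%m-%d %H:%M:%S")),
              (GREEN, f"{ev.kind.upper()} {ev.name}"),
              (CYAN, ev.owner or "owner n/a"),
              (YELLOW, f"PID={ev.pid}"),
              (YELLOW, f"PRIORITY={ev.priority}"),
              (YELLOW, f"SESSION={ev.session_id}"),
              (WHITE, ev.command_line or "<no command line>")]
    return " | ".join(f"{color}{text}{RESET}" for color, text in fields)

def sample_event() -> ProcessEvent:
    """Constructed sample (not captured from a real system) so the formatter runs offline."""
    return ProcessEvent("creation", parse_cim_datetime("20220315093000.123456+180"),
                        "notepad.exe", "DESKTOP\\analyst", 4242, 8, 1,
                        'C:\\Windows\\System32\\notepad.exe "C:\\Users\\analyst\\notes.txt"')

def watch(kind: str = "creation") -> None:
    """Blocking loop: one line per Win32_Process created or deleted. Windows-only (wmi package)."""
    import wmi  # imported lazily so the formatter above stays usable off Windows
    watcher = wmi.WMI().Win32_Process.watch_for(kind)  # __InstanceCreationEvent / __InstanceDeletionEvent
    while True:
        proc = watcher()  # blocks until the next event; attribute names are Win32_Process's
        # The event carries a snapshot, so GetOwner() cannot be called on it; owner is left blank.
        ev = ProcessEvent(kind, parse_cim_datetime(proc.CreationDate or "19700101000000"),
                          proc.Name, "", int(proc.ProcessId), int(proc.Priority or 0),
                          int(proc.SessionId or 0), proc.CommandLine or "")
        print(format_event(ev))
```

Calling `watch("deletion")` gives the Process Deletion variant; `print(format_event(sample_event()))` shows the colored line format without Windows.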
[Language : Python 3.8.5]
```bat
pyinstaller --onefile --icon=images\process_monitoring_tools.ico process_monitoring_tools.py # [Main program]
pyinstaller --onefile --icon=images\process.ico process_creation.py # [Tool] After compiling, put it in the programs folder.
pyinstaller --onefile --icon=images\process.ico process_deletion.py # [Tool] After compiling, put it in the programs folder.
```
The folder structure expected after compilation, according to the default settings. If the folder structure does not match, the program will not work properly.

```
process_monitoring_tools.exe ----.
                                 |----images\systemtray.png
                                 |----programs\process_creation.exe
                                 |----programs\process_deletion.exe
                                 |----programs\Autoruns\*
                                 |----programs\ProcessExplorer\*
                                 |----programs\ProcessMonitor\*
                                 |----programs\RAMMap\*
                                 |----programs\WinObj\*
```
The program is not limited to malware analysis and can serve many other purposes, for example capturing and inspecting the information that "Microsoft Edge" sends in the background.
Screenshot [1]
Screenshot [2]
Run your tests on virtual machines. The responsibility for illegal use belongs to the user. Shared for educational purposes.