Extending Sysinternals Process Explorer

Author: Ivo Ivanov

Summary

In this post, we will look at a simple utility for adding new functionality to Process Explorer.

Download available here.

Process Explorer

I’ve been using Process Explorer on a daily basis and I love it. While working on several projects and investigating malware, I often find myself in a situation where I need to suspend a specific process and terminate all its child processes. Process Explorer is a very handy utility and has these functions built in as “Kill” and “Suspend”, which are available under the “Process” menu. At the time of writing this post, there isn’t an atomic action which would allow the user to select a process and then suspend it and terminate all its child processes in one go.

Process Explorer New Features Request

Two weeks ago I submitted a request for a new feature here, but since I haven’t got any replies to my post, it is very likely that I’m one of the very few people that need that feature.

My next thought was that I should probably code it and add this feature to Process Explorer, but how do I do that without having Process Explorer’s source code?

My company InfoProcess offers a product (Application Customisation Framework – ACF SDK) whose job is to allow customisation of existing applications at binary level, so Process Explorer looked like a great candidate for putting ACF SDK into practice and extending one of my favourite utilities.

This weekend I decided that I could probably afford to spend a day or so trying to put together a simple utility that adds a few new features to Process Explorer using ACF SDK, and here is the result.

I have added four new features to the process view context menu, available by right-clicking within the process view.

  1. Suspend Process and Kill Child Processes – a combination of the existing “Suspend” process and “Kill” individual process actions.
  2. Kill Child Processes – very similar to “Kill Process Tree”, but unlike the built-in feature it does not terminate the parent (container) process.
  3. Open File Location – opens an Explorer window at the folder containing the selected process’s executable.
  4. Open Elevated Command Prompt in Location – opens an elevated command prompt in the selected process’s folder.
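
The same four actions written as plain PowerShell functions, as an added example that is not code from this post or from ACF SDK. It is Windows-only; the function names and the P/Invoke wrapper are my own, and suspending relies on the undocumented but long-stable NtSuspendProcess export in ntdll.dll.

```powershell
# Added example (not the post's or ACF SDK's code): the four context menu actions
# as standalone PowerShell functions. Windows only. Function names are my own.

# Minimal P/Invoke surface: OpenProcess with PROCESS_SUSPEND_RESUME (0x0800),
# CloseHandle, and NtSuspendProcess from ntdll.dll.
Add-Type -Namespace ProcExpExt -Name Native -MemberDefinition @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint desiredAccess, bool inheritHandle, uint processId);
[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr handle);
[DllImport("ntdll.dll")]
public static extern int NtSuspendProcess(IntPtr processHandle);
'@

function Get-ChildProcessId {
    # All descendants of $ParentId, deepest first, taken from one Win32_Process snapshot.
    param([Parameter(Mandatory)][int]$ParentId)
    $table = Get-CimInstance -ClassName Win32_Process |
             Select-Object ProcessId, ParentProcessId, CreationDate
    $byPid = @{}
    foreach ($row in $table) { $byPid[[int]$row.ProcessId] = $row }
    if (-not $byPid.ContainsKey($ParentId)) { return @() }

    $found = New-Object System.Collections.Generic.List[int]
    $queue = New-Object System.Collections.Generic.Queue[int]
    $queue.Enqueue($ParentId)
    while ($queue.Count -gt 0) {
        $current   = $queue.Dequeue()
        $parentRow = $byPid[$current]
        foreach ($row in $table) {
            if ([int]$row.ParentProcessId -ne $current) { continue }
            $child = [int]$row.ProcessId
            # PID reuse guard: ParentProcessId is never updated, so a row can point at a
            # process that exited and whose id was recycled for an unrelated newer process.
            # A genuine child is always created after its parent.
            if ($row.CreationDate -and $parentRow.CreationDate -and
                $row.CreationDate -lt $parentRow.CreationDate) { continue }
            if ($child -eq $current -or $found.Contains($child)) { continue }
            $found.Add($child)
            $queue.Enqueue($child)
        }
    }
    $found.Reverse()   # breadth-first order reversed: grandchildren before children
    return $found.ToArray()
}

function Stop-ChildProcess {
    # "Kill Child Processes": terminate every descendant, leave the parent running.
    param([Parameter(Mandatory)][int]$ParentId)
    foreach ($id in Get-ChildProcessId -ParentId $ParentId) {
        Stop-Process -Id $id -Force -ErrorAction SilentlyContinue
    }
}

function Suspend-ProcessAndStopChildren {
    # "Suspend Process and Kill Child Processes": freeze the parent first so it
    # cannot spawn replacements while its children are being terminated.
    param([Parameter(Mandatory)][int]$ParentId)
    $h = [ProcExpExt.Native]::OpenProcess(0x0800, $false, [uint32]$ParentId)
    if ($h -eq [IntPtr]::Zero) {
        $err = [Runtime.InteropServices.Marshal]::GetLastWin32Error()
        throw "OpenProcess(PROCESS_SUSPEND_RESUME) failed for PID ${ParentId}: Win32 error $err"
    }
    try {
        $status = [ProcExpExt.Native]::NtSuspendProcess($h)
        if ($status -ne 0) { throw ("NtSuspendProcess failed, NTSTATUS 0x{0:X8}" -f $status) }
    } finally {
        [void][ProcExpExt.Native]::CloseHandle($h)
    }
    Stop-ChildProcess -ParentId $ParentId
}

function Open-ProcessLocation {
    # "Open File Location": Explorer window with the executable selected.
    param([Parameter(Mandatory)][int]$ProcessId)
    $path = (Get-Process -Id $ProcessId -ErrorAction Stop).Path
    if (-not $path) { throw "Image path of PID $ProcessId is not readable from this context" }
    Start-Process explorer.exe -ArgumentList "/select,`"$path`""
}

function Open-ElevatedPromptAtLocation {
    # "Open Elevated Command Prompt in Location": UAC prompt, then cmd.exe in the folder.
    # The directory is changed inside cmd because an elevated process started through
    # ShellExecute does not reliably inherit a caller-supplied working directory.
    param([Parameter(Mandatory)][int]$ProcessId)
    $dir = Split-Path -Parent (Get-Process -Id $ProcessId -ErrorAction Stop).Path
    Start-Process cmd.exe -Verb RunAs -ArgumentList "/k cd /d `"$dir`""
}
```

Usage is for example Suspend-ProcessAndStopChildren -ParentId 1234 or Open-ProcessLocation -ProcessId 1234. The functions need the same rights Process Explorer needs for the equivalent menu items: an unelevated session cannot suspend or terminate processes owned by another user, and the module path of a 64-bit process is not visible from 32-bit PowerShell.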

This is what the standard process context menu looks like:

And this is what we get after running the customisation launcher ProcExpExtensions.exe. Notice the new menu items.

ProcExpExtensions.exe hosts the ACF SDK runtime environment and manages code injection into Process Explorer. It also detects the launch of Process Explorer using WMI.
Although ACF SDK ships with several components for detecting newly launched processes, one of them being a kernel-mode driver, it is important to note that no kernel-mode drivers are involved in this specific implementation.
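
Detecting the launch of Process Explorer through WMI, as an added example that is not the launcher's own code (the post does not say which WMI mechanism the launcher uses; this one polls for new Win32_Process instances). The subscription lives only inside the PowerShell session, and the last function is a check a practitioner can run to confirm that no permanent subscription was left behind in root/subscription. Function names are my own.

```powershell
# Added example, not the launcher's code: an in-session WMI subscription that
# fires when Process Explorer starts, plus a check for persistent subscriptions.

function Register-ProcExpStartWatch {
    # WITHIN 2 polls every two seconds for new Win32_Process instances. The
    # Win32_ProcessStartTrace class would deliver a non-polled event instead,
    # but it requires an elevated session.
    param([string]$SourceIdentifier = 'ProcExpStarted')
    $query = "SELECT * FROM __InstanceCreationEvent WITHIN 2 " +
             "WHERE TargetInstance ISA 'Win32_Process' " +
             "AND (TargetInstance.Name = 'procexp.exe' OR TargetInstance.Name = 'procexp64.exe')"
    Register-CimIndicationEvent -Query $query -SourceIdentifier $SourceIdentifier -Action {
        # $Event.SourceEventArgs.NewEvent is the __InstanceCreationEvent; its
        # TargetInstance is the Win32_Process that just appeared.
        $p = $Event.SourceEventArgs.NewEvent.TargetInstance
        Write-Host ("{0:HH:mm:ss}  {1}  PID {2}  {3}" -f (Get-Date), $p.Name, $p.ProcessId, $p.ExecutablePath)
    }
}

function Unregister-ProcExpStartWatch {
    # Removes the in-session subscription; it would also vanish when the session ends.
    param([string]$SourceIdentifier = 'ProcExpStarted')
    Unregister-Event -SourceIdentifier $SourceIdentifier -ErrorAction SilentlyContinue
}

function Get-PermanentWmiSubscription {
    # A persistent WMI subscription (one that survives reboots) is a
    # __FilterToConsumerBinding in root/subscription. Empty output means none
    # is installed; anything listed should be recognisable, since this is a
    # well-known persistence location.
    Get-CimInstance -Namespace root/subscription -ClassName __FilterToConsumerBinding |
        Select-Object Filter, Consumer
}

# Register-ProcExpStartWatch      # then start procexp.exe and watch the line appear
# Get-PermanentWmiSubscription    # expected: no output from the example above
# Unregister-ProcExpStartWatch
```

The -Action script block runs on a background runspace, so anything it does to the console appears asynchronously; a real launcher would hand the PID to its injection host from that block.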

All you need to do is unzip the archive and run ProcExpExtensions.exe. After you run it, a tray icon should appear in the notification area.

The sample Extensions for Process Explorer support 32-bit and 64-bit Windows platforms. Currently IA64 is not supported.

How does it work?

ProcExpExtensions.exe uses two helper processes (ProcExpExt32.exe and ProcExpExt64.exe) that serve as DLL injection hosts for the 32-bit and 64-bit platforms. The actual customisation code is implemented in PeSat32.dll and PeSat64.dll. Depending on the Process Explorer process platform (i.e. 32-bit or 64-bit), the injection hosts implant PeSat32.dll or PeSat64.dll into procexp.exe or procexp64.exe accordingly.

If you look at the Process Explorer module list, you will see that there are two DLLs that get injected. For 64-bit platforms these are AcfSatellite64.dll and PeSat64.dll, as shown below.

As I mentioned, the utility uses code injection, so it is important to make sure these DLLs are whitelisted in the AV you are using so they don’t get blocked.
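
A check to go with the two paragraphs above, added here as an example that is not part of the post: it lists every module loaded into Process Explorer that does not carry a valid Microsoft signature, together with its SHA-256 hash, which is what an AV whitelist entry usually wants. After running the launcher, the AcfSatellite and PeSat DLLs are the modules expected to appear; anything else in the list deserves a second look. The function name is my own.

```powershell
# Added example, not from the post: enumerate non-Microsoft modules inside
# Process Explorer. Run from an elevated session of the same bitness as the
# Process Explorer instance, otherwise its module list is not accessible.

function Get-ProcExpForeignModule {
    param([string[]]$ProcessName = @('procexp', 'procexp64'))
    foreach ($proc in Get-Process -Name $ProcessName -ErrorAction SilentlyContinue) {
        foreach ($m in $proc.Modules) {
            # Get-AuthenticodeSignature also resolves catalog signatures on current
            # Windows versions, so system DLLs come back as Valid / Microsoft Windows.
            # On very old systems catalog-signed DLLs show as NotSigned and will be listed.
            $sig    = Get-AuthenticodeSignature -FilePath $m.FileName
            $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            # Drop everything validly signed by Microsoft (Windows DLLs and Sysinternals);
            # keep unsigned, badly signed and third-party modules.
            if ($sig.Status -eq 'Valid' -and $signer -like '*O=Microsoft Corporation*') { continue }
            [pscustomobject]@{
                Process = $proc.ProcessName
                Pid     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
                Status  = $sig.Status
                Signer  = $signer
                Sha256  = (Get-FileHash -Path $m.FileName -Algorithm SHA256).Hash
            }
        }
    }
}

# Get-ProcExpForeignModule | Format-Table Module, Status, Signer, Sha256 -AutoSize
```

Running it once before and once after starting ProcExpExtensions.exe gives a before/after diff of the process's module list, and the hashes in the second run are the values to put in the AV exclusion rather than a path-based exclusion, which would also cover any future file dropped under the same name.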

This is freeware and no commercial licence is required as long as the ACF SDK binaries are used solely within the context of the Extensions for Sysinternals Process Explorer.

I’ve spent a bit over a day working on this utility, so I cannot guarantee that it is bug-free. Also, the main goal is to show how ACF SDK can help with customising applications.

I hope these features may be useful for other people too.

The utility is available for download here.