I am having some trouble with the development of relevance that will query all instances of a specific process name and output the SHA1 of the exe tied to that process.
For example, let's pick SVCHOST.exe.
running applications whose ((name of it) starts with "svchost")
For every instance of SVCHOST, how would I output the SHA1?
My end goal is to query particular processes and compare with the known good hashes. Then flag those files that do not have some other unexpected hash. Hashing known files and locations is easy. It is hashing files of unknown locations that is difficult.
if
(sha1 of it) of running applications whose (name of it starts with "svchost") equals "49083ae3725a0488e0a8fbbe1335c745f70c4667"
then
"FALSE"
else
"TRUE"
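One way to get a per-process hash rather than a single plural comparison, as an added example that is not part of the original post. It assumes the client's inspector set provides `image file of <running application>` (the file on disk that the process was started from) and `sha1 of <file>`; the one known-good hash is the value quoted above, and the two-hash variant uses a second, constructed placeholder value.

```relevance
// List every matching process with its image path and SHA1.
// Result is a plural tuple, one row per process, so nothing is collapsed
// into a single string and "equals" does not error on a plural.
// The "exists image file of it" guard skips processes whose image file
// cannot be resolved (exited or access denied), which would otherwise
// error the whole expression. Example, not the original poster's relevance.
(name of it, pathname of image file of it, sha1 of image file of it)
  of running applications
  whose (name of it as lowercase starts with "svchost" and exists image file of it)

// True/False form: is any svchost process running from a file whose
// SHA1 is not the known-good value? Add further hashes with "or".
exists running applications
  whose (name of it as lowercase starts with "svchost"
         and exists image file of it
         and sha1 of image file of it != "49083ae3725a0488e0a8fbbe1335c745f70c4667")

// Same check against a small allow list of hashes; the second hash is a
// constructed placeholder to show the shape, not a real svchost SHA1.
exists running applications
  whose (name of it as lowercase starts with "svchost"
         and exists image file of it
         and sha1 of image file of it is not contained by set of
             ("49083ae3725a0488e0a8fbbe1335c745f70c4667";
              "0000000000000000000000000000000000000000"))
```

The first expression is the one to use in an analysis property, since it records which path produced the unexpected hash rather than only a flag; the second and third suit a fixlet or baseline relevance where a single True/False is needed. Hashing the image file of a live process is only as trustworthy as the path the inspector reports, so a process whose image file has been replaced on disk after launch will hash the new file, not what is actually executing in memory.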