
Methods

Liam Powell edited this page Jun 1, 2022 · 2 revisions

Process Information

Process information is gathered using CIM over WMI. The CIM cmdlets (Get-CimInstance) and the older WMI cmdlets (Get-WmiObject) read the same WMI classes, so the information is practically the same, but Microsoft superseded the WMI cmdlets with the CIM cmdlets in PowerShell 3.0 and does not ship them in PowerShell 7, so the CIM cmdlets were used instead. The goal of Vynae isn't to replace in-depth process examination applications, but instead, to provide essential information at a glance. As such, Vynae limits the information shown to a few key fields: the process ID (PID), parent process ID (PPID), executable path and command line of each process, all taken from Win32_Process.

Vynae can also trace PPIDs from any given process: it follows the parent chain upward until it reaches the earliest process that is still running. One caveat applies to any PPID-based trace: a PPID is only a number, and when the real parent has exited and Windows has reused its PID, the recorded PPID points at an unrelated, newer process. Comparing creation times (a genuine parent is never younger than its child) catches this. In reverse, Vynae can additionally trace spawned processes, i.e. list all processes spawned, directly or indirectly, by a given process.
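
The following is an added example, not Vynae's own code, showing how the key process fields above are gathered with the CIM cmdlets and how the PPID chain is walked in both directions with a PID-reuse check. The function names are the example's own; it assumes Windows PowerShell 5.1 or PowerShell 7 on Windows, where Win32_Process is available.

```powershell
# Added example, not Vynae's own code: gather the key process fields with the
# CIM cmdlets, walk the PPID chain upward and list spawned processes downward.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on Windows (Win32_Process).

function Get-ProcessSnapshot {
    # One query for every process; Get-CimInstance converts CreationDate to [datetime].
    Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, ExecutablePath, CommandLine, CreationDate
}

function Get-ParentChain {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [object[]]$Snapshot = (Get-ProcessSnapshot)
    )
    $byPid = @{}
    foreach ($p in $Snapshot) { $byPid[[int]$p.ProcessId] = $p }

    $seen = @{}
    $cur  = $byPid[$ProcessId]
    while ($null -ne $cur -and -not $seen.ContainsKey([int]$cur.ProcessId)) {
        $seen[[int]$cur.ProcessId] = $true
        $cur                                   # emit: requested process first, earliest live ancestor last
        $parent = $byPid[[int]$cur.ParentProcessId]
        # A PPID is only a number. If the real parent exited and Windows reused its PID,
        # the process now holding it is younger than its supposed child. Warn and stop
        # instead of reporting a false lineage.
        if ($null -ne $parent -and $parent.CreationDate -gt $cur.CreationDate) {
            Write-Warning ("PID {0} reused: {1} started after its 'child' PID {2}" -f $parent.ProcessId, $parent.Name, $cur.ProcessId)
            break
        }
        $cur = $parent
    }
}

function Get-ChildTree {
    param(
        [Parameter(Mandatory)][int]$ProcessId,
        [object[]]$Snapshot = (Get-ProcessSnapshot),
        [int]$Depth = 0
    )
    # Recursively list everything spawned, directly or indirectly, by $ProcessId.
    # PID 0 lists itself as its own parent, hence the self-exclusion.
    $children = $Snapshot | Where-Object { [int]$_.ParentProcessId -eq $ProcessId -and [int]$_.ProcessId -ne $ProcessId }
    foreach ($child in $children) {
        [pscustomobject]@{
            Depth           = $Depth + 1
            ProcessId       = $child.ProcessId
            ParentProcessId = $child.ParentProcessId
            Name            = $child.Name
            ExecutablePath  = $child.ExecutablePath
            CommandLine     = $child.CommandLine
        }
        Get-ChildTree -ProcessId $child.ProcessId -Snapshot $Snapshot -Depth ($Depth + 1)
    }
}

# Usage: lineage of this shell, then everything it has spawned.
$snap = Get-ProcessSnapshot
Get-ParentChain -ProcessId $PID -Snapshot $snap | Format-Table ProcessId, ParentProcessId, Name, CreationDate -AutoSize
Get-ChildTree   -ProcessId $PID -Snapshot $snap | Format-Table Depth, ProcessId, ParentProcessId, Name, CommandLine -AutoSize
```

Both traversals work from a single snapshot rather than re-querying WMI per hop, so the chain is consistent even while processes are starting and stopping; the `$seen` table stops the walk at PID 0, whose parent is itself.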

Network Information

Vynae also displays network information when applicable. This information includes local and remote IPv4 and IPv6 addresses and ports, plus the connection state (Established, Listen, TimeWait and so on). Optionally, Vynae can display only processes that have network connections, or only connections in a specific state.
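
As an added example, not Vynae's own code, this is one way to join TCP connections and UDP endpoints to their owning process and apply the two optional filters described above. It assumes the NetTCPIP module's Get-NetTCPConnection and Get-NetUDPEndpoint cmdlets (Windows 8 / Server 2012 and later); the function and parameter names are the example's own.

```powershell
# Added example, not Vynae's own code: attach TCP connections and UDP endpoints
# to their owning process, optionally keeping only processes that have any, or
# only connections in a given state. Assumes the NetTCPIP module (Windows 8+).

function Get-ProcessNetwork {
    param(
        [int[]]$ProcessId,          # empty = all processes
        [string[]]$State,           # e.g. 'Established','Listen','TimeWait'; empty = any
        [switch]$OnlyWithConnections
    )
    $byPid = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $byPid[[int]$p.ProcessId] = $p }

    # Normalise both address families and both protocols into one shape. UDP has
    # no state and no peer, so it is labelled 'Udp' with empty remote fields.
    $tcp = @(Get-NetTCPConnection | ForEach-Object {
        [pscustomobject]@{
            ProcessId = [int]$_.OwningProcess; Protocol = 'TCP'
            LocalAddress = $_.LocalAddress;    LocalPort = $_.LocalPort
            RemoteAddress = $_.RemoteAddress;  RemotePort = $_.RemotePort
            State = [string]$_.State
        }
    })
    $udp = @(Get-NetUDPEndpoint | ForEach-Object {
        [pscustomobject]@{
            ProcessId = [int]$_.OwningProcess; Protocol = 'UDP'
            LocalAddress = $_.LocalAddress;    LocalPort = $_.LocalPort
            RemoteAddress = '';                RemotePort = ''
            State = 'Udp'
        }
    })
    $conns = $tcp + $udp
    if ($State)     { $conns = $conns | Where-Object { $_.State -in $State } }
    if ($ProcessId) { $conns = $conns | Where-Object { $_.ProcessId -in $ProcessId } }

    # Index connections per owning PID for the join.
    $byOwner = @{}
    foreach ($c in $conns) {
        if (-not $byOwner.ContainsKey($c.ProcessId)) {
            $byOwner[$c.ProcessId] = [System.Collections.Generic.List[object]]::new()
        }
        $byOwner[$c.ProcessId].Add($c)
    }

    $targets = if ($ProcessId) { $ProcessId } else { @($byPid.Keys) }
    foreach ($id in $targets) {
        $list = if ($byOwner.ContainsKey([int]$id)) { $byOwner[[int]$id].ToArray() } else { @() }
        if ($OnlyWithConnections -and $list.Count -eq 0) { continue }
        $proc = $byPid[[int]$id]
        [pscustomobject]@{
            ProcessId      = [int]$id
            Name           = $proc.Name
            ExecutablePath = $proc.ExecutablePath
            Connections    = $list
        }
    }
}

# Usage: processes holding an established TCP session, one line per connection.
Get-ProcessNetwork -State Established -OnlyWithConnections | ForEach-Object {
    "{0} (PID {1}) {2}" -f $_.Name, $_.ProcessId, $_.ExecutablePath
    foreach ($c in $_.Connections) {
        "    {0} {1}:{2} -> {3}:{4} [{5}]" -f $c.Protocol, $c.LocalAddress, $c.LocalPort, $c.RemoteAddress, $c.RemotePort, $c.State
    }
}
```

The state filter is applied to connections and the presence filter to processes, so `-State Listen -OnlyWithConnections` yields exactly the listening processes, while `-State Listen` alone still lists every process, most with an empty Connections array.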

Hashing

Vynae can be used to compare the hash values of process executables against a list of known malicious programs. The list is sourced from MalwareBazaar, but any hashes can be added or used as long as they are placed in the 'Hashes.txt' file. Vynae will scan all processes by default but can be set to only scan specific processes. Vynae will alert on processes without executable paths in addition to processes that match hashes. Note that Win32_Process returns an empty ExecutablePath for kernel-side processes such as System and, in a non-elevated session, for processes owned by other users, so a scan should be run elevated if the no-path alerts are to be meaningful.
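
An added example, not Vynae's own code, of the hash comparison above. It assumes Hashes.txt in the current directory contains one SHA-256 per line (lines that are not 64 hex characters, such as the '#' comment lines in MalwareBazaar's text exports, are skipped), and the function names are the example's own. It distinguishes a missing path from an unreadable file from a real match, rather than treating every failure as malicious.

```powershell
# Added example, not Vynae's own code: hash every running process's image once
# per path and compare against a SHA-256 list in Hashes.txt, flagging processes
# whose path is empty or whose image cannot be read. Assumes one hex hash per
# line in the file; MD5/SHA-1 entries are ignored.

function Get-KnownBadHashes {
    param([string]$Path = '.\Hashes.txt')
    $set = [System.Collections.Generic.HashSet[string]]::new([System.StringComparer]::OrdinalIgnoreCase)
    foreach ($line in Get-Content -Path $Path) {
        $h = $line.Trim()
        if ($h -match '^[0-9a-f]{64}$') { [void]$set.Add($h) }   # keep only well-formed SHA-256
    }
    $set
}

function Invoke-ProcessHashScan {
    param(
        [int[]]$ProcessId,                   # empty = every process
        [string]$HashFile = '.\Hashes.txt'
    )
    $bad   = Get-KnownBadHashes -Path $HashFile
    $procs = Get-CimInstance -ClassName Win32_Process
    if ($ProcessId) { $procs = $procs | Where-Object { [int]$_.ProcessId -in $ProcessId } }

    # Cache hashes per path: dozens of svchost.exe instances share one image.
    $cache = @{}
    foreach ($p in $procs) {
        $path = $p.ExecutablePath
        if ([string]::IsNullOrEmpty($path)) {
            # Empty for kernel-side processes (System and friends) and, without
            # elevation, for processes owned by other users. Report it as
            # 'cannot verify', which is not the same as 'malicious'.
            [pscustomobject]@{ ProcessId = $p.ProcessId; Name = $p.Name; Path = $null; Sha256 = $null; Verdict = 'NoPath' }
            continue
        }
        if (-not $cache.ContainsKey($path)) {
            try {
                $cache[$path] = (Get-FileHash -LiteralPath $path -Algorithm SHA256 -ErrorAction Stop).Hash
            } catch {
                $cache[$path] = $null        # locked, deleted-while-running or inaccessible image
            }
        }
        $h = $cache[$path]
        $verdict = if ($null -eq $h) { 'Unreadable' } elseif ($bad.Contains($h)) { 'MATCH' } else { 'Clean' }
        [pscustomobject]@{ ProcessId = $p.ProcessId; Name = $p.Name; Path = $path; Sha256 = $h; Verdict = $verdict }
    }
}

# Usage: show only the findings, not the clean processes.
Invoke-ProcessHashScan | Where-Object Verdict -ne 'Clean' | Format-Table -AutoSize
```

Get-FileHash returns uppercase hex while MalwareBazaar publishes lowercase, so the set uses a case-insensitive comparer. Hashing the on-disk image also says nothing about a process whose image was modified in memory after loading; this check only catches known-bad files that are still on disk.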

Service scanning

Vynae also supports service scanning. Service scanning accepts all of the network filters and additionally allows filtering by service name or state, i.e. Running/Stopped. Service reports include the process ID and parent process ID of the process hosting the service, and display its networking information if desired.
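
An added example, not Vynae's own code, of the service report described above: services filtered by name and/or state and joined to their host process for the PID and PPID. It uses only the built-in CIM cmdlets and Win32_Service; the function name and the usage filter at the end are the example's own.

```powershell
# Added example, not Vynae's own code: list services filtered by name and/or
# state, joined to the hosting process for PID/PPID and the loaded image.
# Assumes only the built-in CIM cmdlets (Win32_Service, Win32_Process).

function Get-ServiceReport {
    param(
        [string]$Name,                                          # wildcard on service or display name, e.g. 'win*'
        [ValidateSet('Running', 'Stopped', 'Any')][string]$State = 'Any'
    )
    $procs = @{}
    foreach ($p in Get-CimInstance -ClassName Win32_Process) { $procs[[int]$p.ProcessId] = $p }

    $services = Get-CimInstance -ClassName Win32_Service
    if ($Name) { $services = $services | Where-Object { $_.Name -like $Name -or $_.DisplayName -like $Name } }
    if ($State -ne 'Any') { $services = $services | Where-Object { $_.State -eq $State } }

    foreach ($s in $services) {
        # Stopped services report ProcessId 0; do not resolve that to the Idle process.
        $hostProc = if ($s.ProcessId -ne 0) { $procs[[int]$s.ProcessId] } else { $null }
        [pscustomobject]@{
            Service         = $s.Name
            DisplayName     = $s.DisplayName
            State           = $s.State
            StartMode       = $s.StartMode
            RunAs           = $s.StartName
            ProcessId       = $s.ProcessId
            ParentProcessId = $hostProc.ParentProcessId
            HostImage       = $hostProc.ExecutablePath   # what is actually running (often svchost.exe)
            PathName        = $s.PathName                # the configured binary and arguments
        }
    }
}

# Usage: a quick triage filter, running services whose configured binary is
# outside the Windows and Program Files trees.
Get-ServiceReport -State Running |
    Where-Object { $_.PathName -and $_.PathName -notmatch '^"?[A-Z]:\\(Windows|Program Files)' } |
    Format-Table Service, State, ProcessId, ParentProcessId, RunAs, PathName -AutoSize
```

PathName and HostImage are deliberately both reported: for a shared-process service PathName names svchost.exe with a -k group while HostImage is the same binary, but for a service whose PathName points at a DLL loader or an unusual directory the two differ, and that difference is what an analyst wants to see at a glance.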

Limits to Vynae

EDIT: Keeping this in, but most design problems with Vynae were solved with the massive overhaul and rewrite. While Vynae provides solutions for some common process-gathering challenges, it doesn't cover the whole spectrum of process investigation. Vynae was originally developed as a small process tracing tool usable from the shell environment. While it has come a long way from that origin, Vynae still suffers from some design flaws and a lack of extensibility. For example, although Vynae supports some search customisation (displaying only processes with network connections, for instance), not every filter can be combined with every parameter: there is currently no option to hash only network-connected processes.

Additionally, Vynae only supports output via transcription (Start-Transcript). While a transcript is useful in and of itself, it leaves a fair bit to be desired when it comes to formatting. It is, however, possible to redirect the console output to a file while keeping the formatting, for example by piping a report through Out-File with a large -Width so that table columns are not truncated.
