Running Process Enumeration
Process enumeration is a technique commonly used by malware, particularly Remote Access Trojans (RATs), to collect information about active processes running on a compromised system. By identifying processes such as security software, analysis tools, or critical system components, malware can make informed decisions to evade detection, disable defenses, migrate into other processes, dump memory for post-exploitation activities, or escalate privileges.
In less sophisticated attacks, especially those conducted by so-called "script kiddies", this functionality is often abused to disrupt the user experience by forcefully terminating processes such as web browsers, document editors, or even system-critical processes (particularly on older systems like Windows XP). Such actions can cause data loss, user frustration, and system instability, serving no strategic purpose other than harassment or psychological disruption.
This technique typically involves querying system APIs to retrieve details such as process names, process IDs, parent-child relationships, command-line arguments, elevation status, and memory usage. However, process enumeration can also be achieved through alternative methods.
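The same attributes are what a responder collects when triaging a host. The following PowerShell is an added example, not one of the catalog's snippets: it gathers the name, PID, parent PID and command line of every process through the Win32_Process CIM class and prints them as a parent-child tree, marking processes whose recorded parent has already exited so unusual lineage stands out. It assumes Windows PowerShell 5.1 or PowerShell 7 running on Windows.

```powershell
# Added example, not one of the catalog's snippets. Assumes Windows PowerShell 5.1
# or PowerShell 7 on Windows, where the Win32_Process CIM class is available.
function Get-ProcessTree {
    [CmdletBinding()]
    param()

    # One CIM query returns the attributes the technique collects: name, PID,
    # parent PID and command line (CommandLine is $null for protected processes).
    $procs = Get-CimInstance -ClassName Win32_Process |
        Select-Object ProcessId, ParentProcessId, Name, CommandLine

    # Index by PID, and group by parent PID, so the tree walk stays linear.
    $byPid    = @{}
    $children = @{}
    foreach ($p in $procs) { $byPid[[uint32]$p.ProcessId] = $p }
    foreach ($p in $procs) {
        $ppid = [uint32]$p.ParentProcessId
        if ($ppid -eq [uint32]$p.ProcessId) { continue }   # guard against self-parent loops
        if (-not $children.ContainsKey($ppid)) { $children[$ppid] = @() }
        $children[$ppid] += $p
    }

    # Roots: PID 0 (its parent is itself) and any process whose recorded parent
    # no longer exists. An exited parent is normal for detached services, but a
    # user-facing binary with a missing or unexpected parent deserves a closer look.
    $roots = $procs | Where-Object {
        [uint32]$_.ParentProcessId -eq [uint32]$_.ProcessId -or
        -not $byPid.ContainsKey([uint32]$_.ParentProcessId)
    }

    function Write-Node([object]$Node, [int]$Depth) {
        $flag = ''
        if ($Depth -eq 0 -and $Node.ParentProcessId -ne $Node.ProcessId) {
            $flag = " [parent PID $($Node.ParentProcessId) has exited]"
        }
        '{0}{1} (PID {2}){3}  {4}' -f ('  ' * $Depth), $Node.Name, $Node.ProcessId, $flag, $Node.CommandLine
        foreach ($c in $children[[uint32]$Node.ProcessId]) { Write-Node $c ($Depth + 1) }
    }

    foreach ($r in $roots) { Write-Node $r 0 }
}

Get-ProcessTree
```

Run it from an elevated prompt to see command lines for processes owned by other users; non-elevated sessions get $null for those.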
Featured Windows APIs
Associated Code Snippets
Id | Name | Language | Author | Published Date |
---|---|---|---|---|
9 | Enumerate Process via Error / Exception | | DarkCoderSc | 22 hours, 57 minutes ago |
8 | Get Process Name via QueryFullProcessImageName | | DarkCoderSc | 23 hours, 11 minutes ago |
2 | Enumerate Process via CreateToolhelp32Snapshot | | DarkCoderSc | 2 days, 19 hours ago |