A process is an instance of a program that has been executed in the system. Each process in memory has a private isolated memory space. A process contains the execution code and the data that is required to complete the execution of the code, such as files, DLLs, and user input. All this data and code are located in a memory space allocated for this process.
Many processes can be in the memory at the same time. All the processes are listed in one structure called _EPROCESS
in the memory of the running Windows operating system.
Each entry of the _PROCESS
structure holds one process with its metadata; the process name, its executable path, parent process, start time, and in some cases, the exit time. The metadata can be used as an indication of the presence of malicious activity if the parent process of a well-known process is different. For example, the lsass.exe
process has parent process of Explorer.exe
, while its parent process should be Wininit.exe
. We can assume here...