I’ll help you track it down. Can you send the output of the deskscan command?
Specifically, does notepad.exe show up in the list of threads attached to the
0\WinSta0\Default desktop?
MHL
--------------------------------------------------
Michael Ligh (@iMHLv2)
GPG:
http://mnin.org/gpg.pubkey.txt
Blog:
http://volatility-labs.blogspot.com
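The cross-check suggested above, as an added example that is not from this thread or from Volatility itself: it parses pslist rows in the format posted below, takes a constructed, simplified stand-in for deskscan's per-desktop thread list (the real plugin prints more fields than offset, owning process and PID), and reports session-1 processes that own no thread on WinSta0\Default. Function names and sample values are assumptions; notepad.exe is deliberately left out of the constructed desktop list.

```python
import re
# Constructed subset of the pslist rows posted in the thread (values as posted).
PSLIST_SAMPLE = """\
Offset(V)  Name            PID PPID Thds Hnds   Sess Wow64 Start
0x852f2bc8 dwm.exe        1816  888    5   73      1     0 2014-03-31 13:12:30 UTC+0000
0x852f39d0 explorer.exe   1828 1788   34  876      1     0 2014-03-31 13:12:30 UTC+0000
0x84fe16d0 VBoxTray.exe   1940 1828   11   94      1     0 2014-03-31 13:12:32 UTC+0000
0x8537ad40 notepad.exe    1164 1828    1   64      1     0 2014-03-31 13:12:42 UTC+0000
"""
# Constructed, simplified stand-in for deskscan's per-desktop thread list (offset,
# owning process, PID per thread; the real plugin prints more). notepad.exe is absent.
DESKSCAN_SAMPLE = """\
Desktop: 0xfd9a0650, Name: WinSta0\\Default, Next: 0x0
SessionId: 1, DesktopInfo: 0xfd9a0670, fsHooks: 0
 0x852f2bc8 dwm.exe 1816
 0x852f39d0 explorer.exe 1828
 0x84fe16d0 VBoxTray.exe 1940
Desktop: 0xfd9b0650, Name: WinSta0\\Winlogon, Next: 0x0
 0x84f04030 winlogon.exe 432
"""
PSLIST_ROW = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\d+|-+)\s+(?P<wow64>\d+)\s+"
    r"(?P<start>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d \S+)", re.M)

def parse_pslist(text):
    """Map PID -> {name, session, threads} from pslist text output."""
    procs = {}
    for m in PSLIST_ROW.finditer(text):
        sess = None if m["sess"].startswith("-") else int(m["sess"])  # System shows '------'
        procs[int(m["pid"])] = {"name": m["name"], "session": sess, "threads": int(m["thds"])}
    return procs

def desktop_pids(text, desktop="WinSta0\\Default"):
    """PIDs owning at least one thread on the named desktop, from deskscan text."""
    pids, in_target = set(), False
    for line in text.splitlines():
        if line.startswith("Desktop:"):          # each desktop block starts here
            in_target = f"Name: {desktop}," in line
        elif in_target:
            m = re.match(r"\s*0x[0-9a-f]+\s+\S+\s+(\d+)\b", line)
            if m:
                pids.add(int(m.group(1)))
    return pids

def session_procs_without_desktop_threads(pslist_text, deskscan_text, session=1):
    """Session-N pslist processes with no thread on WinSta0\\Default (nothing for windows/screenshot to draw)."""
    attached = desktop_pids(deskscan_text)
    return sorted((pid, p["name"]) for pid, p in parse_pslist(pslist_text).items()
                  if p["session"] == session and pid not in attached)
```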
On Mar 31, 2014, at 3:49 PM, Bridgey <adam.bridge(a)yahoo.com> wrote:
Hi all,
I have an interesting scenario where Volatility seems to be telling me a process
isn't there.
Using Volatility 2.3.1, memory sample is from Win7SP1x86 (in a virtualbox VM) with
pagefile turned off and 512MB RAM.
Win7SP1x86.png (attached) clearly shows the Win7 desktop with notepad open and DumpIt.exe
running.
Output from pslist shows:
$ python volatility-read-only/vol.py -f memdumps/MEMTEST-PC-20140331-131312/*.raw --profile=Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.3.1
Offset(V)  Name            PID PPID Thds Hnds   Sess Wow64 Start                        Exit
---------- -------------- ---- ---- ---- ---- ------ ----- ---------------------------- ----
0x839afa20 System            4    0   79  437 ------     0 2014-03-31 13:12:08 UTC+0000
0x84836278 smss.exe        268    4    2   29 ------     0 2014-03-31 13:12:08 UTC+0000
0x84f1b5c0 csrss.exe       344  336    8  333      0     0 2014-03-31 13:12:12 UTC+0000
0x84ef7d40 wininit.exe     380  336    4   79      0     0 2014-03-31 13:12:12 UTC+0000
0x84ef67a0 csrss.exe       392  372    7  187      1     0 2014-03-31 13:12:12 UTC+0000
0x84f04030 winlogon.exe    432  372    5  115      1     0 2014-03-31 13:12:13 UTC+0000
0x84e5fa80 services.exe    460  380   15  183      0     0 2014-03-31 13:12:13 UTC+0000
0x84f4d818 lsass.exe       468  380    7  444      0     0 2014-03-31 13:12:13 UTC+0000
0x84f4e7f8 lsm.exe         476  380   10  142      0     0 2014-03-31 13:12:13 UTC+0000
0x84fd6bc0 svchost.exe     596  460   14  353      0     0 2014-03-31 13:12:15 UTC+0000
0x84fe2af0 VBoxService.ex  660  460   11  107      0     0 2014-03-31 13:12:16 UTC+0000
0x84ff7bb0 svchost.exe     712  460   11  229      0     0 2014-03-31 13:12:16 UTC+0000
0x85127858 svchost.exe     760  460   16  341      0     0 2014-03-31 13:12:17 UTC+0000
0x85197cc8 svchost.exe     888  460   21  433      0     0 2014-03-31 13:12:19 UTC+0000
0x851cf510 svchost.exe     936  460   45  796      0     0 2014-03-31 13:12:20 UTC+0000
0x847fe030 svchost.exe    1036  460   16  244      0     0 2014-03-31 13:12:21 UTC+0000
0x8511b388 svchost.exe    1128  460   17  350      0     0 2014-03-31 13:12:22 UTC+0000
0x851fe390 spoolsv.exe    1232  460   12  287      0     0 2014-03-31 13:12:23 UTC+0000
0x85212c30 svchost.exe    1268  460   24  316      0     0 2014-03-31 13:12:23 UTC+0000
0x852e3030 taskhost.exe   1744  460   10  173      1     0 2014-03-31 13:12:29 UTC+0000
0x852f2bc8 dwm.exe        1816  888    5   73      1     0 2014-03-31 13:12:30 UTC+0000
0x852f39d0 explorer.exe   1828 1788   34  876      1     0 2014-03-31 13:12:30 UTC+0000
0x84fe16d0 VBoxTray.exe   1940 1828   11   94      1     0 2014-03-31 13:12:32 UTC+0000
0x85335a48 GrooveMonitor. 1948 1828    4   96      1     0 2014-03-31 13:12:32 UTC+0000
0x84f34030 SearchIndexer. 1092  460   14  683      0     0 2014-03-31 13:12:40 UTC+0000
0x8537ad40 notepad.exe    1164 1828    1   64      1     0 2014-03-31 13:12:42 UTC+0000
0x8527fd40 SearchProtocol 1848 1092    8  275      0     0 2014-03-31 13:12:43 UTC+0000
0x853a08a0 SearchFilterHo 1780 1092    5   80      0     0 2014-03-31 13:12:43 UTC+0000
0x84eed030 DumpIt.exe     1844 1828    2   37      1     0 2014-03-31 13:13:12 UTC+0000
0x85104638 conhost.exe     540  392    2   58      1     0 2014-03-31 13:13:12 UTC+0000
notepad.exe can be seen: PID = 1164. Parent process is explorer and session is 1 - just
as I'd expect.
However, when I ran the windows plugin there was no sign of notepad in the output
(windows.txt attached).
Further, using the screenshot plugin it shows exactly what I'd expect except the
notepad process is missing! (session_1.WinSta0.Default.png attached).
If anybody has any ideas as to why this situation occurs I'd be really interested.
A 7z'd version of the dump is only 82MB and it doesn't contain anything sensitive
so I can make it available if needs be.
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users