I’ll paste some output tonight to share. Thanks!

Regards,

Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group

O:416-982-6855 | M:647-242-0002

From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Thursday, August 16, 2012 2:20 PM
To: phocean; Armet, Lee
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding

So the weird PID is because the pid column is fixed width for an unsigned short (since the maximum pid is 65535) however the EPROCESS.UniqueProcessId is actually defined as an unsigned int. So what happened is psscan (process pool scanner) picked up a possible structure whose UniqueProcessId value is larger than any valid PID and it gets shortened to "14...5" to fit in the column. I suppose we should fix it so that the whole unsigned int can fit even though those entries are likely to be false positives or a real EPROCESS structure but the pid member has been overwritten.

But yes the False in pslist, thrdproc, etc is strange. Does the pslist command work on your image? Also can you paste the full command-line you're using (not just the output)?

Thanks,

MHL
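
The column-width behaviour Michael describes, modelled in Python as an added example (this is not Volatility's code; the elision helper, the sample PID 1498765 and the plausibility rule are my own constructions): a six-character PID column sized for an unsigned short turns a larger UniqueProcessId into "14...5", a ten-character column holds any unsigned int, and a value that cannot be a real PID marks the row as a likely false positive or overwritten structure.

```python
# Added example, not Volatility code: models the fixed-width PID column
# described in the message above and flags pool-scanner hits whose
# UniqueProcessId cannot be a real Windows PID.

PID_COL_WIDTH = 6         # sized for an unsigned short (max 65535)
UINT32_COL_WIDTH = 10     # sized for an unsigned int (max 4294967295)
MAX_VALID_PID = 0xFFFF    # upper bound stated in the message above


def elide(value, width):
    """Right-align a value in a fixed-width column; if it does not fit,
    keep the head and tail and put '...' in the middle (my reconstruction
    of the rendering seen in the pasted output)."""
    s = str(value)
    if width <= 0 or len(s) <= width:
        return s.rjust(width)
    if width < 5:
        raise ValueError("cannot elide to fewer than 5 characters")
    even = (width + 1) % 2            # extra head character for even widths
    half = (width - 3) // 2
    return s[:half + even] + "..." + s[-half:]


def pid_plausible(pid):
    """Windows PIDs index PspCidTable in steps of 4, and the message above
    treats anything above 65535 as invalid, so values outside that shape
    point to a false positive or an overwritten UniqueProcessId."""
    return 0 <= pid <= MAX_VALID_PID and pid % 4 == 0


def render_rows(rows, width=PID_COL_WIDTH):
    """Render (offset, name, pid) tuples the way psxview lays them out,
    appending a marker to rows whose PID fails the plausibility check."""
    out = []
    for offset, name, pid in rows:
        mark = "" if pid_plausible(pid) else "  <- implausible PID"
        out.append(f"{offset:#010x} {name:<20} {elide(pid, width)}{mark}")
    return out


# Constructed sample: two rows from the pasted output plus one invented
# pool hit whose PID is far beyond the unsigned-short range.
SAMPLE_ROWS = [
    (0x05760020, "System", 4),
    (0x19863d21, "svchost.exe", 804),
    (0x2253cfb9, "", 1498765),        # 1498765 is a made-up value
]

if __name__ == "__main__":
    print("\n".join(render_rows(SAMPLE_ROWS)))                    # 6-wide: 14...5
    print("\n".join(render_rows(SAMPLE_ROWS, UINT32_COL_WIDTH)))  # full value
```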

On Thu, Aug 16, 2012 at 1:47 PM, phocean <0x90@phocean.net> wrote:

Personally no, but there will probably be more competent people who will answer.

The most surprising is not weird PID but that most processes are hidden from pslist.

Isn't it just a bug or can you tell more about the context?

--- phocean

On 16 August 2012 at 17:51, "Armet, Lee" <Lee.Armet@td.com> wrote:

Anyone ever see this?

0x2253cfb9                     14...5 False  True   False    False   False

Volatile Systems Volatility Framework 2.2_alpha
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x05760020 System                    4 True   True   True     True    False
0x19863d21 svchost.exe             804 False  True   False    False   False
0x18fa330d pdfPro5Hook.ex         3832 False  True   False    False   False
0x18a9d585 cmd.exe                3052 False  True   False    False   False
0x2eac4d45 svchost.exe             724 False  True   False    False   False
0x1d844541 taskhost.exe           3308 False  True   False    False   False
0x190203a9 ISUSPM.exe             3956 False  True   False    False   False
0x18b2d26a System                    4 False  True   False    False   False
0x0c1577ed sppsvc.exe             3276 False  True   False    False   False
0x190b1335 svchost.exe             796 False  True   False    False   False
0x13473a2d wininit.exe             504 False  True   False    False   False
0x2253cfb9                     14...5 False  True   False    False   False
0x22e79729 wuauclt.exe            2908 False  True   False    False   False
0x21442a21 ccSvcHst.exe           3040 False  True   False    False   False
0x18f75c35 BrStMonW.exe           3936 False  True   False    False   False
0x19044359 SearchIndexer.         2588 False  True   False    False   False
0x22209305 svchost.exe            1332 False  True   False    False   False
0x1900a539 BrCcUxSys.exe          1136 False  True   False    False   False
0x227df30d svchost.exe            1764 False  True   False    False   False
0x3accbd3d explorer.exe           3492 False  True   False    False   False
0x18f980a5 pptd40nt.exe           3772 False  True   False    False   False

Regards,

Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group

NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions.
NOTICE: Confidential message whose contents may be privileged. Use/disclosure without permission prohibited. If received in error, please go to www.td.com/francais/avis_juridique for instructions.

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users