Hi Ben,

Process Explorer only verifies the signature of the image on disk, not in memory. As these signatures are not generated on a per page basis, it is not possible to use them to verify code in memory.

I plan on releasing a prototype plugin that validates in-memory code on Windows next week, alongside my presentation at DFRWS. This is not achieved using the existing digital signatures, however, but with hashes built from Windows executables.

I hope this answers your question.

Regards,
Andrew White
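An added illustration of the page-hash idea Andrew describes (example code written for this thread, not the Volatility plugin he mentions): the executable sections of the on-disk file are laid out as the loader would map them, hashed one page at a time, and compared against the pages found in memory. The section table and bytes below are a constructed toy, not a real PE.

```python
import hashlib

PAGE = 0x1000  # x86/x64 page size

def map_sections(disk, sections, image_size):
    """Lay on-disk sections out at their RVAs (file alignment differs
    from section alignment, so gaps are zero-filled like the loader does)."""
    image = bytearray(image_size)
    for _name, raw_off, raw_size, rva, vsize, _exec in sections:
        n = min(raw_size, vsize)
        image[rva:rva + n] = disk[raw_off:raw_off + n]
    return bytes(image)

def page_hashes(image, sections):
    """SHA-256 of every page in an executable section; writable data pages
    legitimately change at run time, so they are not part of the baseline."""
    hashes = {}
    for _name, _raw_off, _raw_size, rva, vsize, executable in sections:
        if not executable:
            continue
        for addr in range(rva - rva % PAGE, rva + vsize, PAGE):
            hashes[addr] = hashlib.sha256(image[addr:addr + PAGE]).hexdigest()
    return hashes

def verify(memory, expected):
    """Return RVAs of code pages whose in-memory bytes differ from disk."""
    return sorted(rva for rva, h in expected.items()
                  if hashlib.sha256(memory[rva:rva + PAGE]).hexdigest() != h)

# Constructed sample image: (name, raw_off, raw_size, rva, vsize, executable)
SECTIONS = [
    (".text", 0x200, 0x1800, 0x1000, 0x1800, True),
    (".data", 0x1A00, 0x400, 0x3000, 0x400, False),
]
DISK = bytes(range(256)) * 0x1E   # 0x1E00 bytes of constructed file content
IMAGE_SIZE = 0x4000

def demo():
    """Baseline from disk, then a memory image with one data change
    (expected, ignored) and one code change (reported)."""
    clean = map_sections(DISK, SECTIONS, IMAGE_SIZE)
    expected = page_hashes(clean, SECTIONS)
    memory = bytearray(clean)
    memory[0x3100] = 0xFF                           # .data: not flagged
    memory[0x2010:0x2015] = b"\xE9\x00\x00\x00\x00"  # .text: flagged
    return verify(bytes(memory), expected)         # returns [0x2000]
```

On a real image the comparison also has to account for relocations and import-table fixups applied by the loader, which is why a disk hash of the whole file cannot simply be re-checked against memory.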


On Tue, Jul 30, 2013 at 12:46 PM, sockify <sockify@gmail.com> wrote:
I meant process explorer and the "verified signer" feature


On Tue, Jul 30, 2013 at 8:43 PM, sockify <sockify@gmail.com> wrote:
Hi all,

Apologies if this has been addressed already, but I can't find it in the archives. Is Volatility able to verify image signatures similar to how process monitor can? I suspect the answer is no, as it's not a live system and may not be running under Windows. None of the plugins seem to be able to do this from what I can see; I just want to check I'm not missing something.

Cheers

Ben


_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users