Good question, I didn't cover this part in the blog. The difference you're seeing has to do with the fact that User X was logged into the console and then you connected via RDP as User X. In this case, applications in both sessions would run as User X. Thus there's no need for isolation and the two are merged together. In the example used in the blog, User X was logged into the console and User Y logged in via RDP. That way the attacker was able to connect and use the system without the user at the console being aware (I'm sure you noticed when you logged into RDP as User X, it "stole" the display away from the console user). So what we did was analyze User Y's session and saw it included rdpclip.exe and RDPDD.dll, telling us User Y was logged in over RDP and not the console. If User Y was logged in from the console *and* at some point RDP, and had started applications on both sessions, we wouldn't really have a good way to determine which application was started from which session.

On Thu, Oct 4, 2012 at 6:31 PM, Brett Cunningham <brettcu@gmail.com> wrote:

I RDP'ed into another VM, opened notepad, regedit and cmd in order to reenact the sessions plugin. I didn't get the expected output as was on the blog post (http://volatility-labs.blogspot.com/2012/09/movp-11-logon-sessions-processes-and.html). It shows up under the main RDP console ID. I'm guessing that this is because I'm using WinXP and it doesn't support multiple logins. Is this the reason?

$ vol.py sessions -f ~/vmware/VD/VD.vmem --profile=WinXPSP2x86
Volatile Systems Volatility Framework 2.2_rc2
**************************************************
Session(V): f7b0f000 ID: 0 Processes: 27

PagedPoolStart: bb800000 PagedPoolEnd bbbfffff
Process: 656 csrss.exe 2012-09-27 01:15:38
Process: 680 winlogon.exe 2012-09-27 01:15:38
Process: 724 services.exe 2012-09-27 01:15:38

Process: 736 lsass.exe 2012-09-27 01:15:38
Process: 888 vmacthlp.exe 2012-09-27 01:15:39
Process: 900 svchost.exe 2012-09-27 01:15:39
Process: 984 svchost.exe 2012-09-27 01:15:39

Process: 1076 svchost.exe 2012-09-27 01:15:39
Process: 1120 svchost.exe 2012-09-27 01:15:39
Process: 1196 svchost.exe 2012-09-27 01:15:40
Process: 1412 spoolsv.exe 2012-09-27 01:15:41

Process: 1544 svchost.exe 2012-09-27 01:15:50
Process: 1616 jqs.exe 2012-09-27 01:15:50
Process: 1652 PortReporter.ex 2012-09-27 01:15:50
Process: 1820 vmtoolsd.exe 2012-09-27 01:15:53

Process: 1880 VMUpgradeHelper 2012-09-27 01:15:53
Process: 508 alg.exe 2012-09-27 01:16:01
Process: 1512 explorer.exe 2012-09-27 18:39:34
Process: 1156 wscntfy.exe 2012-09-27 18:39:35

Process: 1472 VMwareTray.exe 2012-09-27 18:39:58
Process: 628 jusched.exe 2012-09-27 18:39:59
Process: 1312 cmd.exe 2012-09-27 18:51:10
Process: 2040 jucheck.exe 2012-09-27 18:51:17

Process: 252 wuauclt.exe 2012-09-29 17:28:35
Process: 824 rdpclip.exe 2012-09-29 17:28:43
Process: 388 notepad.exe 2012-10-04 22:24:31
Process: 268 regedit.exe 2012-10-04 22:24:34

Image: 0x829596a0, Address bf800000, Name: win32k.sys
Image: 0x82abc2d8, Address bf000000, Name: dxg.sys
Image: 0x829d66e0, Address bffa0000, Name: ATMFD.DLL
Image: 0x82955e20, Address bff60000, Name: RDPDD.dll

Image: 0xbeff009c, Address c07bd878, Name:
**************************************************
Session(V): f7b6f000 ID: 3 Processes: 2
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff

Process: 1032 csrss.exe 2012-09-29 17:28:42
Process: 2004 winlogon.exe 2012-09-29 17:28:42
Image: 0x82b83788, Address bf800000, Name: win32k.sys
Image: 0x8299eb70, Address bf000000, Name: dxg.sys

Image: 0x82b9de80, Address bf012000, Name: vmx_fb.dll
Image: 0x82a084c8, Address bffa0000, Name: ATMFD.DLL
Image: 0xbeff009c, Address c07bdb78, Name:
**************************************************

Session(V): f7b43000 ID: 1 Processes: 0
PagedPoolStart: bb800000 PagedPoolEnd bbbfffff

_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users