Hey all.
So... I have a couple of questions (clearly) about procexedump and another
one about hidden processes. First, procexedump. Here's the info from the
memdump:
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe           3336   1628      0 --------      0      0 2012-12-13 15:22:46  2012-12-13 15:25:22

Offset(P)  Name                PID   PPID PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x0925a808 exp3.tmp.exe       3336   1628 0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
I'm attempting to dump this to an exe file, but here's what I'm
getting:
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x8925a808 ---------- exp3.tmp.exe         Error: PEB at 0x7ffdf000 is paged
I won't lie: I don't really have a handle on the entire memory structure
of Windows XP SP3. What exactly can I do, if anything, to get this as a
sample? Next up, hidden processes:
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443             1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443               1448
0x091bfa70 192.168.0.2:1069          x.x.x.106:443             1448
0x09231478 192.168.0.2:1065          x.x.x.106:443             1448
pslist, psscan, and psxview do not show this PID. How do I figure out
what and where this PID is? Thanks for any help you can provide.
James
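Editor's note, added example (not part of James's post or of Volatility itself): the two problems above, a dump that fails on a process that already shows an exit time and connection objects owned by a PID that no process listing knows about, are both easy to spot mechanically by cross-referencing the plugin output. The script below parses the text layout of psscan and connscan output as it appears in the post (whitespace-separated columns, header and dashed separator lines) and reports PIDs that own connections but have no process object, plus processes that carry an exit time. The sample output embedded in it is constructed for the example, modelled on the column layout above; the extra PIDs, names and offsets are invented and are not from the analyst's image.

```python
"""Cross-reference Volatility 2 psscan and connscan text output.

Two checks a triage analyst wants before dumping or chasing a PID:
  1. connection objects whose owning PID has no process object in psscan
  2. processes that already carry an exit time (their user-mode address
     space, the PEB included, has normally been torn down, so PEB-based
     dumping is expected to fail)
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional

# Constructed sample output, modelled on the column layout in the post.
# Only exp3.tmp.exe/3336 and the 1448 connections mirror the post; the
# System/explorer.exe rows and the PID 4 connection are invented filler.
PSSCAN_OUTPUT = """\
Offset(P)  Name                PID   PPID PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x09f1e020 System                4      0 0x0a440020 2012-12-13 15:01:02
0x0925a808 exp3.tmp.exe       3336   1628 0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
0x09341a90 explorer.exe       1628   1580 0x0a4402a0 2012-12-13 15:01:40
"""

CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443             1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443               1448
0x09230000 192.168.0.2:1080          192.168.0.1:445           4
"""


@dataclass
class Process:
    offset: str
    name: str
    pid: int
    ppid: int
    exited: Optional[str]  # "YYYY-MM-DD HH:MM:SS" when the process has exited


@dataclass
class Connection:
    offset: str
    local: str
    remote: str
    pid: int


def _rows(text: str) -> Iterator[List[str]]:
    """Yield whitespace-split data rows, skipping headers and separators."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Offset", "---")):
            continue
        yield line.split()


def parse_psscan(text: str) -> Dict[int, Process]:
    """Map PID -> Process. Assumes names contain no spaces (psscan truncates them)."""
    procs: Dict[int, Process] = {}
    for f in _rows(text):
        # offset name pid ppid pdb created_date created_time [exit_date exit_time]
        exited = f"{f[7]} {f[8]}" if len(f) >= 9 else None
        proc = Process(f[0], f[1], int(f[2]), int(f[3]), exited)
        procs[proc.pid] = proc
    return procs


def parse_connscan(text: str) -> List[Connection]:
    """Each connscan row is exactly: offset local remote pid."""
    return [Connection(f[0], f[1], f[2], int(f[3])) for f in _rows(text)]


def orphan_connection_pids(procs: Dict[int, Process],
                           conns: List[Connection]) -> Dict[int, List[Connection]]:
    """PIDs that own connection objects but have no process object in psscan."""
    orphans: Dict[int, List[Connection]] = {}
    for c in conns:
        if c.pid not in procs:
            orphans.setdefault(c.pid, []).append(c)
    return orphans


def exited_processes(procs: Dict[int, Process]) -> List[Process]:
    """Processes with an exit time; expect procexedump/PEB walks to fail on these."""
    return [p for p in procs.values() if p.exited is not None]


if __name__ == "__main__":
    procs = parse_psscan(PSSCAN_OUTPUT)
    conns = parse_connscan(CONNSCAN_OUTPUT)
    for pid, cs in orphan_connection_pids(procs, conns).items():
        print(f"PID {pid}: {len(cs)} connection(s), no process object in psscan")
        for c in cs:
            print(f"    {c.offset} {c.local} -> {c.remote}")
    for p in exited_processes(procs):
        print(f"PID {p.pid} ({p.name}) exited at {p.exited}; user-mode memory likely gone")
```

Two caveats when reading the report. connscan carves pool memory, so it also returns stale connection objects belonging to processes that have already exited and whose _EPROCESS has since been overwritten; an orphan PID is therefore a lead to chase (for example against other pool-scanning plugins), not proof of a hidden process. And a PID in the exited list is flagged only from the psscan exit time; the script does not inspect the PEB itself.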