Hi Ben,

Process Explorer only verifies the signature of the image on disk, not in memory. As these signatures are not generated on a per-page basis, it is not possible to use them to verify code in memory.

I plan on releasing a prototype plugin that validates in-memory code on Windows next week, alongside my presentation at DFRWS. This is not achieved using the existing digital signatures, however, but with hashes built from Windows executables.

I hope this answers your question.

Regards,
Andrew White

On Tue, Jul 30, 2013 at 12:46 PM, sockify <sockify@gmail.com> wrote:
I meant Process Explorer and the "Verified Signer" feature.
On Tue, Jul 30, 2013 at 8:43 PM, sockify <sockify@gmail.com> wrote:
Hi all,

Apologies if this has been addressed already, but I can't find it in the archives. Is Volatility able to verify image signatures similar to how Process Monitor can? I suspect the answer is no, as it's not a live system and may not be running under Windows. None of the plugins seem to be able to do this from what I can see; I just want to check I'm not missing something.

Cheers,
Ben
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
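The point Andrew makes above, that a file-level signature cannot be used to check code page by page in memory, is illustrated by the following added example. It is not code from the thread, from Andrew's DFRWS plugin or from Volatility; it is a constructed Python model in which a "disk image" is a blob of 4 KiB pages, the Authenticode check is simplified to a SHA-256 over the whole blob (real Authenticode skips the checksum and certificate-table fields, which does not change the argument), and the per-page hash list plays the role of the "hashes built from Windows executables" he describes. The patch offsets and the idea that page 0 holds loader-rewritten data (import table fixups) are assumptions for the demonstration.

```python
"""Why a whole-image signature cannot validate in-memory code, and how a
per-page hash list can (constructed example, not Volatility code)."""
import hashlib

PAGE_SIZE = 4096  # x86/x64 page size; the unit at which memory is validated


def build_image(num_pages, seed=b"vol-users"):
    """Constructed stand-in for a PE image on disk: deterministic bytes,
    one distinct 4 KiB page per index (not a real executable)."""
    pages = []
    for i in range(num_pages):
        chunk = hashlib.sha256(seed + bytes([i])).digest()   # 32 bytes
        pages.append(chunk * (PAGE_SIZE // len(chunk)))       # 128 * 32 = 4096
    return b"".join(pages)


def whole_image_hash(image):
    """Simplified Authenticode-style digest: one hash over the entire file.
    Any single-byte change anywhere invalidates it, with no locality."""
    return hashlib.sha256(image).hexdigest()


def page_hashes(image):
    """Per-page digests: what a memory validator needs, because it can
    only see pages that are resident and may be checked individually."""
    return [hashlib.sha256(image[off:off + PAGE_SIZE]).hexdigest()
            for off in range(0, len(image), PAGE_SIZE)]


def verify_whole(mem_image, trusted_hash):
    """File-level check applied to the in-memory copy. Returns True/False only;
    it cannot say which page changed or whether the change was legitimate."""
    return whole_image_hash(mem_image) == trusted_hash


def verify_pages(mem_image, trusted_pages, skip=()):
    """Return indices of in-memory pages whose hash differs from the trusted
    list. `skip` holds pages the loader is expected to rewrite (relocations,
    import address table); a real validator must model these or it will
    flag every loaded module. Assumption: `skip` is known for this image."""
    mismatches = []
    for idx, digest in enumerate(page_hashes(mem_image)):
        if idx in skip:
            continue
        if idx >= len(trusted_pages) or digest != trusted_pages[idx]:
            mismatches.append(idx)
    return mismatches


def patch(image, offset, data):
    """Overwrite bytes in an immutable image and return the new copy."""
    return image[:offset] + data + image[offset + len(data):]


def demo():
    """Simulate a module on disk and its in-memory copy after loading and
    after an inline hook, then compare both verification strategies."""
    disk = build_image(4)
    trusted_whole = whole_image_hash(disk)
    trusted_pages = page_hashes(disk)

    # Assumed: page 0 contains the import table, which the loader rewrites
    # with resolved addresses. Legitimate, but it changes the bytes.
    mem = patch(disk, 0x100, b"\x00\x10\x40\x00\x00\x00\x00\x00")
    # Attacker installs a 5-byte JMP rel32 inline hook in page 2 (constructed).
    mem = patch(mem, 2 * PAGE_SIZE + 0x20, b"\xe9\x00\x00\x00\x00")

    return {
        # Whole-image check fails, but would also fail on a clean load
        # because of the import fixups alone, so it carries no signal.
        "whole_ok": verify_whole(mem, trusted_whole),
        # Naive per-page check flags the loader's page and the hooked page.
        "bad_pages_all": verify_pages(mem, trusted_pages),
        # With loader-modified pages modelled, only the hook remains.
        "bad_pages_skip_iat": verify_pages(mem, trusted_pages, skip={0}),
    }


if __name__ == "__main__":
    print(demo())
```

The `skip` set is the part that does real work in practice: relocations, the import address table and any data sections differ between disk and memory by design, so a page-hash approach has to either normalise those regions before hashing or exclude them, otherwise every loaded module looks tampered with. The whole-image check has no such option, which is the reason Process Explorer's "Verified Signer" result says nothing about what is executing in memory.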