Hey All,
I realized that my memory dump file was a little corrupt. Glad I made two (one with FTK
Imager and one with WinEn): Here is my pslist:
root@SIFT-Workstation:/mnt/hgfs/myCases/2012-08-0016/mits# cat pslist
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x85760020 System 4 0 124 599 ------ 0 2012-08-14 12:05:00
0x86efb4c0 smss.exe 304 4 2 33 ------ 0 2012-08-14 12:05:00
0x87639910 csrss.exe 432 380 9 682 0 0 2012-08-14 12:05:07
0x878aa030 wininit.exe 504 380 3 79 0 0 2012-08-14 12:05:08
0x878aa878 csrss.exe 512 496 11 400 1 0 2012-08-14 12:05:08
0x878d5548 services.exe 568 504 7 233 0 0 2012-08-14 12:05:08
0x878d9030 winlogon.exe 592 496 3 122 1 0 2012-08-14 12:05:08
0x878dd128 lsass.exe 600 504 7 660 0 0 2012-08-14 12:05:08
0x870012b0 lsm.exe 632 504 10 140 0 0 2012-08-14 12:05:09
0x87922340 svchost.exe 724 568 9 368 0 0 2012-08-14 12:05:09
0x87948318 svchost.exe 804 568 9 296 0 0 2012-08-14 12:05:10
0x8796b030 svchost.exe 888 568 19 504 0 0 2012-08-14 12:05:10
0x87989958 svchost.exe 940 568 24 509 0 0 2012-08-14 12:05:10
0x879a0030 svchost.exe 996 568 32 1103 0 0 2012-08-14 12:05:10
0x879db030 svchost.exe 1156 568 17 361 0 0 2012-08-14 12:05:10
0x87a16930 svchost.exe 1332 568 16 524 0 0 2012-08-14 12:05:10
0x87485030 spoolsv.exe 1460 568 17 396 0 0 2012-08-14 12:05:11
0x87a535e0 svchost.exe 1492 568 18 305 0 0 2012-08-14 12:05:11
0x87495b38 armsvc.exe 1584 568 4 67 0 0 2012-08-14 12:05:11
0x874b0ad0 PDFProFiltSrvP 1620 568 5 60 0 0 2012-08-14 12:05:11
0x8717d9e0 w3dbsmgr.exe 1656 568 11 197 0 0 2012-08-14 12:05:11
0x875ed830 ccSvcHst.exe 1716 568 62 1441 0 0 2012-08-14 12:05:11
0x87a97930 svchost.exe 1764 568 10 159 0 0 2012-08-14 12:05:11
0x87b81030 Smc.exe 2256 568 23 637 0 0 2012-08-14 12:05:17
0x87bcf030 ccSvcHst.exe 3040 1716 19 293 1 0 2012-08-14 12:07:09
0x865ffc28 HP1006MC.EXE 3232 724 5 85 0 0 2012-08-14 12:07:09
0x87be3b50 taskhost.exe 3308 568 8 187 1 0 2012-08-14 12:07:10
0x878edb18 dwm.exe 3416 940 5 111 1 0 2012-08-14 12:07:10
0x878bf340 explorer.exe 3492 3260 24 852 1 0 2012-08-14 12:07:10
0x85900800 jusched.exe 3680 3492 1 42 1 0 2012-08-14 12:07:11
0x859304a0 pptd40nt.exe 3772 3492 3 72 1 0 2012-08-14 12:07:11
0x85935708 pdfPro5Hook.ex 3832 3492 2 55 1 0 2012-08-14 12:07:11
0x8591c030 BrStMonW.exe 3936 3492 5 143 1 0 2012-08-14 12:07:12
0x8595d7a0 ISUSPM.exe 3956 3492 7 248 1 0 2012-08-14 12:07:12
0x8796b638 BrCtrlCntr.exe 3984 3916 2 142 1 0 2012-08-14 12:07:12
0x87c07708 BrYNSvc.exe 4080 568 7 128 0 0 2012-08-14 12:07:12
0x8595b930 BrCcUxSys.exe 1136 3984 2 92 1 0 2012-08-14 12:07:12
0x85960750 SearchIndexer. 2588 568 14 938 0 0 2012-08-14 12:07:17
0x85990728 svchost.exe 796 568 5 78 0 0 2012-08-14 12:07:18
0x87b52d40 wuauclt.exe 2908 996 3 91 1 0 2012-08-14 12:08:36
0x879e15e8 agent.exe 2584 724 6 259 1 0 2012-08-14 12:17:14
0x86e8ebd8 audiodg.exe 3144 888 5 129 0 0 2012-08-14 17:53:07
0x86faad40 sppsvc.exe 3276 568 4 166 0 0 2012-08-14 17:54:40
0x85b8c998 cmd.exe 3052 3492 1 20 1 0 2012-08-14 17:56:47
0x87193030 conhost.exe 1324 512 2 54 1 0 2012-08-14 17:56:47
0x86fc7030 winen.exe 3160 3052 3 86 1 0 2012-08-14 17:57:20
Here is my PSSCAN:
root@SIFT-Workstation:/mnt/hgfs/myCases/2012-08-0016/mits# cat psscan
Offset(P) Name PID PPID PDB Time created Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x05760020 System 4 0 0x00185000 2012-08-14 12:05:00
0x8824fd79 System 4 0 0x00185000 2012-08-14 12:05:00
0xcce07708 BrYNSvc.exe 4080 568 0xcdd31520 2012-08-14 12:07:12
0xcd016930 svchost.exe 1332 568 0xcdd31220 2012-08-14 12:05:10
0xcd0535e0 svchost.exe 1492 568 0xcdd31260 2012-08-14 12:05:11
0xcd097930 svchost.exe 1764 568 0xcdd31300 2012-08-14 12:05:11
0xcd152d40 wuauclt.exe 2908 996 0xcdd313c0 2012-08-14 12:08:36
0xcd181030 Smc.exe 2256 568 0xcdd31340 2012-08-14 12:05:17
0xcd1cf030 ccSvcHst.exe 3040 1716 0xcdd313a0 2012-08-14 12:07:09
0xcd1e3b50 taskhost.exe 3308 568 0xcdd313e0 2012-08-14 12:07:10
0xcd2aa030 wininit.exe 504 380 0xcdd310a0 2012-08-14 12:05:08
0xcd2aa878 csrss.exe 512 496 0xcdd310c0 2012-08-14 12:05:08
0xcd2bf340 explorer.exe 3492 3260 0xcdd31420 2012-08-14 12:07:10
0xcd2d5548 services.exe 568 504 0xcdd31040 2012-08-14 12:05:08
0xcd2d9030 winlogon.exe 592 496 0xcdd310e0 2012-08-14 12:05:08
0xcd2dd128 lsass.exe 600 504 0xcdd31100 2012-08-14 12:05:08
0xcd2edb18 dwm.exe 3416 940 0xcdd31400 2012-08-14 12:07:10
0xcd322340 svchost.exe 724 568 0xcdd31120 2012-08-14 12:05:09
0xcd348318 svchost.exe 804 568 0xcdd31140 2012-08-14 12:05:10
0xcd36b030 svchost.exe 888 568 0xcdd31160 2012-08-14 12:05:10
0xcd36b638 BrCtrlCntr.exe 3984 3916 0xcdd31580 2012-08-14 12:07:12
0xcd389958 svchost.exe 940 568 0xcdd311a0 2012-08-14 12:05:10
0xcd3a0030 svchost.exe 996 568 0xcdd311c0 2012-08-14 12:05:10
0xcd3db030 svchost.exe 1156 568 0xcdd31200 2012-08-14 12:05:10
0xcd3e15e8 agent.exe 2584 724 0xcdd31660 2012-08-14 12:17:14
0xcd439910 csrss.exe 432 380 0xcdd31060 2012-08-14 12:05:07
0xcd685030 spoolsv.exe 1460 568 0xcdd31240 2012-08-14 12:05:11
0xcd695b38 armsvc.exe 1584 568 0xcdd31280 2012-08-14 12:05:11
0xcd6b0ad0 PDFProFiltSrvP 1620 568 0xcdd312a0 2012-08-14 12:05:11
0xcd7ed830 ccSvcHst.exe 1716 568 0xcdd312e0 2012-08-14 12:05:11
0xcda012b0 lsm.exe 632 504 0xcdd31080 2012-08-14 12:05:09
0xcdb7d9e0 w3dbsmgr.exe 1656 568 0xcdd312c0 2012-08-14 12:05:11
0xcdb93030 conhost.exe 1324 512 0xcdd31440 2012-08-14 17:56:47
0xcdc8ebd8 audiodg.exe 3144 888 0xcdd31600 2012-08-14 17:53:07
0xcdcfb4c0 smss.exe 304 4 0xcdd31020 2012-08-14 12:05:00
0xcddaad40 sppsvc.exe 3276 568 0xcdd31460 2012-08-14 17:54:40
0xcddc7030 winen.exe 3160 3052 0xcdd31640 2012-08-14 17:57:20
0xce7ffc28 HP1006MC.EXE 3232 724 0xcdd31380 2012-08-14 12:07:09
0xcf18c998 cmd.exe 3052 3492 0xcdd311e0 2012-08-14 17:56:47
0xcf300800 jusched.exe 3680 3492 0xcdd314c0 2012-08-14 12:07:11
0xcf31c030 BrStMonW.exe 3936 3492 0xcdd314a0 2012-08-14 12:07:12
0xcf3304a0 pptd40nt.exe 3772 3492 0xcdd31500 2012-08-14 12:07:11
0xcf335708 pdfPro5Hook.ex 3832 3492 0xcdd31540 2012-08-14 12:07:11
0xcf35b930 BrCcUxSys.exe 1136 3984 0xcdd315a0 2012-08-14 12:07:12
0xcf35d7a0 ISUSPM.exe 3956 3492 0xcdd315c0 2012-08-14 12:07:12
0xcf360750 SearchIndexer. 2588 568 0xcdd31360 2012-08-14 12:07:17
0xcf390728 svchost.exe 796 568 0xcdd315e0 2012-08-14 12:07:18
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank
Group
O:416-982-6855 | M:647-242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Thursday, August 16, 2012 2:20 PM
To: phocean; Armet, Lee
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding
So the weird PID is because the pid column is fixed width for an unsigned short (since the
maximum pid is 65535) however the EPROCESS.UniqueProcessId is actually defined as an
unsigned int. So what happened is psscan (process pool scanner) picked up a possible
structure whose UniqueProcessId value is larger than any valid PID and it gets shortened
to "14...5" to fit in the column. I suppose we should fix it so that the whole
unsigned int can fit even though those entries are likely to be false positives or a real
EPROCESS structure but the pid member has been overwritten.
But yes the False in pslist, thrdproc, etc is strange. Does the pslist command work on
your image? Also can you paste the full command-line you're using (not just the
output)?
Thanks,
MHL
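As an added illustration (not code from the thread or from Volatility), the script below parses pslist and psscan text output and flags the three situations discussed in this thread: a psscan hit whose PID exceeds 0xFFFF (the unsigned-short range MHL describes, so the pid member was probably overwritten or the hit is a false positive), a PID/name pair that psscan finds at a second physical offset (the two System entries in Lee's output), and entries present in psscan but absent from pslist. The sample rows are constructed from the thread's output plus one fabricated junk hit; the column layout assumed is Volatility 2.x's text output, and the names `parse_rows` and `cross_check` are mine.

```python
"""Cross-check Volatility pslist output against psscan output (psxview-style).

Added example, not part of the mailing-list thread or of Volatility itself.
Assumes Volatility 2.x text layout: offset, name, pid, ppid as the first four
whitespace-separated columns of each data row.
"""
import re

# PIDs are allocated in the range of an unsigned short; EPROCESS.UniqueProcessId
# is a wider field, so a larger value cannot be a real PID.
MAX_VALID_PID = 0xFFFF

# Matches a data row: hex offset, name, pid, ppid (header/separator rows fail).
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(\S+)\s+(\d+)\s+(\d+)\b")

# Constructed sample: a subset of the pslist rows from the thread.
PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ --------------------
0x85760020 System                    4      0    124      599 ------      0 2012-08-14 12:05:00
0x86efb4c0 smss.exe                304      4      2       33 ------      0 2012-08-14 12:05:00
0x87639910 csrss.exe               432    380      9      682      0      0 2012-08-14 12:05:07
0x85b8c998 cmd.exe                3052   3492      1       20      1      0 2012-08-14 17:56:47
"""

# Constructed sample: psscan rows from the thread plus one fabricated pool hit
# (last row) whose UniqueProcessId is far above 0xFFFF.
PSSCAN_SAMPLE = """\
Offset(P)  Name             PID   PPID   PDB        Time created
---------- ---------------- ------ ------ ---------- --------------------
0x05760020 System                4      0 0x00185000 2012-08-14 12:05:00
0x8824fd79 System                4      0 0x00185000 2012-08-14 12:05:00
0xcdcfb4c0 smss.exe            304      4 0xcdd31020 2012-08-14 12:05:00
0xcd439910 csrss.exe           432    380 0xcdd31060 2012-08-14 12:05:07
0xcf18c998 cmd.exe            3052   3492 0xcdd311e0 2012-08-14 17:56:47
0xcddc7030 winen.exe          3160   3052 0xcdd31640 2012-08-14 17:57:20
0x2253cfb9 junk.pool    1407652305      0 0x00000000 (constructed junk hit)
"""


def parse_rows(text):
    """Return a list of dicts (offset, name, pid, ppid) for each data row."""
    rows = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue  # header, separator or blank line
        offset, name, pid, ppid = m.groups()
        rows.append({"offset": int(offset, 16), "name": name,
                     "pid": int(pid), "ppid": int(ppid)})
    return rows


def cross_check(pslist_text, psscan_text):
    """Flag psscan rows that deserve a second look.

    Reasons:
      pid-out-of-range    PID > 0xFFFF: false positive or overwritten pid member
      duplicate-in-psscan same PID/name already seen at another physical offset
      psscan-only         not in pslist: exited, unlinked, or pslist failed
    """
    listed = {(r["pid"], r["name"]) for r in parse_rows(pslist_text)}
    seen = set()
    findings = []
    for r in parse_rows(psscan_text):
        key = (r["pid"], r["name"])
        if r["pid"] > MAX_VALID_PID:
            reason = "pid-out-of-range"
        elif key in seen:
            reason = "duplicate-in-psscan"
        elif key not in listed:
            reason = "psscan-only"
        else:
            reason = None
        seen.add(key)
        if reason:
            findings.append({"offset": r["offset"], "name": r["name"],
                             "pid": r["pid"], "reason": reason})
    return findings


if __name__ == "__main__":
    for f in cross_check(PSLIST_SAMPLE, PSSCAN_SAMPLE):
        print("0x%08x %-16s %10d %s" % (f["offset"], f["name"], f["pid"], f["reason"]))
```

On a healthy image almost every psscan row should come back clean; a psscan-only list as long as the one in Lee's psxview output points at the walk of the EPROCESS list failing (a damaged or mis-profiled dump) rather than at dozens of genuinely hidden processes, which is the distinction MHL is probing with his question about whether pslist works at all.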
On Thu, Aug 16, 2012 at 1:47 PM, phocean <0x90@phocean.net> wrote:
Personally no, but there will probably be more competent people who will answer.
The most surprising thing is not the weird PID but that most processes are hidden from pslist.
Isn't it just a bug, or can you tell more about the context?
--- phocean
On 16 August 2012 at 17:51, "Armet, Lee" <Lee.Armet@td.com> wrote:
Anyone ever see this?
0x2253cfb9 14...5 False True False False False
Volatile Systems Volatility Framework 2.2_alpha
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x05760020 System 4 True True True True False
0x19863d21 svchost.exe 804 False True False False False
0x18fa330d pdfPro5Hook.ex 3832 False True False False False
0x18a9d585 cmd.exe 3052 False True False False False
0x2eac4d45 svchost.exe 724 False True False False False
0x1d844541 taskhost.exe 3308 False True False False False
0x190203a9 ISUSPM.exe 3956 False True False False False
0x18b2d26a System 4 False True False False False
0x0c1577ed sppsvc.exe 3276 False True False False False
0x190b1335 svchost.exe 796 False True False False False
0x13473a2d wininit.exe 504 False True False False False
0x2253cfb9 14...5 False True False False False
0x22e79729 wuauclt.exe 2908 False True False False False
0x21442a21 ccSvcHst.exe 3040 False True False False False
0x18f75c35 BrStMonW.exe 3936 False True False False False
0x19044359 SearchIndexer. 2588 False True False False False
0x22209305 svchost.exe 1332 False True False False False
0x1900a539 BrCcUxSys.exe 1136 False True False False False
0x227df30d svchost.exe 1764 False True False False False
0x3accbd3d explorer.exe 3492 False True False False False
0x18f980a5 pptd40nt.exe 3772 False True False False False
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank
Group
O:416-982-6855 | M:647-242-0002
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users