Well the "--------" in the Hnds column of the pslist output means the
handle table is invalid (probably because the process has exited). Thus
there will be no handles.
Regarding the desire to see injected code, you had the resources in front
of you but perhaps didn't know it. With each of the possibly suspect memory
ranges, malfind prints a disassembly and hex dump of the data. You excluded
that data from your email, but should have seen it on your screen.
MHL
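A small triage helper added here to illustrate the point above (not code from MHL or the Volatility project): it parses Volatility 2 pslist rows, treats "--------" in the Hnds column or a recorded Exit time as an exited process, and separates those from running ones before anyone reaches for the handles plugin. The SAMPLE rows are constructed, built from the one quoted in the thread plus a made-up running process.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Volatility 2 pslist columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]
TS = r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?: UTC[+-]\d{4})?"  # tz suffix is optional
PSLIST_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\d+|-+)\s+(?P<sess>-?\d+|-+)\s+(?P<wow64>\d+)\s+"
    rf"(?P<start>{TS})(?:\s+(?P<exit>{TS}))?\s*$"
)

@dataclass
class Proc:
    offset: str
    name: str
    pid: int
    ppid: int
    threads: int
    handles: Optional[int]  # None when pslist printed "--------" (invalid handle table)
    start: str
    exit: Optional[str]

    @property
    def exited(self) -> bool:
        # No valid handle table or a recorded exit time: the process is gone,
        # so the handles plugin will list nothing for it.
        return self.handles is None or self.exit is not None

def parse_pslist_line(line: str) -> Optional[Proc]:
    m = PSLIST_RE.match(line.strip())
    if not m:
        return None  # header, separator or unrelated text
    hnds = m.group("hnds")
    return Proc(m.group("offset"), m.group("name"), int(m.group("pid")),
                int(m.group("ppid")), int(m.group("thds")),
                None if hnds.startswith("-") else int(hnds),
                m.group("start"), m.group("exit"))

def triage(output: str) -> Tuple[List[Proc], List[Proc]]:
    """Split raw pslist text into (running, exited) processes."""
    procs = [p for p in map(parse_pslist_line, output.splitlines()) if p]
    return [p for p in procs if not p.exited], [p for p in procs if p.exited]

# Constructed sample: the row quoted in the thread plus a made-up running process.
SAMPLE = """\
Offset(V)  Name         PID  PPID Thds     Hnds Sess Wow64 Start               Exit
0x89152020 qegyas.exe   2364 2236    0 -------- 0     0 2013-02-27 15:08:35 2013-02-27 15:08:44
0x89abc020 explorer.exe 2236 2100   20      455 0     0 2013-02-27 14:59:01
"""
```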
On Wed, Feb 27, 2013 at 4:24 PM, Brian Keefer <chort(a)effu.se> wrote:
On Feb 27, 2013, at 1:05 PM, James Lay wrote:
On 2013-02-27 13:51, Ayers, Robert wrote:
By name alone I'd bet a beer that this is a malicious executable
0x89152020 qegyas.exe 2364 2236 0 -------- 0 0 2013-02-27 15:08:35 2013-02-27 15:08:44
Thanks for the quick response. I believe that qegyas.exe is the injector
(according to my procmon at least). Also, that process has exited, so I'm
out of luck for taking a peek at it (in memory at least...happily the
malware left the file on the drive :))
James
Try using the handles plugin to see what handles pid 2364 has and what has
handles to it.
--
bk
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users