Well, the "--------" in the Hnds column of the pslist output means the handle table is invalid (probably because the process has exited). Thus, there will be no handles.

Regarding the desire to see injected code, you had the resources in front of you but perhaps didn't know it. With each of the possibly suspect memory ranges, malfind prints a disassembly and hex dump of the data. You excluded that data from your email, but should have seen it on your screen. 

MHL
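As an added illustration of the point above (this is not code from the thread or from Volatility itself), the following script triages Volatility 2.x pslist output the way an analyst would read it by hand: a run of dashes in Thds or Hnds is parsed as "could not be read", an Exit timestamp marks the process as gone, and, as a pivot the thread does not spell out, a still-running process whose parent has exited is flagged as the place where injected code would now live. The column layout, the pslist rows and the PIDs are constructed sample data modelled on the row quoted in the thread; the heuristics and function names are my own.

```python
"""Triage Volatility 2.x `pslist` output (added example, not Volatility code).

A run of dashes in Hnds means the handle table could not be read, which is
what `pslist` prints once a process has exited; `handles -p <pid>` will then
return nothing, so the analyst has to pivot elsewhere.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Volatility 2.x timestamps look like "2013-02-27 15:08:35", later
# releases append a "UTC+0000" suffix; accept both.
TIMESTAMP_RE = re.compile(r"\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}(?: UTC[+-]\d{4})?")

# Constructed sample in the pslist column order:
# Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start Exit
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x89a2f830 System                    4      0     53      240 ------      0
0x893c9d40 explorer.exe           1952   1908     14      416      0      0 2013-02-27 15:01:10
0x89152020 qegyas.exe             2364   2236      0 --------      0      0 2013-02-27 15:08:35 2013-02-27 15:08:44
0x8915f4d8 svchost.exe            2496   2364      5      118      0      0 2013-02-27 15:08:40
"""


@dataclass
class Process:
    offset: str
    name: str
    pid: int
    ppid: int
    thds: Optional[int]   # None when pslist printed dashes
    hnds: Optional[int]   # None when the handle table is invalid ("--------")
    start: Optional[str]
    exit: Optional[str]   # set only for processes that have terminated


def _count(tok: str) -> Optional[int]:
    """pslist prints a run of dashes where a count could not be read."""
    return None if set(tok) == {"-"} else int(tok)


def parse_pslist(text: str) -> List[Process]:
    """Parse pslist rows; header and separator lines are skipped."""
    procs: List[Process] = []
    for line in text.splitlines():
        tok = line.split()
        if len(tok) < 8 or not tok[0].startswith("0x"):
            continue
        # Everything after the eight fixed columns is Start and (optionally) Exit.
        times = TIMESTAMP_RE.findall(" ".join(tok[8:]))
        procs.append(Process(
            offset=tok[0], name=tok[1], pid=int(tok[2]), ppid=int(tok[3]),
            thds=_count(tok[4]), hnds=_count(tok[5]),
            start=times[0] if times else None,
            exit=times[1] if len(times) > 1 else None))
    return procs


def triage(procs: List[Process]) -> Dict[int, List[str]]:
    """Return pid -> reasons an analyst should look at that process again."""
    by_pid = {p.pid: p for p in procs}
    findings: Dict[int, List[str]] = {}
    for p in procs:
        notes: List[str] = []
        if p.hnds is None:
            notes.append("handle table invalid (--------): `handles -p` will be empty")
        if p.exit:
            notes.append(f"exited at {p.exit}: pivot to the file on disk and to pslist parent/child links")
        if p.thds == 0 and p.exit is None:
            notes.append("zero threads but no exit time: inconsistent, cross-check with psscan/psxview")
        parent = by_pid.get(p.ppid)
        if parent is not None and parent.exit and p.exit is None:
            # Analyst heuristic (my assumption): a live child of a dead injector
            # is where the injected code would now be; run `malfind -p` on it.
            notes.append(f"still running but spawned by exited {parent.name} ({parent.pid}): run malfind -p {p.pid}")
        if notes:
            findings[p.pid] = notes
    return findings


if __name__ == "__main__":
    for pid, notes in sorted(triage(parse_pslist(SAMPLE_PSLIST)).items()):
        for note in notes:
            print(f"pid {pid}: {note}")
```

Run against real output by piping `vol.py -f <image> --profile=<profile> pslist` into `parse_pslist`. The dashes check is the whole point: once a process shows "--------" in Hnds there is no handle table left to enumerate, so the useful follow-ups are the suspicious memory ranges `malfind` already disassembled for the live processes, the parent/child links, and the executable left on disk.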


On Wed, Feb 27, 2013 at 4:24 PM, Brian Keefer <chort@effu.se> wrote:
On Feb 27, 2013, at 1:05 PM, James Lay wrote:

> On 2013-02-27 13:51, Ayers, Robert wrote:
>> By name alone I'd bet a beer that this is a malicious executable
>>
>> 0x89152020 qegyas.exe             2364   2236      0 --------      0      0 2013-02-27 15:08:35  2013-02-27 15:08:44
>
> Thanks for the quick response.  I believe that qegyas.exe is the injector (according to my procmon at least).  Also, that process has exited, so I'm out of luck for taking a peek at it (in memory at least...happily the malware left the file on the drive :))
>
> James
>

Try using the handles plugin to see what handles pid 2364 has and what has handles to it.

--
bk

_______________________________________________
Vol-users mailing list
Vol-users@volatilesystems.com
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users