Hi Lee, 

Thanks for the follow-up. Two questions:

1) Are you sure the original image is corrupt? You may just need to specify a different dtb or kdbg on the command-line. See [ref1] and [ref2].
2) On this new image, I'm assuming the output of psxview looks a lot more reasonable?

[ref1]. http://code.google.com/p/volatility/wiki/FAQ#Volatility_thinks_my_image_is_invalid
[ref2]. http://code.google.com/p/volatility/wiki/CommandReference21#kdbgscan

Thanks,
MHL

On Fri, Aug 17, 2012 at 9:08 AM, Armet, Lee <Lee.Armet@td.com> wrote:

Here is my pstree:

root@SIFT-Workstation:/mnt/hgfs/myCases/2012-08-0016/mits# vol.py -f mits_ram --profile=Win7SP0x86 pstree
Volatile Systems Volatility Framework 2.2_alpha
Name                                                  Pid   PPid   Thds   Hnds Time
-------------------------------------------------- ------ ------ ------ ------ --------------------
0x878aa878:csrss.exe                                 512    496     11    400 2012-08-14 12:05:08
. 0x87193030:conhost.exe                             1324    512      2     54 2012-08-14 17:56:47
 0x878d9030:winlogon.exe                              592    496      3    122 2012-08-14 12:05:08
 0x878aa030:wininit.exe                               504    380      3     79 2012-08-14 12:05:08
. 0x878d5548:services.exe                             568    504      7    233 2012-08-14 12:05:08
.. 0x879db030:svchost.exe                            1156    568     17    361 2012-08-14 12:05:10
.. 0x87a535e0:svchost.exe                            1492    568     18    305 2012-08-14 12:05:11
.. 0x85960750:SearchIndexer.                         2588    568     14    938 2012-08-14 12:07:17
.. 0x87948318:svchost.exe                             804    568      9    296 2012-08-14 12:05:10
.. 0x85990728:svchost.exe                             796    568      5     78 2012-08-14 12:07:18
.. 0x87989958:svchost.exe                             940    568     24    509 2012-08-14 12:05:10
... 0x878edb18:dwm.exe                               3416    940      5    111 2012-08-14 12:07:10
.. 0x8796b030:svchost.exe                             888    568     19    504 2012-08-14 12:05:10
... 0x86e8ebd8:audiodg.exe                           3144    888      5    129 2012-08-14 17:53:07
.. 0x87a16930:svchost.exe                            1332    568     16    524 2012-08-14 12:05:10
.. 0x87485030:spoolsv.exe                            1460    568     17    396 2012-08-14 12:05:11
.. 0x86faad40:sppsvc.exe                             3276    568      4    166 2012-08-14 17:54:40
.. 0x8717d9e0:w3dbsmgr.exe                           1656    568     11    197 2012-08-14 12:05:11
.. 0x875ed830:ccSvcHst.exe                           1716    568     62   1441 2012-08-14 12:05:11
... 0x87bcf030:ccSvcHst.exe                          3040   1716     19    293 2012-08-14 12:07:09
.. 0x874b0ad0:PDFProFiltSrvP                         1620    568      5     60 2012-08-14 12:05:11
.. 0x87495b38:armsvc.exe                             1584    568      4     67 2012-08-14 12:05:11
.. 0x87a97930:svchost.exe                            1764    568     10    159 2012-08-14 12:05:11
.. 0x87b81030:Smc.exe                                2256    568     23    637 2012-08-14 12:05:17
.. 0x879a0030:svchost.exe                             996    568     32   1103 2012-08-14 12:05:10
... 0x87b52d40:wuauclt.exe                           2908    996      3     91 2012-08-14 12:08:36
.. 0x87be3b50:taskhost.exe                           3308    568      8    187 2012-08-14 12:07:10
.. 0x87c07708:BrYNSvc.exe                            4080    568      7    128 2012-08-14 12:07:12
.. 0x87922340:svchost.exe                             724    568      9    368 2012-08-14 12:05:09
... 0x879e15e8:agent.exe                             2584    724      6    259 2012-08-14 12:17:14
... 0x865ffc28:HP1006MC.EXE                          3232    724      5     85 2012-08-14 12:07:09
. 0x878dd128:lsass.exe                                600    504      7    660 2012-08-14 12:05:08
. 0x870012b0:lsm.exe                                  632    504     10    140 2012-08-14 12:05:09
 0x87639910:csrss.exe                                 432    380      9    682 2012-08-14 12:05:07
 0x878bf340:explorer.exe                             3492   3260     24    852 2012-08-14 12:07:10
. 0x85b8c998:cmd.exe                                 3052   3492      1     20 2012-08-14 17:56:47
.. 0x86fc7030:winen.exe                              3160   3052      3     86 2012-08-14 17:57:20
. 0x85935708:pdfPro5Hook.ex                          3832   3492      2     55 2012-08-14 12:07:11
. 0x859304a0:pptd40nt.exe                            3772   3492      3     72 2012-08-14 12:07:11
. 0x85900800:jusched.exe                             3680   3492      1     42 2012-08-14 12:07:11
. 0x8591c030:BrStMonW.exe                            3936   3492      5    143 2012-08-14 12:07:12
. 0x8595d7a0:ISUSPM.exe                              3956   3492      7    248 2012-08-14 12:07:12
 0x8796b638:BrCtrlCntr.exe                           3984   3916      2    142 2012-08-14 12:07:12
. 0x8595b930:BrCcUxSys.exe                           1136   3984      2     92 2012-08-14 12:07:12
 0x85760020:System                                      4      0    124    599 2012-08-14 12:05:00
. 0x86efb4c0:smss.exe                                 304      4      2     33 2012-08-14 12:05:00

Regards,

Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group
O:416-982-6855 | M:647-242-0002


From: Michael Hale Ligh [mailto:michael.hale@gmail.com]
Sent: Thursday, August 16, 2012 2:20 PM
To: phocean; Armet, Lee
Cc: vol-users@volatilityfoundation.org
Subject: Re: [Vol-users] Interesting finding


So the weird PID is because the pid column is fixed width for an unsigned short (since the maximum pid is 65535), however the EPROCESS.UniqueProcessId is actually defined as an unsigned int. So what happened is psscan (process pool scanner) picked up a possible structure whose UniqueProcessId value is larger than any valid PID and it gets shortened to "14...5" to fit in the column. I suppose we should fix it so that the whole unsigned int can fit, even though those entries are likely to be false positives or a real EPROCESS structure whose pid member has been overwritten.

But yes, the False in pslist, thrdproc, etc. is strange. Does the pslist command work on your image? Also, can you paste the full command-line you're using (not just the output)?

Thanks,
MHL

On Thu, Aug 16, 2012 at 1:47 PM, phocean <0x90@phocean.net> wrote:

Personally no, but there will probably be more competent people who will answer.

The most surprising thing is not the weird PID but that most processes are hidden from pslist.

Isn't it just a bug, or can you tell more about the context?

--- phocean

On 16 Aug 2012, at 17:51, "Armet, Lee" <Lee.Armet@td.com> wrote:

Anyone ever see this?

0x2253cfb9                     14...5 False  True   False    False   False

Volatile Systems Volatility Framework 2.2_alpha
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x05760020 System                    4 True   True   True     True    False
0x19863d21 svchost.exe             804 False  True   False    False   False
0x18fa330d pdfPro5Hook.ex         3832 False  True   False    False   False
0x18a9d585 cmd.exe                3052 False  True   False    False   False
0x2eac4d45 svchost.exe             724 False  True   False    False   False
0x1d844541 taskhost.exe           3308 False  True   False    False   False
0x190203a9 ISUSPM.exe             3956 False  True   False    False   False
0x18b2d26a System                    4 False  True   False    False   False
0x0c1577ed sppsvc.exe             3276 False  True   False    False   False
0x190b1335 svchost.exe             796 False  True   False    False   False
0x13473a2d wininit.exe             504 False  True   False    False   False
0x2253cfb9                     14...5 False  True   False    False   False
0x22e79729 wuauclt.exe            2908 False  True   False    False   False
0x21442a21 ccSvcHst.exe           3040 False  True   False    False   False
0x18f75c35 BrStMonW.exe           3936 False  True   False    False   False
0x19044359 SearchIndexer.         2588 False  True   False    False   False
0x22209305 svchost.exe            1332 False  True   False    False   False
0x1900a539 BrCcUxSys.exe          1136 False  True   False    False   False
0x227df30d svchost.exe            1764 False  True   False    False   False
0x3accbd3d explorer.exe           3492 False  True   False    False   False
0x18f980a5 pptd40nt.exe           3772 False  True   False    False   False

Regards,

Lee Armet | Senior Forensic Investigator | Global Security & Investigations | TD Bank Group


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
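As an added example (not code from this thread or from Volatility itself), the following Python triage applies the two points made above to psxview rows: a PID rendered as "14...5" is treated as a truncated, out-of-range UniqueProcessId, psscan-only rows are separated out, and those are cross-checked against the PIDs that the pstree run reported. The sample rows are copied from the psxview output quoted in the thread, the pstree PID set is taken from the pstree output, and the 8-byte pool-alignment check assumes a 32-bit target as in this case.

```python
# Constructed sample: four rows copied from the psxview output quoted in this
# thread (the hidden-looking svchost, the duplicate System entry, the "14...5" row).
PSXVIEW_OUTPUT = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss
---------- -------------------- ------ ------ ------ -------- ------- -----
0x05760020 System                    4 True   True   True     True    False
0x19863d21 svchost.exe             804 False  True   False    False   False
0x18b2d26a System                    4 False  True   False    False   False
0x2253cfb9                     14...5 False  True   False    False   False
"""
# PIDs that pstree (a walk of the EPROCESS linked list) reported for the same case.
PSTREE_PIDS = {4, 304, 432, 504, 568, 804, 3052, 3492}
VIEWS = ("pslist", "psscan", "thrdproc", "pspcdid", "csrss")


def parse_psxview(text):
    """Parse psxview rows; the Name may be blank and the PID may be truncated."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue  # banner, header and separator lines
        parts = line.rsplit(None, len(VIEWS) + 1)  # [offset+name, pid, 5 flags]
        offset, _, name = parts[0].partition(" ")
        pid = None if "..." in parts[1] else int(parts[1])  # "14...5" is truncated
        views = {v: f == "True" for v, f in zip(VIEWS, parts[2:])}
        rows.append({"offset": int(offset, 16), "name": name.strip(),
                     "pid": pid, "views": views})
    return rows


def triage(row, pstree_pids):
    """Return the reasons this row needs a second look (empty set = consistent)."""
    v, reasons = row["views"], set()
    if row["pid"] is None:
        # A UniqueProcessId too wide for the column prints as "14...5"; no valid PID
        # is that large, so the hit is a false positive or an overwritten member.
        reasons.add("pid-truncated")
    if row["offset"] % 8:
        # Pool allocations are 8-byte aligned on x86 (assumption: 32-bit target, as
        # in this case), so a real _EPROCESS never starts at an odd physical offset.
        reasons.add("unaligned-offset")
    if v["psscan"] and not (v["pslist"] or v["thrdproc"] or v["pspcdid"]):
        # Pool scanner only: exited, unlinked from the list, or a false positive.
        reasons.add("psscan-only")
        if row["pid"] in pstree_pids:
            # pstree walked the list and found this PID, so the two outputs cannot
            # both come from the same image with a working DTB/KDBG.
            reasons.add("contradicts-pstree")
    return reasons
```

A row that triages to the empty set is consistent across views; the csrss column is ignored on purpose because it is expected to be False for System and the early boot processes.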
