Hello,
The 'pslist' column of psxview is False for both of the processes.
This corresponds to the pslist plugin. When you give the -p option to
Volatility, what happens in the background is that the active process
list is walked (what pslist does) and the matching process is
found/reported. Since the process is not in pslist, you cannot use
-p. Instead you need to use the -o option with the physical offset of
the process's EPROCESS structure (the first column of psxview).
About your specific processes: the only column that is True for
both is psscan. psscan is capable of finding processes that previously
terminated. It is likely that the processes are no longer actually
running, which means that if you use procmemdump with -o you will
likely not get real data back.
On Mon, Dec 9, 2013 at 12:14 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
Hey all,
Here's what I have:
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss  session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ------ ------- --------
0x26004da0 UPS_Label_23052         396 False  True   False    False  False  False   False
0x260f7da0 UPS_Label_23052         396 False  True   False    False  False  False   False
Offset(P)  Name             PID    PPID   PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x27808020 explorer.exe       1480   1412 0x0a440200 2013-05-23 17:44:24 UTC+0000
0x26004da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
0x260f7da0 UPS_Label_23052     396   1480 0x0a4403c0 2013-05-23 17:46:09 UTC+0000
I'm attempting to find and extract the running UPS_Label_23052, but having
difficulty extracting the exe from it. Procmemdump and procexedump fail to
find the pid, so I'm kind of lost. Any info would help...thank you.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
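Added example for this thread (not code from either message, and not part of Volatility itself): a small Python script that parses a psxview listing like the one James posted, applies the reasoning from the reply (pslist False rules out -p; a row that only psscan sees is most likely a terminated process), and builds the procexedump command line that addresses each EPROCESS by physical offset where -p cannot work. It assumes the Volatility 2.x procexedump options -p (PID), -o (physical EPROCESS offset) and -D (dump directory); IMAGE.raw and PROFILE are placeholders, not values from the thread. The sample input is constructed: the two UPS_Label_23052 rows from the page with the mailing-list wrapping undone, plus a made-up explorer.exe row that every plugin sees, added only for contrast (on the page explorer.exe appears in the psscan output, not in psxview).

```python
"""
Triage a Volatility 2 psxview listing and build the matching procexedump
command for each row.

Added example for the vol-users thread; not Volatility code. Assumptions:
  - procexedump accepts -p <pid>, -o <physical EPROCESS offset> and
    -D <dump dir>, as in Volatility 2.x;
  - IMAGE.raw and PROFILE are placeholders, not values from the thread.
"""

BOOL_COLUMNS = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Constructed sample: the two psxview rows from the thread (line wrapping
# undone) plus a constructed explorer.exe row, visible to every plugin,
# for contrast. explorer.exe is only in the psscan output on the page.
PSXVIEW_OUTPUT = """\
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss  session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ------ ------- --------
0x26004da0 UPS_Label_23052         396 False  True   False    False  False  False   False
0x260f7da0 UPS_Label_23052         396 False  True   False    False  False  False   False
0x27808020 explorer.exe           1480 True   True   True     True   True   True    True
"""


def parse_psxview(text):
    """Parse psxview rows into dicts; header and separator lines are skipped."""
    rows = []
    n = len(BOOL_COLUMNS)
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or not tokens[0].startswith("0x"):
            continue
        flags = {col: tok == "True" for col, tok in zip(BOOL_COLUMNS, tokens[-n:])}
        rows.append({
            "offset": int(tokens[0], 16),        # physical EPROCESS offset
            "name": " ".join(tokens[1:-n - 1]),  # tolerates names containing spaces
            "pid": int(tokens[-n - 1]),
            "flags": flags,
        })
    return rows


def classify(row):
    """Reasoning from the reply: pslist False rules out -p; an entry that only
    the pool scanner (psscan) finds is most likely a terminated process."""
    flags = row["flags"]
    seen_by = [col for col in BOOL_COLUMNS if flags[col]]
    if seen_by == ["psscan"]:
        return "likely terminated (only psscan finds it)"
    if not flags["pslist"]:
        return "not in the active process list (use -o)"
    return "active"


def dump_command(row, image, profile, dump_dir="dumps"):
    """-p walks the active list (what pslist does), so it only works when
    pslist is True; otherwise address the EPROCESS by physical offset with -o."""
    base = f"vol.py -f {image} --profile={profile} procexedump -D {dump_dir}"
    if row["flags"]["pslist"]:
        return f"{base} -p {row['pid']}"
    return f"{base} -o 0x{row['offset']:08x}"


def triage(text, image, profile):
    """Return (name, offset, verdict, command) for every psxview row."""
    return [
        (row["name"], f"0x{row['offset']:08x}", classify(row), dump_command(row, image, profile))
        for row in parse_psxview(text)
    ]


if __name__ == "__main__":
    for name, offset, verdict, cmd in triage(PSXVIEW_OUTPUT, "IMAGE.raw", "PROFILE"):
        print(f"{name:16} {offset}  {verdict}\n    {cmd}")
```

Two things the output makes visible that the raw listing does not: both UPS_Label_23052 rows share PID 396, so even if -p could see them it would not say which EPROCESS you meant, while -o with the first column of psxview selects exactly one; and, as the reply says, a psscan-only entry is probably a process that has already exited, so the -o dump may come back with little or no real data because the pages were freed.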