Thanks Gents…I appreciate the information.
James
On Dec 10, 2013, at 4:55 PM, Andrew Case <atcuno(a)gmail.com> wrote:
Hello,
The 'pslist' column of psxview is False for both of the processes.
This corresponds to the pslist plugin. When you give the -p option to
Volatility what happens in the background is that the active process
list is walked (what pslist does) and the matching process is
found/reported. Since the process is not in pslist then you cannot use
-p. Instead you need to use the -o option with the physical offset of
the process's EPROCESS structure (the first column of psxview).
About your specific processes: the only column that is True for
both is psscan. psscan is capable of finding processes that previously
terminated. It is likely that the processes are no longer actually
running which means if you use procmemdump with -o that you will
likely not get real data back.
On Mon, Dec 9, 2013 at 12:14 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
> Hey all,
>
> Here's what I have:
>
> Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss  session deskthrd
> ---------- -------------------- ------ ------ ------ -------- ------ ------ ------- --------
> 0x26004da0 UPS_Label_23052      396    False  True   False    False  False  False   False
> 0x260f7da0 UPS_Label_23052      396    False  True   False    False  False  False   False
>
>
> Offset(P)  Name             PID    PPID   PDB        Time created                   Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
> 0x27808020 explorer.exe     1480   1412   0x0a440200 2013-05-23 17:44:24 UTC+0000
> 0x26004da0 UPS_Label_23052  396    1480   0x0a4403c0 2013-05-23 17:46:09 UTC+0000
> 0x260f7da0 UPS_Label_23052  396    1480   0x0a4403c0 2013-05-23 17:46:09 UTC+0000
>
> I'm attempting to find and extract the running UPS_Label_23052, but having
> difficulty extracting the exe from it. Procmemdump and procexedump fail to
> find the pid, so I'm kind of lost. Any info would help...thank you.
>
> James
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
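The rule Andrew describes above (a PID given with -p is resolved by walking the active process list, so a process whose pslist column is False has to be addressed by its physical EPROCESS offset with -o, and a row that only psscan saw is probably a terminated or stale EPROCESS) can be turned into a small triage script. The following is an added example, not code from the thread or from the Volatility project: it parses psxview and psscan text output, classifies each process, and prints the procmemdump command to use. The image name, profile and output directory are placeholders; the explorer.exe psxview row and the notepad.exe rows are constructed for contrast, the UPS_Label_23052 rows are the ones posted in the thread.

```python
"""Added example (not Volatility's own code): triage psxview/psscan output to
decide whether a process can be addressed with -p <PID> or must be dumped with
-o <physical EPROCESS offset>, and flag psscan-only rows as likely terminated."""
import re

PSXVIEW_FLAGS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Sample input: the two psxview rows posted in the thread, plus constructed rows
# for explorer.exe (seen by every source) and notepad.exe (psscan only).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                 PID    pslist psscan thrdproc pspcid csrss  session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ------ ------- --------
0x27808020 explorer.exe         1480   True   True   True     True   True   True    True
0x26004da0 UPS_Label_23052      396    False  True   False    False  False  False   False
0x260f7da0 UPS_Label_23052      396    False  True   False    False  False  False   False
0x25a10020 notepad.exe          2004   False  True   False    False  False  False   False
"""

# Sample input: the psscan rows from the thread, plus a constructed notepad.exe
# row whose EPROCESS still carries an exit time.
SAMPLE_PSSCAN = """\
Offset(P)  Name             PID    PPID   PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x27808020 explorer.exe     1480   1412   0x0a440200 2013-05-23 17:44:24 UTC+0000
0x26004da0 UPS_Label_23052  396    1480   0x0a4403c0 2013-05-23 17:46:09 UTC+0000
0x260f7da0 UPS_Label_23052  396    1480   0x0a4403c0 2013-05-23 17:46:09 UTC+0000
0x25a10020 notepad.exe      2004   1480   0x0a440480 2013-05-23 17:50:01 UTC+0000   2013-05-23 17:52:30 UTC+0000
"""

TIMESTAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d UTC[+-]\d{4}"
PSSCAN_ROW = re.compile(
    r"^(0x[0-9a-fA-F]+)\s+(.+?)\s+(\d+)\s+(\d+)\s+(0x[0-9a-fA-F]+)\s+"
    rf"({TIMESTAMP})(?:\s+({TIMESTAMP}))?\s*$"
)


def parse_psxview(text):
    """One dict per data row. The name is rebuilt from the middle fields so a
    process name containing spaces cannot shift the boolean columns."""
    nflags = len(PSXVIEW_FLAGS)
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 + nflags or not fields[0].lower().startswith("0x"):
            continue  # header, ruler line or blank
        row = {
            "offset": int(fields[0], 16),
            "name": " ".join(fields[1:-(nflags + 1)]),
            "pid": int(fields[-(nflags + 1)]),
        }
        row.update((flag, val == "True") for flag, val in zip(PSXVIEW_FLAGS, fields[-nflags:]))
        rows.append(row)
    return rows


def parse_psscan(text):
    """Map physical offset -> (time created, time exited or None)."""
    out = {}
    for line in text.splitlines():
        m = PSSCAN_ROW.match(line)
        if m:
            out[int(m.group(1), 16)] = (m.group(6), m.group(7))
    return out


def classify(row):
    """'active'      : present in pslist, so -p <PID> resolves it.
       'offset_only' : absent from pslist but seen elsewhere; -o <offset> is required.
       'psscan_only' : only the pool scanner found it; likely a terminated or stale
                       EPROCESS, so a dump may not contain real data."""
    if row["pslist"]:
        return "active"
    if row["psscan"] and not any(row[f] for f in PSXVIEW_FLAGS if f != "psscan"):
        return "psscan_only"
    return "offset_only"


def dump_command(row, image="mem.img", profile="WinXPSP3x86", outdir="dumps"):
    """Build the procmemdump invocation. image, profile and outdir are placeholders."""
    base = f"vol.py -f {image} --profile={profile} procmemdump -D {outdir}"
    if classify(row) == "active":
        return f"{base} -p {row['pid']}"
    return f"{base} -o {row['offset']:#010x}"


def triage(psxview_text, psscan_text, **kw):
    """Join psxview rows with psscan exit times and attach the right command."""
    times = parse_psscan(psscan_text)
    report = []
    for row in parse_psxview(psxview_text):
        _created, exited = times.get(row["offset"], (None, None))
        report.append({
            "offset": f"{row['offset']:#010x}",
            "name": row["name"],
            "pid": row["pid"],
            "status": classify(row),
            "exited": exited,
            "command": dump_command(row, **kw),
        })
    return report


if __name__ == "__main__":
    for r in triage(SAMPLE_PSXVIEW, SAMPLE_PSSCAN):
        note = f" (exited {r['exited']})" if r["exited"] else ""
        print(f"{r['offset']} {r['name']:<16} pid={r['pid']:<5} {r['status']:<12}{note}")
        print(f"    {r['command']}")
```

Two caveats when using this against a real image. First, an empty "Time exited" column, as in the thread's rows, does not prove the process is still running: the psscan-only pattern in psxview is the stronger signal, which is why the script keys its verdict on the flag columns and only reports the exit time as extra evidence. Second, the command name follows the thread; Volatility 2.3 and later merged procmemdump and procexedump into procdump (procmemdump's behaviour is its --memory option), so adjust the string for the version you run.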