James,
You probably won't be able to dump exp3.tmp.exe, because it has exited
(notice there's an Exit time, 0 threads, and invalid handle table). The
_EPROCESS structure still exists in the "active" list for reasons explained
here:
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html. Once the
process exits, its address space, which contains the executable, is
destroyed.
I'm also going to guess that pid 1448 is an exited (not hidden) process,
but it made some connections during its lifetime. That's the gift and curse
of scanning physical memory for data. It's able to help show what happened
on a system in the past (i.e. IPs and ports contacted), but not everything
is preserved. Kernel memory pools are used and re-used, allowing some
allocations to survive longer than others. You found a connection object
that was owned by pid 1448 at some point in time, but the _EPROCESS for pid
1448 is long gone. I'm pretty confident in psxview's ability to find hidden
processes since it uses like 8 different methods. Even advanced rootkits
these days don't try hiding in more than 2-3 ways... at that point it's
easier just to inject code into another process and hide that way.
MHL
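The two checks MHL walks through above (an _EPROCESS with an Exit time and zero threads has no address space left for procexedump to read; a connection object whose owning PID has no _EPROCESS at all is most likely an exited process whose pool allocation was reused, not a hidden one) as a small script. This is an added example for this thread, not Volatility's own code: it parses the plain-text tables that Volatility 2's psscan and connscan plugins print. The exp3.tmp.exe row and PID 1448 are copied from James's output; the svchost/explorer rows, the other connection rows and all 203.0.113.x addresses are constructed for illustration.

```python
"""Cross-reference Volatility 2 psscan and connscan output to explain PIDs.

Added example for the thread (not Volatility's own code): it parses the text
tables the two plugins print, flags _EPROCESS entries that have already
exited (Exit time set, so procexedump has no address space to read), and
marks connection objects whose owning PID has no _EPROCESS at all.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample rows in psscan's layout. The exp3.tmp.exe row is copied
# from the thread; the other two rows are made up for illustration.
PSSCAN_OUTPUT = """\
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x0925a808 exp3.tmp.exe     3336   1628   0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
0x09111020 svchost.exe      1040   668    0x0a440140 2012-12-13 15:01:03
0x0912c7a0 explorer.exe     1628   1596   0x0a440220 2012-12-13 15:01:20
"""

# Constructed sample rows in connscan's layout (PID 1448 echoes the thread;
# the 203.0.113.x remote addresses are documentation addresses, not real).
CONNSCAN_OUTPUT = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          203.0.113.106:443         1448
0x0912f878 192.168.0.2:1071          203.0.113.8:443           1448
0x09200100 192.168.0.2:1030          203.0.113.9:80            1040
0x09300200 192.168.0.2:1080          203.0.113.50:443          3336
"""

TIMESTAMP = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
PSSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<pdb>0x[0-9a-fA-F]+)\s+(?P<created>" + TIMESTAMP + r")"
    r"(?:\s+(?P<exited>" + TIMESTAMP + r"))?\s*$"
)
CONNSCAN_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<pid>\d+)\s*$"
)


@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    created: str
    exited: Optional[str]  # None while the process is still running


@dataclass
class Connection:
    offset: int
    local: str
    remote: str
    pid: int


def parse_psscan(text: str) -> List[Process]:
    """Parse psscan rows; header and separator lines simply do not match."""
    procs = []
    for line in text.splitlines():
        m = PSSCAN_RE.match(line)
        if m:
            procs.append(Process(int(m["offset"], 16), m["name"], int(m["pid"]),
                                 int(m["ppid"]), m["created"], m["exited"]))
    return procs


def parse_connscan(text: str) -> List[Connection]:
    """Parse connscan rows into Connection records."""
    conns = []
    for line in text.splitlines():
        m = CONNSCAN_RE.match(line)
        if m:
            conns.append(Connection(int(m["offset"], 16), m["local"],
                                    m["remote"], int(m["pid"])))
    return conns


def dumpable(proc: Process) -> bool:
    """procexedump needs a live address space; an exited process has none."""
    return proc.exited is None


def classify_connections(procs: List[Process],
                         conns: List[Connection]) -> Dict[int, str]:
    """Map each connection's PID to 'running', 'exited' or 'absent'.

    'absent' means no _EPROCESS (live or exited) was found for the PID. The
    usual explanation is a process that exited and whose _EPROCESS pool
    allocation was reused while its connection object survived; call it
    hidden only if psxview also turns up nothing.
    """
    by_pid = {p.pid: p for p in procs}
    status = {}
    for c in conns:
        p = by_pid.get(c.pid)
        if p is None:
            status[c.pid] = "absent"
        elif p.exited is not None:
            status[c.pid] = "exited"
        else:
            status[c.pid] = "running"
    return status


def report(procs: List[Process], conns: List[Connection]) -> List[str]:
    """One human-readable line per process and per connection-owning PID."""
    lines = []
    for p in procs:
        verdict = "dumpable" if dumpable(p) else f"exited {p.exited}, not dumpable"
        lines.append(f"pid {p.pid:<5} {p.name:<16} {verdict}")
    for pid, st in sorted(classify_connections(procs, conns).items()):
        lines.append(f"pid {pid:<5} connection owner is {st}")
    return lines


if __name__ == "__main__":
    for line in report(parse_psscan(PSSCAN_OUTPUT), parse_connscan(CONNSCAN_OUTPUT)):
        print(line)
```

Against real images, feed it the saved output of `vol.py -f image.raw --profile=WinXPSP3x86 psscan` and `... connscan` instead of the constructed strings. On the sample data PID 3336 comes back "exited" and PID 1448 "absent", which is exactly the distinction the reply draws: the first still has an _EPROCESS you can see but cannot dump, the second only left a connection object behind.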
On Fri, Dec 14, 2012 at 1:35 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
Hey all.
So..I have a couple questions (clearly) about procexedump and another one
about hidden processes. First, procexedump. Here's the info of the
memdump:
Offset(V)  Name                 PID    PPID   Thds   Hnds     Sess   Wow64  Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe         3336   1628   0      -------- 0      0      2012-12-13 15:22:46  2012-12-13 15:25:22
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x0925a808 exp3.tmp.exe     3336   1628   0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
I'm attempting to dump this to an exe file, but here's what I'm getting:
Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x8925a808 ---------- exp3.tmp.exe         Error: PEB at 0x7ffdf000 is paged
I won't lie in saying I don't really have a handle on the entire memory
structure of Windows XPSP3. What exactly can I do, if anything, to get
this as a sample? Next up, hidden processes:
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443             1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443               1448
0x091bfa70 192.168.0.2:1069          x.x.x.106:443             1448
0x09231478 192.168.0.2:1065          x.x.x.106:443             1448
pslist, psscan, and psxview do not show this PID. How do I figure out
what and where this PID is? Thanks for any help you can provide.
James
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users