James, 

You probably won't be able to dump exp3.tmp.exe, because it has exited (notice there's an Exit time, 0 threads, and invalid handle table). The _EPROCESS structure still exists in the "active" list for reasons explained here: http://mnin.blogspot.com/2011/03/mis-leading-active-in.html. Once the process exits, its address space, which contains the executable, is destroyed. 

I'm also going to guess that pid 1448 is an exited (not hidden) process, but it made some connections during its lifetime. That's the gift and curse of scanning physical memory for data. It's able to help show what happened on a system in the past (i.e. IPs and ports contacted), but not everything is preserved. Kernel memory pools are used and re-used, allowing some allocations to survive longer than others. You found a connection object that was owned by pid 1448 at some point in time, but the _EPROCESS for pid 1448 is long gone. I'm pretty confident in psxview's ability to find hidden processes since it uses like 8 different methods. Even advanced rootkits these days don't try hiding in more than 2-3 ways... at that point it's easier just to inject code into another process and hide that way. 

MHL
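As an added illustration (not part of this thread and not Volatility's own code), here is a small Python triage helper that applies the three signs of an exited process named above (exit time set, 0 threads, invalid handle table) to pslist output and cross-checks the PIDs that connscan attributes connections to. The sample rows are constructed to mirror the tables quoted below; the explorer.exe row and the extra connection rows are made up.

```python
import re

# Constructed sample in the layout Volatility's pslist and connscan print: the
# exp3.tmp.exe and pid 1448 rows mirror the thread, the rest are made up.
PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe           3336   1628      0 --------      0     0 2012-12-13 15:22:46  2012-12-13 15:25:22
0x8a1b2c30 explorer.exe           1628   1600     14      412      0     0 2012-12-13 15:01:10
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443           1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443             1448
0x091bfa70 192.168.0.2:1069          x.x.x.106:443           3336
0x092a1b10 192.168.0.2:1080          x.x.x.9:80              1628
"""
TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
PS_RE = re.compile(r"^0x[0-9a-f]+\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+\d+\s+(?P<thds>\d+)\s+"
                   r"(?P<hnds>\S+)\s+\S+\s+\d+\s+" + TS + r"(?:\s+(?P<exit>" + TS + r"))?\s*$")
CONN_RE = re.compile(r"^0x[0-9a-f]+\s+\S+\s+(?P<remote>\S+)\s+(?P<pid>\d+)\s*$")

def parse_pslist(text: str) -> dict[int, dict]:
    procs: dict[int, dict] = {}
    for m in filter(None, map(PS_RE.match, text.splitlines())):
        hnds = m.group("hnds")  # "--------" means the handle table is invalid
        procs[int(m.group("pid"))] = {"name": m.group("name"), "threads": int(m.group("thds")),
                                      "handles": None if hnds.startswith("-") else int(hnds),
                                      "exit": m.group("exit")}
    return procs

def is_exited(proc: dict) -> bool:
    # The three signs named in the reply: exit time set, 0 threads, handle table gone.
    return proc["exit"] is not None and proc["threads"] == 0 and proc["handles"] is None

def parse_connscan(text: str) -> dict[int, list[str]]:
    conns: dict[int, list[str]] = {}
    for m in filter(None, map(CONN_RE.match, text.splitlines())):
        conns.setdefault(int(m.group("pid")), []).append(m.group("remote"))
    return conns

def classify(pid: int, procs: dict[int, dict]) -> str:
    if pid not in procs:
        return "no_eprocess"  # _EPROCESS already gone, or hidden: confirm with psxview
    return "exited" if is_exited(procs[pid]) else "live"

def triage(pslist_text: str, conn_text: str) -> dict[int, str]:
    procs = parse_pslist(pslist_text)
    return {pid: classify(pid, procs) for pid in sorted(parse_connscan(conn_text))}
```

Running `triage(PSLIST, CONNSCAN)` on the sample separates the surviving connection objects of pid 1448 (no _EPROCESS found) from those of the exited exp3.tmp.exe and the live explorer.exe.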



On Fri, Dec 14, 2012 at 1:35 PM, James Lay <jlay@slave-tothe-box.net> wrote:
Hey all.

So... I have a couple questions (clearly) about procexedump and another one about hidden processes.  First, procexedump.  Here's the info of the memdump:

Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe           3336   1628      0 --------      0     0 2012-12-13 15:22:46  2012-12-13 15:25:22

Offset(P)  Name                PID   PPID PDB        Time created        Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x0925a808 exp3.tmp.exe       3336   1628 0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22

I'm attempting to dump this to an exe file, but here's what I'm getting:

Process(V) ImageBase  Name                 Result
---------- ---------- -------------------- ------
0x8925a808 ---------- exp3.tmp.exe         Error: PEB at 0x7ffdf000 is paged

I won't lie in saying I don't really have a handle on the entire memory structure of Windows XPSP3.  What exactly can I do, if anything, to get this as a sample?  Next up, hidden processes:

Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443           1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443             1448
0x091bfa70 192.168.0.2:1069          x.x.x.106:443           1448
0x09231478 192.168.0.2:1065          x.x.x.106:443           1448

pslist, psscan, and psxview do not show this PID.  How do I figure out what and where this PID is?  Thanks for any help you can provide.

James


_______________________________________________
Vol-users mailing list
Vol-users@volatilityfoundation.org
http://lists.volatilesystems.com/mailman/listinfo/vol-users