James,
You probably won't be able to dump exp3.tmp.exe, because it has exited
(notice there's an Exit time, 0 threads, and an invalid handle table). The
_EPROCESS structure still exists in the "active" list for reasons explained
here:
http://mnin.blogspot.com/2011/03/mis-leading-active-in.html
Once the process exits, its address space, which contains the
executable, is destroyed.
I'm also going to guess that pid 1448 is an exited (not hidden)
process, but it made some connections during its lifetime. That's the
gift and curse of scanning physical memory for data. It's able to help
show what happened on a system in the past (i.e. IPs and ports
contacted), but not everything is preserved. Kernel memory pools are
used and re-used, allowing some allocations to survive longer than
others. You found a connection object that was owned by pid 1448 at
some point in time, but the _EPROCESS for pid 1448 is long gone. I'm
pretty confident in psxview's ability to find hidden processes since it
uses like 8 different methods. Even advanced rootkits these days don't
try hiding in more than 2-3 ways... at that point it's easier just to
inject code into another process and hide that way.
MHL
On Fri, Dec 14, 2012 at 1:35 PM, James Lay <jlay(a)slave-tothe-box.net> wrote:
> Hey all.
>
> So... I have a couple of questions (clearly) about procexedump and
> another one about hidden processes. First, procexedump. Here's
> the info of the memdump:
>
> Offset(V)  Name                 PID    PPID   Thds     Hnds   Sess  Wow64 Start                Exit
> ---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
> 0x8925a808 exp3.tmp.exe           3336   1628      0 --------      0      0 2012-12-13 15:22:46  2012-12-13 15:25:22
>
> Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
> ---------- ---------------- ------ ------ ---------- -------------------- --------------------
> 0x0925a808 exp3.tmp.exe       3336   1628 0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
>
> I'm attempting to dump this to an exe file, but here's what I'm
> getting:
>
> Process(V) ImageBase  Name                 Result
> ---------- ---------- -------------------- ------
> 0x8925a808 ---------- exp3.tmp.exe         Error: PEB at 0x7ffdf000 is paged
>
> I won't lie in saying I don't really have a handle on the entire
> memory structure of Windows XP SP3. What exactly can I do, if
> anything, to get this as a sample? Next up, hidden processes:
>
> Offset(P)  Local Address             Remote Address            Pid
> ---------- ------------------------- ------------------------- ---
> 0x09046008 192.168.0.2:1066          x.x.x.106:443             1448
> 0x0912f878 192.168.0.2:1071          x.x.x.8:443               1448
> 0x091bfa70 192.168.0.2:1069          x.x.x.106:443             1448
> 0x09231478 192.168.0.2:1065          x.x.x.106:443             1448
>
> pslist, psscan, and psxview do not show this PID. How do I figure
> out what and where this PID is? Thanks for any help you can
> provide.
>
> James
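The cross-check MHL describes, as an added example that is not part of the thread and not Volatility's own code: parse the pslist, psscan and connscan text output quoted above, flag processes that have exited (Exit time set, 0 threads, dashed-out handle count) and therefore cannot be dumped with procexedump, and explain each connscan PID as live, exited-but-still-listed, or an orphan whose _EPROCESS is gone. It assumes the Volatility 2 column layouts shown in the quoted output. The sample rows are constructed from the ones in the thread; the explorer.exe row (its offset, and the guess that PID 1628 is explorer) and the connection owned by PID 1628 are made up so that every verdict has an instance, and the remote IPs are left redacted as on the page.

```python
"""Cross-check Volatility 2.x pslist/psscan rows against connscan rows (added
example, not from the thread or Volatility; assumes the column layouts quoted above)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

_TS = r"\d{4}-\d\d-\d\d \d\d:\d\d:\d\d"
_PSLIST_ROW = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    r"(?P<thds>\d+)\s+(?P<hnds>\S+)\s+(?P<sess>\S+)\s+(?P<wow>\d+)\s+"
    rf"(?P<start>{_TS})(?:\s+(?P<exit>{_TS}))?\s*$")
_PSSCAN_ROW = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)\s+"
    rf"(?P<pdb>0x[0-9a-f]+)\s+(?P<start>{_TS})(?:\s+(?P<exit>{_TS}))?\s*$")
_CONN_ROW = re.compile(
    r"^(?P<off>0x[0-9a-f]+)\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<pid>\d+)\s*$")

# Constructed sample output: the rows quoted in the thread plus one made-up live
# process (explorer.exe, invented offset, PID 1628 = exp3's parent) and one
# made-up connection owned by it, so every verdict below has an instance.
PSLIST = """\
Offset(V)  Name                 PID    PPID   Thds     Hnds   Sess  Wow64 Start                Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ -------------------- --------------------
0x8925a808 exp3.tmp.exe           3336   1628      0 --------      0      0 2012-12-13 15:22:46  2012-12-13 15:25:22
0x89123da0 explorer.exe           1628   1596     14      400      0      0 2012-12-13 15:01:10
"""
PSSCAN = """\
Offset(P)  Name             PID    PPID   PDB        Time created         Time exited
---------- ---------------- ------ ------ ---------- -------------------- --------------------
0x0925a808 exp3.tmp.exe       3336   1628 0x0a440480 2012-12-13 15:22:46  2012-12-13 15:25:22
"""
CONNSCAN = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x09046008 192.168.0.2:1066          x.x.x.106:443             1448
0x0912f878 192.168.0.2:1071          x.x.x.8:443               1448
0x0931a000 192.168.0.2:1080          x.x.x.8:443               1628
"""

@dataclass
class Process:
    offset: int
    name: str
    pid: int
    ppid: int
    start: str
    exit: Optional[str]            # Exit / Time exited column; None while the process lives
    threads: Optional[int] = None  # pslist only
    handles: Optional[int] = None  # pslist only; None also for "--------" (handle table gone)

    def has_exited(self) -> bool:
        # The signs named in the thread: an exit time and zero threads.
        return self.exit is not None or self.threads == 0

@dataclass
class Connection:
    offset: int
    local: str
    remote: str
    pid: int

def parse_pslist(text: str) -> Dict[int, Process]:
    procs: Dict[int, Process] = {}
    for m in filter(None, map(_PSLIST_ROW.match, text.splitlines())):
        hnds = int(m["hnds"]) if m["hnds"].isdigit() else None
        procs[int(m["pid"])] = Process(int(m["off"], 16), m["name"], int(m["pid"]),
                                       int(m["ppid"]), m["start"], m["exit"], int(m["thds"]), hnds)
    return procs

def parse_psscan(text: str) -> Dict[int, Process]:
    return {int(m["pid"]): Process(int(m["off"], 16), m["name"], int(m["pid"]),
                                   int(m["ppid"]), m["start"], m["exit"])
            for m in filter(None, map(_PSSCAN_ROW.match, text.splitlines()))}

def parse_connscan(text: str) -> List[Connection]:
    return [Connection(int(m["off"], 16), m["local"], m["remote"], int(m["pid"]))
            for m in filter(None, map(_CONN_ROW.match, text.splitlines()))]

def merged_processes(pslist_text: str, psscan_text: str) -> Dict[int, Process]:
    # Pool-scanned objects first, then the linked-list view (which carries Thds/Hnds).
    procs = parse_psscan(psscan_text)
    procs.update(parse_pslist(pslist_text))
    return procs

def dump_verdict(proc: Process) -> str:
    """Why procexedump fails here: an exited process has no address space left to read."""
    if proc.has_exited():
        return "cannot dump: exited at %s, address space (and image) torn down" % proc.exit
    return "dumpable: address space still mapped"

def triage_connections(procs: Dict[int, Process], conns: List[Connection]) -> Dict[int, str]:
    """Explain each PID that owns a scanned connection object."""
    verdicts: Dict[int, str] = {}
    for c in conns:
        p = procs.get(c.pid)
        if p is None:
            verdicts[c.pid] = ("orphan: no _EPROCESS for this PID; the connection object "
                               "outlived its owner in pool memory (past activity, not a hidden process)")
        elif p.has_exited():
            verdicts[c.pid] = "exited: %s finished at %s, not hidden" % (p.name, p.exit)
        else:
            verdicts[c.pid] = "live: %s" % p.name
    return verdicts
```

Feed `merged_processes` the real pslist and psscan output (and psxview, if you extend the parser) before calling `triage_connections`; a PID that is absent from every listing is only an "orphan" with respect to what you gave it. The orphan verdict is the point of MHL's reply: a connection object recovered by a pool scan is evidence of past activity, and by itself says nothing about a hidden process.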
Hey, thanks for the quick response and explanation... that really helps.
Still learning the ropes here... thanks again.
James