1:29 p.m.
Anyone ever seen anything like this? It came out of a WinXPSP3x86 ram capture.
PCSXView results;
Offset(P) Name PID pslist psscan thrdproc pspcid csrss session
deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- -------
--------
0x0a074da0 X???E?P??(O'? 23...6 False True False False False False False
PSSCan results;
Offset(P) Name PID PPID PDB Time created Time
exited
---------- ---------------- ------ ------ ---------- ------------------------------
------------------------------
0x0a074da0 X???E?P??(O'? 23...6 23...4 0x8a274dc0
Thanks,
Robert Ayers,
4:27 a.m.
This is likely a false positive since it only shows up in psscan - psscan
is like a carver for processes so sometimes it gives a false positive.
Michael.
On 5 March 2013 19:29, Ayers, Robert <roayers(a)pa.gov> wrote:
Anyone ever seen anything like this? It came out of a
WinXPSP3x86 ram
capture.****
** **
PCSXView results;****
** **
Offset(P) Name PID pslist psscan thrdproc pspcid csrss
session deskthrd****
---------- -------------------- ------ ------ ------ -------- ------ -----
------- --------****
0x0a074da0 X???E?P??(O'? 23...6 False True False False False
False False ****
** **
** **
PSSCan results;****
** **
Offset(P) Name PID PPID PDB Time
created Time exited ****
---------- ---------------- ------ ------ ----------
------------------------------ ------------------------------****
0x0a074da0 X???E?P??(O'? 23...6 23...4
0x8a274dc0 **
**
** **
Thanks,****
*Robert Ayers, *****
** **
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
4271
days inactive
4272
days old
vol-users@lists.volatilityfoundation.org
1 comments
2 participants
participants (2)
-
Ayers, Robert -
Michael Cohen