1:37 p.m.
I'm digging through a memory image of a pretty thoroughly compromised
system using Volatility and I've run across something new (to me
anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe 5004 True True False True False
True False
0xda247250 chrome.exe 4764 True True False True False
True False
0x6da39918 ☼ 42...2 False False False False False
False True
0xdcd97610 SearchFilterHo 6956 False True False False False
False False
0xdace4568 PrintIsolation 6312 False True False False False
False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
3:38 p.m.
Steve,
It looks like the process was found by analyzing desktop threads (True in
the far right column) and then following that lead to the thread's owning
process. Its possible that an application created a desktop (i.e.
CreateDesktop), started a new process attached to that desktop (the
STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually"
attached an existing thread (SetThreadDesktop). At some point before you
acquired memory, the thread(s) terminated and the desktop was removed by
the application by calling CloseDesktop. That is one possible theory to
keep in mind (its not necessarily a rogue process).
I would try running the deskscan plugin to see some details on the desktop
object in question. You can also use volshell and the dt() command to show
the other _EPROCESS fiels for the structure at 0x6da39918.
MHL
On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2(a)mmm.com> wrote:
I'm digging through a memory image of a pretty
thoroughly compromised
system using Volatility and I've run across something new (to me anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe 5004 True True False True False
True False
0xda247250 chrome.exe 4764 True True False True False
True False
0x6da39918 ☼ 42...2 False False False False False
False True
0xdcd97610 SearchFilterHo 6956 False True False False False
False False
0xdace4568 PrintIsolation 6312 False True False False False
False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
5:04 p.m.
Glad this topic came up. I've recently experienced the same thing and
wasn't sure what to make of it. I'll run deskscan and see what turns up.
Thanks!
Ken
On Sat, Mar 16, 2013 at 2:38 PM, Michael Hale Ligh
<michael.hale(a)gmail.com>wrote:
Steve,
It looks like the process was found by analyzing desktop threads (True in
the far right column) and then following that lead to the thread's owning
process. Its possible that an application created a desktop (i.e.
CreateDesktop), started a new process attached to that desktop (the
STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually"
attached an existing thread (SetThreadDesktop). At some point before you
acquired memory, the thread(s) terminated and the desktop was removed by
the application by calling CloseDesktop. That is one possible theory to
keep in mind (its not necessarily a rogue process).
I would try running the deskscan plugin to see some details on the desktop
object in question. You can also use volshell and the dt() command to show
the other _EPROCESS fiels for the structure at 0x6da39918.
MHL
On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2(a)mmm.com> wrote:
I'm digging through a memory image of a
pretty thoroughly compromised
system using Volatility and I've run across something new (to me anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe 5004 True True False True
False True False
0xda247250 chrome.exe 4764 True True False True
False True False
0x6da39918 ☼ 42...2 False False False False
False False True
0xdcd97610 SearchFilterHo 6956 False True False False
False False False
0xdace4568 PrintIsolation 6312 False True False False
False False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
6:29 a.m.
Thank You all for the ideas and suggestions. As it turns out, this
appears to indeed have been a false positive; probably the remains of
something that was once instantiated in that space and since abandoned.
I am working with an image taken from a machine we decided to re-image;
it had been infected and 'cleaned' multiple times in the past to the point
where it was only moderately functional (IE had quit working so he loaded
Firefox, which no longer worked and he was now using Chrome.) I'm digging
through the bones and wreckage to see if there is any more to be gleaned
from this mess; it's a poster child for wipe and reload.
Thanks again!
-=[ Steve ]=-
From: Michael Hale Ligh <michael.hale(a)gmail.com>
To: shorejsi2(a)mmm.com
Cc: vol-users <vol-users(a)volatilesystems.com>
Date: 03/16/2013 02:38 PM
Subject: Re: [Vol-users] Huge PID in psxview
Steve,
It looks like the process was found by analyzing desktop threads (True in
the far right column) and then following that lead to the thread's owning
process. Its possible that an application created a desktop (i.e.
CreateDesktop), started a new process attached to that desktop (the
STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually"
attached an existing thread (SetThreadDesktop). At some point before you
acquired memory, the thread(s) terminated and the desktop was removed by
the application by calling CloseDesktop. That is one possible theory to
keep in mind (its not necessarily a rogue process).
I would try running the deskscan plugin to see some details on the desktop
object in question. You can also use volshell and the dt() command to show
the other _EPROCESS fiels for the structure at 0x6da39918.
MHL
On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2(a)mmm.com> wrote:
I'm digging through a memory image of a pretty thoroughly compromised
system using Volatility and I've run across something new (to me
anyway...).
There's a rogue process in the image that lists a PID which exceeds the
width allocated by Volatility:
0xdba0f9a8 cmd.exe 5004 True True False True False
True False
0xda247250 chrome.exe 4764 True True False True False
True False
0x6da39918 ☼ 42...2 False False False False False
False True
0xdcd97610 SearchFilterHo 6956 False True False False False
False False
0xdace4568 PrintIsolation 6312 False True False False False
False False
I'd dearly love to get my hands on that executable, but I don't see an
easy way to get the PID.
Any easy way forward on this?
-=[ Steve ]=-
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilesystems.com
http://lists.volatilesystems.com/mailman/listinfo/vol-users
4259
days inactive
4261
days old
vol-users@lists.volatilityfoundation.org
3 comments
3 participants
participants (3)
-
Ken Pryor -
Michael Hale Ligh -
shorejsi2@mmm.com