I'd say there's a 50/50 chance of the cause being code injection as compared to just normal process activity over time. So IMO, no, its not enough to warrant further investigation of services.exe. However, your belief that the malware injects code into services.exe (i.e. because you read a report online, someone told you, etc) is enough. You should check out the malfind and ldrmodules plugins, as they can help locate and identify injected code - unless you really want to review 141 VAD segments manually ;=)

If you want to know more about the VADs, check our wiki, the final few chapters of Malware Cookbook, or consider registering for one of our upcoming training courses (which cover VADs and 5 days worth of other material in depth). 

Hope this helps!

On Tue, Dec 11, 2012 at 11:12 AM, Kathy Simm <kathys39@hotmail.com> wrote:
I've got a memory dump of a clean system and a memory dump of a system infected with a piece of malware that I believe has been injected into services.exe.

When I use the vadinfo command, there are 93 memory segments associated with services.exe in the clean dump, and 234 segments in the infected dump.

Is this difference in the number of segments enough to warrant further review of services.exe?  If so, is the next step to dump the extra memory segments that are in the infected dump using the vaddump command and review each of those dumps?

Thanks - any info is appreciated.

Vol-users mailing list