Thanks for the response and great explanation. If possible can you advise
when you have released the plugin either on or off list as and it sounds
On Wed, Jul 31, 2013 at 5:42 PM, Andrew White <awhite.au(a)gmail.com> wrote:
Process Explorer only verifies the signature of the image on disk, not in
memory. As these signatures are not generated on a per page basis, it is
not possible to use them to verify code in memory.
I plan on releasing a prototype plugin that validates in-memory code on
Windows next week, alongside my presentation at DFRWS. This is not achieved
using the existing digital signatures however, but with hashes built from
I hope this answers your question.
On Tue, Jul 30, 2013 at 12:46 PM, sockify <sockify(a)gmail.com> wrote:
I meant Process Explorer and the "verified
On Tue, Jul 30, 2013 at 8:43 PM, sockify <sockify(a)gmail.com> wrote:
Apologies if this has been addressed already but can't find it in the
archives. Is Volatility able to verify image signatures similar to how
Process Monitor can? Suspect the answer is no as it's not a live system and
may not be running under Windows. None of the plugins seem to be able to do
this from what I can see, just want to check I'm not missing something.
Vol-users mailing list
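
Added example, not part of the original thread and not the plugin's code: a sketch of why a digest taken over the whole image on disk cannot be checked against the partial set of pages found in a memory dump, while per-page digests can. The function names and sample data are constructed for illustration, and it assumes in-memory pages are byte-identical to the file's pages, which real PE loading (section alignment, relocations, imports) does not guarantee.

```python
import hashlib

PAGE = 0x1000  # 4 KiB, the small-page size on x86/x64


def file_digest(image: bytes) -> str:
    """One digest over the whole image: the granularity a file signature covers."""
    return hashlib.sha256(image).hexdigest()


def page_digests(image: bytes) -> list:
    """One digest per 4 KiB page of the same image."""
    return [hashlib.sha256(image[off:off + PAGE]).hexdigest()
            for off in range(0, len(image), PAGE)]


def whole_digest_matches(image: bytes, resident: dict) -> bool:
    """Try to reproduce the file digest from only the pages present in memory."""
    joined = b"".join(resident[n] for n in sorted(resident))
    return hashlib.sha256(joined).hexdigest() == file_digest(image)


def check_resident_pages(known: list, resident: dict) -> dict:
    """Verify each resident page on its own against the known-good page digest."""
    return {n: hashlib.sha256(data).hexdigest() == known[n]
            for n, data in sorted(resident.items())}


def build_sample():
    """Constructed data: a 4-page 'image' and a memory view of it."""
    image = b"".join(bytes([i]) * PAGE for i in range(1, 5))
    resident = {
        0: image[0:PAGE],                              # unchanged
        2: image[2 * PAGE:3 * PAGE],                   # unchanged
        3: b"\xcc" + image[3 * PAGE + 1:4 * PAGE],     # one byte modified
    }                                                  # page 1 is paged out
    return image, resident


if __name__ == "__main__":
    image, resident = build_sample()
    print("whole-file digest reproducible:", whole_digest_matches(image, resident))
    for page, ok in check_resident_pages(page_digests(image), resident).items():
        print(f"page {page}: {'ok' if ok else 'MODIFIED'}")
```
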