[Vol-users] Question

Michael Cohen scudette at gmail.com
Wed Mar 6 03:27:36 CST 2013


This is likely a false positive since it only shows up in psscan - psscan
is like a carver for processes so sometimes it gives a false positive.

Michael.

On 5 March 2013 19:29, Ayers, Robert <roayers at pa.gov> wrote:

> Anyone ever seen anything like this? It came out of a WinXPSP3x86 RAM
> capture.
>
> PSXView results:
>
> Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
> ---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
> 0x0a074da0 X???E?P??(O'?     23...6 False  True   False    False  False False   False
>
> PSScan results:
>
> Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
> ---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
> 0x0a074da0 X???E?P??(O'? 23...6 23...4 0x8a274dc0
>
> Thanks,
>
> Robert Ayers,
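A triage helper for psxview output of the kind quoted above, added here as an example; it is not part of the original thread or of Volatility. It goes slightly beyond the thread by also separating psscan-only rows with sane fields from rows that other sources still reference. The sample rows, the function names and the name/PID heuristics are assumptions.

```python
import re

# Column order of the psxview table quoted in the thread (Volatility 2.x).
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.*?)\s+(\S+)((?:\s+(?:True|False)){7})\s*$")
BAD_NAME_CHARS = set('<>:"/\\|?*')  # not allowed in Windows file names

def parse_psxview(text):
    """Return one dict per data row; header and separator lines do not match ROW."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            flags = [f == "True" for f in m.group(4).split()]
            rows.append({"offset": m.group(1), "name": m.group(2),
                         "pid": m.group(3), "seen": dict(zip(SOURCES, flags))})
    return rows

def plausible(row):
    """Heuristic (assumption): image names are printable file names, PIDs are multiples of 4."""
    name, pid = row["name"], row["pid"]
    name_ok = bool(name) and all(" " <= c <= "~" and c not in BAD_NAME_CHARS for c in name)
    return name_ok and pid.isdigit() and int(pid) % 4 == 0

def triage(row):
    seen = [s for s in SOURCES if row["seen"][s]]
    if row["seen"]["pslist"]:
        return "listed"
    if seen == ["psscan"]:
        # Only the pool scanner saw it: garbage fields point to a carving false positive,
        # sane fields to a terminated (or unlinked) process; check its exit time in psscan.
        return "psscan-only" if plausible(row) else "carving-artifact"
    # Missing from the active process list but referenced by other live structures.
    return "investigate"

# Constructed sample output, not data from the thread.
SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0x01a2b020 explorer.exe           1580 True   True   True     True   True  True    True
0x0b185e90 Q??k?#?(z'?         2304566 False  True   False    False  False False   False
0x02f3c8a0 svchost.exe            1992 False  True   True     False  True  True    True
0x03c1e020 cmd.exe                 372 False  True   False    False  False False   False
"""

def triage_all(text):
    return [(r["offset"], triage(r)) for r in parse_psxview(text)]

if __name__ == "__main__":
    for offset, verdict in triage_all(SAMPLE):
        print(offset, verdict)
```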

