[Vol-users] Huge PID in psxview

shorejsi2 at mmm.com
Sat Mar 16 12:37:53 CDT 2013


 I'm digging through a memory image of a pretty thoroughly compromised 
system using Volatility and I've run across something new (to me 
anyway...).

 There's a rogue process in the image that lists a PID which exceeds the 
width allocated by Volatility:

0xdba0f9a8 cmd.exe                5004 True   True   False    True   False  True    False
0xda247250 chrome.exe             4764 True   True   False    True   False  True    False
0x6da39918 ☼                    42...2 False  False  False    False  False  False   True
0xdcd97610 SearchFilterHo         6956 False  True   False    False  False  False   False
0xdace4568 PrintIsolation         6312 False  True   False    False  False  False   False

 I'd dearly love to get my hands on that executable, but I don't see an 
easy way to get the PID.

 Any easy way forward on this?



                        -=[ Steve ]=-
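The rows quoted in the post, worked through as an added example (this is not code from the post, from Steve, or from the Volatility project). The script parses psxview text output, flags rows whose PID field is not a plain integer, whose name field holds non-ASCII or control bytes, or which are missing from pslist while another view still sees them, and builds a procdump invocation from the physical offset in the first column. Volatility 2's procdump accepts that EPROCESS offset via `-o`/`--offset`, so dumping the executable does not depend on recovering the PID. The image file name, profile name and output directory in the usage call are placeholders; the sample rows are the five lines from the post re-joined onto one line each, without a header.

```python
import shlex
from typing import Any, Dict, List

# Column order of Volatility 2 psxview on Windows profiles, after Offset(P), Name and PID.
SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# The five rows quoted in the post above, each re-joined onto one line
# (the mail wrapped every row); the header line is not part of the post.
SAMPLE_OUTPUT = """\
0xdba0f9a8 cmd.exe                5004 True   True   False    True   False  True    False
0xda247250 chrome.exe             4764 True   True   False    True   False  True    False
0x6da39918 ☼                    42...2 False  False  False    False  False  False   True
0xdcd97610 SearchFilterHo         6956 False  True   False    False  False  False   False
0xdace4568 PrintIsolation         6312 False  True   False    False  False  False   False
"""


def parse_psxview(text: str) -> List[Dict[str, Any]]:
    """Parse psxview rows into dicts; 'pid' is None when the field is not a plain integer."""
    rows: List[Dict[str, Any]] = []
    n = len(SOURCES)
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, the header and any dashed separator: data rows start with 0x.
        if len(parts) < 3 + n or not parts[0].startswith("0x"):
            continue
        flags = parts[-n:]
        pid_text = parts[-n - 1]
        name = " ".join(parts[1:-n - 1])  # whatever sits between offset and PID
        rows.append({
            "offset": int(parts[0], 16),  # physical EPROCESS offset
            "name": name,
            "pid_text": pid_text,
            "pid": int(pid_text) if pid_text.isdigit() else None,
            "sources": {src: flag == "True" for src, flag in zip(SOURCES, flags)},
        })
    return rows


def find_anomalies(rows: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Return the rows worth a second look, each with the reasons it was flagged."""
    findings = []
    for row in rows:
        reasons = []
        if row["pid"] is None:
            reasons.append("pid_unparseable")  # e.g. "42...2": value wider than the column
        if any(not (32 <= ord(ch) < 127) for ch in row["name"]):
            reasons.append("name_non_ascii")  # control or non-ASCII bytes where an image name belongs
        seen = {src for src, present in row["sources"].items() if present}
        if "pslist" not in seen:
            if seen == {"psscan"}:
                reasons.append("psscan_only")  # commonly an exited process; triage separately
            else:
                reasons.append("absent_from_pslist")  # another view sees it, the linked list does not
        if reasons:
            findings.append({"offset": f"{row['offset']:#x}", "name": row["name"], "reasons": reasons})
    return findings


def procdump_command(row: Dict[str, Any], image: str, profile: str, outdir: str) -> str:
    """Build a Volatility 2 procdump command keyed on the physical offset, not the PID."""
    return (
        f"vol.py -f {shlex.quote(image)} --profile={shlex.quote(profile)} "
        f"procdump -o {row['offset']:#x} -D {shlex.quote(outdir)}"
    )


if __name__ == "__main__":
    parsed = parse_psxview(SAMPLE_OUTPUT)
    for finding in find_anomalies(parsed):
        print(finding)
    # Placeholder image, profile and output directory; only the offset comes from the post.
    rogue = next(r for r in parsed if r["pid"] is None)
    print(procdump_command(rogue, "memory.raw", "PROFILE_PLACEHOLDER", "dumps"))
```

The flagged-row categories are deliberately coarse: a `psscan_only` row is usually a process that has exited and is still resident in pool memory, while a row present in any other view but absent from pslist is the classic unlinked-process signature and deserves a dump and a closer look regardless of what its PID column shows.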
