[Vol-users] Huge PID in psxview

Ken Pryor kdpryor at gmail.com
Sat Mar 16 16:04:28 CDT 2013


Glad this topic came up. I've recently experienced the same thing and
wasn't sure what to make of it. I'll run deskscan and see what turns up.

Thanks!
Ken

On Sat, Mar 16, 2013 at 2:38 PM, Michael Hale Ligh
<michael.hale at gmail.com> wrote:

> Steve,
>
> It looks like the process was found by analyzing desktop threads (True in
> the far right column) and then following that lead to the thread's owning
> process. It's possible that an application created a desktop (i.e.
> CreateDesktop), started a new process attached to that desktop (the
> STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually"
> attached an existing thread (SetThreadDesktop). At some point before you
> acquired memory, the thread(s) terminated and the desktop was removed by
> the application by calling CloseDesktop. That is one possible theory to
> keep in mind (it's not necessarily a rogue process).
>
> I would try running the deskscan plugin to see some details on the desktop
> object in question. You can also use volshell and the dt() command to show
> the other _EPROCESS fields for the structure at 0x6da39918.
>
> MHL
>
>
> On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2 at mmm.com> wrote:
>
>>  I'm digging through a memory image of a pretty thoroughly compromised
>> system using Volatility and I've run across something new (to me anyway...).
>>
>>  There's a rogue process in the image that lists a PID which exceeds the
>> width allocated by Volatility:
>>
>> 0xdba0f9a8 cmd.exe                5004 True   True   False    True   False True    False
>> 0xda247250 chrome.exe             4764 True   True   False    True   False True    False
>> 0x6da39918 ☼                    42...2 False  False  False    False  False False   True
>> 0xdcd97610 SearchFilterHo         6956 False  True   False    False  False False   False
>> 0xdace4568 PrintIsolation         6312 False  True   False    False  False False   False
>>
>>  I'd dearly love to get my hands on that executable, but I don't see an
>> easy way to get the PID.
>>
>>  Any easy way forward on this?
>>
>>
>>
>>                         -=[ Steve ]=-
>>
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>>
>>
>
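The cross-view reasoning Michael describes (a row that only the desktop-thread walk sees, with a PID too wide for the column) is the kind of thing worth scripting when a psxview listing is long. Below is an added example, not code from the thread or from the Volatility project: it parses psxview text output, tokenising from the right so that junk image names and a truncated PID column do not break the parse, and classifies each row by which views agree. The five sample rows are the ones Steve pasted, re-joined onto one line each; the header line is constructed from the Volatility 2.x psxview column names as I recall them (the "pspcid" label in particular is an assumption). The verdict strings are my own heuristics, not psxview's.

```python
"""Cross-view triage of Volatility 2 psxview rows.

Added example, not code from the thread or the Volatility project. The
sample rows are the five quoted in the thread, re-joined onto one line each;
the header line is written from the psxview column names as remembered
(the "pspcid" label is an assumption).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional

# The seven boolean columns psxview prints, left to right.
VIEW_COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed sample input (rows from the thread, header assumed).
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- --------
0xdba0f9a8 cmd.exe                5004 True   True   False    True   False True    False
0xda247250 chrome.exe             4764 True   True   False    True   False True    False
0x6da39918 ☼                    42...2 False  False  False    False  False False   True
0xdcd97610 SearchFilterHo         6956 False  True   False    False  False False   False
0xdace4568 PrintIsolation         6312 False  True   False    False  False False   False
"""


@dataclass
class Entry:
    offset: int             # physical offset of the _EPROCESS, as printed
    name: str               # ImageFileName as printed (may be junk bytes)
    pid_text: str           # PID column verbatim, e.g. "42...2" when truncated
    pid: Optional[int]      # parsed PID, or None if the column was not a number
    views: Dict[str, bool]  # which of the seven views saw this process


def parse_psxview(text: str) -> List[Entry]:
    """Parse psxview text output. Tokens are taken from the right: the Name
    column may hold spaces or odd characters, but the seven flags and the PID
    always occupy fixed positions at the end of the row."""
    n = len(VIEW_COLUMNS)
    entries: List[Entry] = []
    for line in text.splitlines():
        tokens = line.split()
        if len(tokens) < n + 3 or not tokens[0].startswith("0x"):
            continue  # header, separator, blank, or a wrapped fragment
        flags = tokens[-n:]
        if any(f not in ("True", "False") for f in flags):
            continue
        pid_text = tokens[-n - 1]
        try:
            pid: Optional[int] = int(pid_text)
        except ValueError:
            pid = None  # column was truncated or not numeric
        entries.append(Entry(
            offset=int(tokens[0], 16),
            name=" ".join(tokens[1:-n - 1]),
            pid_text=pid_text,
            pid=pid,
            views=dict(zip(VIEW_COLUMNS, (f == "True" for f in flags))),
        ))
    return entries


def triage(e: Entry) -> str:
    """Explain a row by which views agree. The word before the colon is the
    verdict; the rest is the suggested follow-up."""
    seen = {k for k, ok in e.views.items() if ok}
    if e.views["pslist"]:
        return "listed: present in the active process list"
    if seen == {"psscan"}:
        return "scan-only: likely exited, _EPROCESS pool block not yet reused"
    if seen == {"deskthrd"}:
        return ("deskthrd-only: reached only via a desktop's thread list; verify "
                "with deskscan and volshell dt() on the _EPROCESS at this offset")
    if seen & {"pspcid", "thrdproc", "csrss", "session"}:
        return "unlinked: absent from pslist but known to other kernel structures (DKOM?)"
    return "inconsistent: no two views agree"


def flagged(entries: List[Entry]) -> List[Entry]:
    """Everything not simply listed, plus anything whose PID could not be read."""
    return [e for e in entries if not e.views["pslist"] or e.pid is None]


def report(entries: List[Entry]) -> List[str]:
    """One line per flagged row, noting when the PID must be read from the struct."""
    lines = []
    for e in flagged(entries):
        note = triage(e)
        if e.pid is None:
            note += f"; PID column reads {e.pid_text!r}, read UniqueProcessId from the struct"
        lines.append(f"{e.offset:#010x} {e.name!r} {note}")
    return lines


if __name__ == "__main__":
    for line in report(parse_psxview(SAMPLE_PSXVIEW)):
        print(line)
```

Run against a real listing with `python3 triage.py < psxview.txt` after swapping the sample for `sys.stdin.read()`. The deskthrd-only verdict deliberately stops at "verify": as the thread notes, such a row can be a legitimately terminated process whose desktop was closed, so the script points at deskscan and a dt() of the _EPROCESS rather than calling it malicious.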