[Vol-users] Huge PID in psxview

shorejsi2 at mmm.com shorejsi2 at mmm.com
Mon Mar 18 05:29:56 CDT 2013


 Thank You all for the ideas and suggestions. As it turns out, this 
appears to indeed have been a false positive; probably the remains of 
something that was once instantiated in that space and since abandoned. 

 I am working with an image taken from a machine we decided to re-image; 
it had been infected and 'cleaned' multiple times in the past to the point 
where it was only moderately functional (IE had quit working so he loaded 
Firefox, which no longer worked and he was now using Chrome.) I'm digging 
through the bones and wreckage to see if there is any more to be gleaned 
from this mess; it's a poster child for wipe and reload.

 Thanks again!


                        -=[ Steve ]=-




From:   Michael Hale Ligh <michael.hale at gmail.com>
To:     shorejsi2 at mmm.com
Cc:     vol-users <vol-users at volatilityfoundation.org>
Date:   03/16/2013 02:38 PM
Subject:        Re: [Vol-users] Huge PID in psxview



Steve, 

It looks like the process was found by analyzing desktop threads (True in 
the far right column) and then following that lead to the thread's owning 
process. It's possible that an application created a desktop (i.e. 
CreateDesktop), started a new process attached to that desktop (the 
STARTUPINFO.lpDesktop parameter passed to CreateProcess) or "manually" 
attached an existing thread (SetThreadDesktop). At some point before you 
acquired memory, the thread(s) terminated and the desktop was removed by 
the application by calling CloseDesktop. That is one possible theory to 
keep in mind (it's not necessarily a rogue process). 

I would try running the deskscan plugin to see some details on the desktop 
object in question. You can also use volshell and the dt() command to show 
the other _EPROCESS fields for the structure at 0x6da39918. 

MHL 


On Sat, Mar 16, 2013 at 1:37 PM, <shorejsi2 at mmm.com> wrote:
 I'm digging through a memory image of a pretty thoroughly compromised 
system using Volatility and I've run across something new (to me 
anyway...). 

 There's a rogue process in the image that lists a PID which exceeds the 
width allocated by Volatility: 

0xdba0f9a8 cmd.exe                5004 True   True   False    True   False  True    False 
0xda247250 chrome.exe             4764 True   True   False    True   False  True    False 
0x6da39918 ☼                    42...2 False  False  False    False  False  False   True 
0xdcd97610 SearchFilterHo         6956 False  True   False    False  False  False   False 
0xdace4568 PrintIsolation         6312 False  True   False    False  False  False   False 

 I'd dearly love to get my hands on that executable, but I don't see an 
easy way to get the PID. 

 Any easy way forward on this? 



                        -=[ Steve ]=- 
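Added example, not part of this thread and not Volatility's own code: a small Python triage script that parses psxview rows in the layout quoted above and applies the reasoning from the reply (an _EPROCESS referenced only by a desktop thread, with a PID that is not a sane 32-bit value, reads as a remnant rather than a live hidden process). The sample rows are re-joined copies of the ones quoted in the thread; the header line and the column order it implies are an assumption about the Volatility 2.x plugin output, and the finding labels are this script's own.

```python
import re
from typing import Dict, List, Optional

# Constructed sample of Volatility 2.x psxview output. The five data rows are
# modelled on the ones quoted in the thread (re-joined onto single lines); the
# header line is an assumption about the plugin's column order.
SAMPLE_PSXVIEW = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcdid csrss session deskthrd
---------- -------------------- ------ ------ ------ -------- ------- ----- ------- --------
0xdba0f9a8 cmd.exe                5004 True   True   False    True    False True    False
0xda247250 chrome.exe             4764 True   True   False    True    False True    False
0x6da39918 ☼                    42...2 False  False  False    False   False False   True
0xdcd97610 SearchFilterHo         6956 False  True   False    False   False False   False
0xdace4568 PrintIsolation         6312 False  True   False    False   False False   False
"""

# The seven process-enumeration sources psxview cross-references, in column order
# (assumed to match the header above).
SOURCES = ["pslist", "psscan", "thrdproc", "pspcdid", "csrss", "session", "deskthrd"]


def parse_pid(token: str) -> Optional[int]:
    """Return the PID as an int, or None if the field is not a sane DWORD.
    A PID is a handle-table index held in a 32-bit field, so a value that does
    not parse or does not fit in 32 bits points at a bogus _EPROCESS."""
    if not re.fullmatch(r"\d+", token):
        return None
    pid = int(token)
    return pid if pid <= 0xFFFFFFFF else None


def parse_psxview(text: str) -> List[Dict]:
    """Parse psxview data rows into dicts; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        tokens = line.split()
        # A data row ends with exactly seven True/False tokens, preceded by the PID.
        if len(tokens) < 9 or not all(t in ("True", "False") for t in tokens[-7:]):
            continue
        flags = dict(zip(SOURCES, (t == "True" for t in tokens[-7:])))
        rows.append({
            "offset": tokens[0],
            "name": " ".join(tokens[1:-8]),
            "pid_raw": tokens[-8],
            "pid": parse_pid(tokens[-8]),
            **flags,
        })
    return rows


def triage(row: Dict) -> List[str]:
    """Classify a row by which views saw it. Returns a list of findings (empty = normal)."""
    seen = [s for s in SOURCES if row[s]]
    findings = []
    if row["pid"] is None:
        findings.append("pid_invalid")
    if seen == ["deskthrd"]:
        # Only a desktop thread points at this _EPROCESS: consistent with a thread that
        # ran on a since-closed desktop and whose process memory was never reused,
        # rather than a live process that is hiding.
        findings.append("deskthrd_only_remnant")
    elif not row["pslist"] and seen == ["psscan"]:
        # Pool scan alone: typically an exited process whose _EPROCESS is still in memory.
        findings.append("exited_or_unlinked")
    elif not row["pslist"] and len(seen) >= 2:
        # Missing from the linked list but visible to several other views: the
        # classic unlinked-process pattern that deserves a closer look.
        findings.append("possibly_hidden")
    return findings


def triage_psxview(text: str) -> Dict[str, List[str]]:
    """Map each row's offset to its findings."""
    return {row["offset"]: triage(row) for row in parse_psxview(text)}


if __name__ == "__main__":
    for row in parse_psxview(SAMPLE_PSXVIEW):
        print(f"{row['offset']} {row['name']!r:18} pid={row['pid_raw']:>8} -> {triage(row) or ['ok']}")
```

Run it as-is to see the ☼ row flagged as both an invalid PID and a desktop-thread-only remnant, while the SearchFilterHo and PrintIsolation rows come out as ordinary exited processes; the "possibly_hidden" label is reserved for rows that are absent from pslist yet visible to two or more other views, which is the pattern psxview exists to surface.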
