[Vol-users] Shimcache plugin - no entries
greg.pendergast at gmail.com
Mon Jul 11 14:01:56 CDT 2016
Did anything ever come of this? I've observed recently that I'm also not getting any psscan results. One anomaly is with an image where psscan shows one process with PID 0.
In my case, the images are all Win7SP1x64 and the dumps were captured with winpmem_1.6.2.
> On May 31, 2016, at 6:42 PM, Erika Noerenberg <erika.noerenberg at gmail.com> wrote:
> Yes, sorry - pslist and psxview show normal results (although the psscan column in psxview is all False of course). The system is Win 7 x64 and the memory was dumped from Carbon Black's endpoint response agent (not by me).
>> On Tue, May 31, 2016 at 4:29 PM, Bridgey theGeek <bridgeythegeek at gmail.com> wrote:
>> Hi Erika,
>> Which version of Windows are you analysing?
>> You say 'psscan' returns no results, how about pslist and psxview?
>> I would agree that psscan finding nothing is odd.
>> And how was the image acquired?
>> Let us know!
>>> On 31 May 2016 at 21:38, Erika Noerenberg <erika.noerenberg at gmail.com> wrote:
>>> Hello all,
>>> I am analyzing a memory dump and looking at execution in a period of known bad activity, and have been able to gather quite a bit of information using volatility. For some reason though, shimcache and psscan return no results, although all the other plugins I've run (and volshell) have worked fine. I find it hard to believe that psscan for one can find no _EPROCESS structures, so I'm not sure what's happening. Also, in the results from the timeliner, I have several entries with blank shimcache entries like "macb,---------------,0,0,0,"[SHIMCACHE] "" during times I can correlate with shimcache entries on disk, so I know something is just not being picked up.
>>> Any ideas on why shimcache/psscan would produce no results? I'm not sure about the best way to track down the reason.
>>> Vol-users mailing list
>>> Vol-users at volatilityfoundation.org
> Vol-users mailing list
> Vol-users at volatilityfoundation.org
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the Vol-users