🧂 Preface
Today I want to introduce the psxview plugin. Sometimes a malicious process does not show up in pslist or pstree, so we need psxview to cross-compare the different process views and find the suspicious ones.
🍘 Tools
Volatility
Download links:
Volatility 2 : https://github.com/volatilityfoundation/volatility
Volatility 3 : https://github.com/volatilityfoundation/volatility3
The classic memory analysis tool: its commands extract the key information from a memory dump, such as processes, network connections, files and so on.
For basic usage I recommend searching online for one of the command reference docs that people have already compiled.
Volatility comes in versions 2 and 3. The difference is that version 2 runs on python2 and version 3 runs on python3. Volatility 2 is no longer maintained, but some of its plugins are still more complete and richer than what Volatility 3 offers so far, which is why some people still prefer Volatility 2.
What are pslist/pstree
Yes, that's right: after six days of memory forensics, only now do we get to what pslist/pstree actually are.
pslist/pstree help us see which processes were running on the machine. They work by using the symbol table to locate the address of the Windows kernel's PsActiveProcessHead, then walking that list through the ActiveProcessLinks pointers, reading each EPROCESS structure in turn and parsing the required fields, such as ImageFileName, UniqueProcessId, CreateTime and ExitTime.

pstree takes the pslist result and turns it into a parent-child tree.
If you follow one of the approaches in https://ithelp.ithome.com.tw/m/articles/10321120 or https://ithelp.ithome.com.tw/articles/10335699, you can see that malware really can hide a process so that pslist and pstree cannot detect it. In that case we can try psscan to detect it.
What is psscan?
First, some background: when the Windows kernel allocates memory for many kernel objects (for example EPROCESS, ETHREAD, FILE_OBJECT), it places a 4-byte pool tag in the _POOL_HEADER that identifies the purpose or origin of that allocation.
psscan is a scanner that uses pool-tag scanning: it searches the memory dump for _POOL_HEADERs and their pool tags, then runs structural consistency checks on each candidate block (for example field ranges, whether pointers point to readable memory, whether the ProcessName is readable) to decide whether the block is a valid EPROCESS/ETHREAD. So even if a process object has been unlinked from the kernel's active list (for example hidden by a rootkit), as long as its pool allocation still exists in memory and has not been overwritten, psscan can usually find it.
$ vol -f MemoryDump.mem windows.psscan
Volatility 3 Framework 2.11.0
Progress:  100.00		PDB scanning finished
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

832	676	msdtc.exe	0xad8185861280	9	-	0	False	2023-05-21 22:29:25.000000 UTC	N/A	Disabled
4	0	System	0xad8185883180	157	-	N/A	False	2023-05-21 22:27:10.000000 UTC	N/A	Disabled
108	4	Registry	0xad81858f2080	4	-	N/A	False	2023-05-21 22:26:54.000000 UTC	N/A	Disabled
3028	676	dllhost.exe	0xad8185907080	12	-	0	False	2023-05-21 22:29:20.000000 UTC	N/A	Disabled
5704	824	RuntimeBroker.	0xad8185962080	5	-	1	False	2023-05-21 22:32:44.000000 UTC	N/A	Disabled
332	4	smss.exe	0xad81860dc040	2	-	N/A	False	2023-05-21 22:27:10.000000 UTC	N/A	Disabled
452	444	csrss.exe	0xad81861cd080	12	-	0	False	2023-05-21 22:27:22.000000 UTC	N/A	Disabled
2404	2152	vm3dservice.ex	0xad8186619200	2	-	1	False	2023-05-21 22:28:32.000000 UTC	N/A	Disabled
528	520	csrss.exe	0xad8186f1b140	14	-	1	False	2023-05-21 22:27:25.000000 UTC	N/A	Disabled
552	444	wininit.exe	0xad8186f2b080	1	-	0	False	2023-05-21 22:27:25.000000 UTC	N/A	Disabled
588	520	winlogon.exe	0xad8186f450c0	5	-	1	False	2023-05-21 22:27:25.000000 UTC	N/A	Disabled
372	824	SkypeBackgroun	0xad8186f49080	3	-	1	False	2023-05-21 22:10:00.000000 UTC	N/A	Disabled
1232	676	svchost.exe	0xad8186f4a2c0	7	-	0	False	2023-05-21 22:29:39.000000 UTC	N/A	Disabled
676	552	services.exe	0xad8186f4d080	7	-	0	False	2023-05-21 22:27:29.000000 UTC	N/A	Disabled
696	552	lsass.exe	0xad8186fc6080	10	-	0	False	2023-05-21 22:27:29.000000 UTC	N/A	Disabled
852	552	fontdrvhost.ex	0xad818761b0c0	5	-	0	False	2023-05-21 22:27:33.000000 UTC	N/A	Disabled
824	676	svchost.exe	0xad818761d240	22	-	0	False	2023-05-21 22:27:32.000000 UTC	N/A	Disabled
860	588	fontdrvhost.ex	0xad818761f140	5	-	1	False	2023-05-21 22:27:33.000000 UTC	N/A	Disabled
952	676	svchost.exe	0xad81876802c0	12	-	0	False	2023-05-21 22:27:36.000000 UTC	N/A	Disabled
1016	588	dwm.exe	0xad81876e4340	15	-	1	False	2023-05-21 22:27:38.000000 UTC	N/A	Disabled
5656	824	RuntimeBroker.	0xad81876e8080	0	-	1	False	2023-05-21 21:58:19.000000 UTC	2023-05-21 22:02:01.000000 UTC	Disabled
448	676	svchost.exe	0xad8187721240	54	-	0	False	2023-05-21 22:27:41.000000 UTC	N/A	Disabled
1012	676	svchost.exe	0xad818774c080	19	-	0	False	2023-05-21 22:27:43.000000 UTC	N/A	Disabled
752	676	svchost.exe	0xad8187758280	21	-	0	False	2023-05-21 22:27:43.000000 UTC	N/A	Disabled
1196	676	svchost.exe	0xad81877972c0	34	-	0	False	2023-05-21 22:27:46.000000 UTC	N/A	Disabled
1376	676	svchost.exe	0xad81878020c0	15	-	0	False	2023-05-21 22:27:49.000000 UTC	N/A	Disabled
1280	4	MemCompression	0xad8187835080	62	-	N/A	False	2023-05-21 22:27:49.000000 UTC	N/A	Disabled
1448	676	svchost.exe	0xad818796c2c0	30	-	0	False	2023-05-21 22:27:52.000000 UTC	N/A	Disabled
1496	676	svchost.exe	0xad81879752c0	12	-	0	False	2023-05-21 22:27:52.000000 UTC	N/A	Disabled
1644	676	svchost.exe	0xad8187a112c0	6	-	0	False	2023-05-21 22:27:58.000000 UTC	N/A	Disabled
1652	676	svchost.exe	0xad8187a2d2c0	10	-	0	False	2023-05-21 22:27:58.000000 UTC	N/A	Disabled
8896	5328	msedge.exe	0xad8187a39080	18	-	1	False	2023-05-21 22:28:21.000000 UTC	N/A	Disabled
1840	676	spoolsv.exe	0xad8187acb200	10	-	0	False	2023-05-21 22:28:03.000000 UTC	N/A	Disabled
1892	676	svchost.exe	0xad8187b34080	14	-	0	False	2023-05-21 22:28:05.000000 UTC	N/A	Disabled
2024	676	svchost.exe	0xad8187b65240	7	-	0	False	2023-05-21 22:28:11.000000 UTC	N/A	Disabled
2076	676	svchost.exe	0xad8187b94080	10	-	0	False	2023-05-21 22:28:19.000000 UTC	N/A	Disabled
1120	676	MsMpEng.exe	0xad818945c080	12	-	0	False	2023-05-21 22:10:01.000000 UTC	N/A	Disabled
2144	676	vmtoolsd.exe	0xad81896ab080	11	-	0	False	2023-05-21 22:28:19.000000 UTC	N/A	Disabled
2152	676	vm3dservice.ex	0xad81896ae240	2	-	0	False	2023-05-21 22:28:19.000000 UTC	N/A	Disabled
2200	676	VGAuthService.	0xad81896b3300	2	-	0	False	2023-05-21 22:28:19.000000 UTC	N/A	Disabled
3252	3580	vmtoolsd.exe	0xad8189796300	8	-	1	False	2023-05-21 22:31:59.000000 UTC	N/A	Disabled
464	3580	SecurityHealth	0xad818979d080	3	-	1	False	2023-05-21 22:31:59.000000 UTC	N/A	Disabled
130195296305516	127577716190325	�	0xad818997494d	1342177466	-	-	True	2000-08-31 04:07:25.000000 UTC	-	Disabled
2044	676	svchost.exe	0xad8189b27080	28	-	0	False	2023-05-21 22:49:29.000000 UTC	N/A	Disabled
3876	448	taskhostw.exe	0xad8189b30080	8	-	1	False	2023-05-21 22:08:02.000000 UTC	N/A	Disabled
5896	8844	oneetx.exe	0xad8189b41080	5	-	1	True	2023-05-21 22:30:56.000000 UTC	N/A	Disabled
3204	752	ctfmon.exe	0xad8189c8b280	12	-	1	False	2023-05-21 22:30:11.000000 UTC	N/A	Disabled
1600	448	taskhostw.exe	0xad8189d07300	10	-	1	False	2023-05-21 22:30:09.000000 UTC	N/A	Disabled
1064	676	svchost.exe	0xad8189d7c2c0	15	-	1	False	2023-05-21 22:30:09.000000 UTC	N/A	Disabled
1392	448	sihost.exe	0xad8189e94280	11	-	1	False	2023-05-21 22:30:08.000000 UTC	N/A	Disabled
3556	588	userinit.exe	0xad818c02f340	0	-	1	False	2023-05-21 22:30:28.000000 UTC	2023-05-21 22:30:43.000000 UTC	Disabled
3580	3556	explorer.exe	0xad818c047340	76	-	1	False	2023-05-21 22:30:28.000000 UTC	N/A	Disabled
3944	824	WmiPrvSE.exe	0xad818c054080	13	-	0	False	2023-05-21 22:30:44.000000 UTC	N/A	Disabled
4448	824	RuntimeBroker.	0xad818c09a080	9	-	1	False	2023-05-21 22:31:33.000000 UTC	N/A	Disabled
6544	5328	msedge.exe	0xad818c0ea080	18	-	1	False	2023-05-21 22:22:35.000000 UTC	N/A	Disabled
3004	676	svchost.exe	0xad818c4212c0	7	-	0	False	2023-05-21 22:30:55.000000 UTC	N/A	Disabled
1116	676	svchost.exe	0xad818c426080	6	-	1	False	2023-05-21 22:31:00.000000 UTC	N/A	Disabled
6696	676	svchost.exe	0xad818c532080	8	-	0	False	2023-05-21 22:34:07.000000 UTC	N/A	Disabled
5156	5328	msedge.exe	0xad818c553080	14	-	1	False	2023-05-21 22:28:22.000000 UTC	N/A	Disabled
3160	824	StartMenuExper	0xad818cad3240	14	-	1	False	2023-05-21 22:31:21.000000 UTC	N/A	Disabled
7160	824	SearchApp.exe	0xad818ccc4080	57	-	1	False	2023-05-21 22:39:13.000000 UTC	N/A	Disabled
4116	824	RuntimeBroker.	0xad818cd93300	3	-	1	False	2023-05-21 22:31:24.000000 UTC	N/A	Disabled
4228	676	SearchIndexer.	0xad818ce06240	15	-	0	False	2023-05-21 22:31:27.000000 UTC	N/A	Disabled
3608	676	svchost.exe	0xad818d07a080	3	-	0	False	2023-05-21 22:41:28.000000 UTC	N/A	Disabled
5328	3580	msedge.exe	0xad818d0980c0	54	-	1	False	2023-05-21 22:32:02.000000 UTC	N/A	Disabled
1916	824	SearchApp.exe	0xad818d099080	24	-	1	False	2023-05-21 22:33:05.000000 UTC	N/A	Disabled
6200	676	SgrmBroker.exe	0xad818d09f080	7	-	0	False	2023-05-21 22:33:42.000000 UTC	N/A	Disabled
2228	3580	FTK Imager.exe	0xad818d143080	10	-	1	False	2023-05-21 22:43:56.000000 UTC	N/A	Disabled
1764	824	dllhost.exe	0xad818d176080	7	-	1	False	2023-05-21 22:32:48.000000 UTC	N/A	Disabled
7732	5896	rundll32.exe	0xad818d1912c0	1	-	1	True	2023-05-21 22:31:53.000000 UTC	N/A	Disabled
5136	676	SecurityHealth	0xad818d374280	7	-	0	False	2023-05-21 22:32:01.000000 UTC	N/A	Disabled
6644	824	SkypeApp.exe	0xad818d3ac080	49	-	1	False	2023-05-21 22:41:52.000000 UTC	N/A	Disabled
5480	448	oneetx.exe	0xad818d3d6080	6	-	1	True	2023-05-21 23:03:00.000000 UTC	N/A	Disabled
8708	676	svchost.exe	0xad818d431080	5	-	0	False	2023-05-21 22:57:33.000000 UTC	N/A	Disabled
4396	5328	msedge.exe	0xad818d515080	7	-	1	False	2023-05-21 22:32:19.000000 UTC	N/A	Disabled
4544	5328	msedge.exe	0xad818d75b080	14	-	1	False	2023-05-21 22:32:39.000000 UTC	N/A	Disabled
1144	5328	msedge.exe	0xad818d75f080	18	-	1	False	2023-05-21 22:32:38.000000 UTC	N/A	Disabled
6292	5328	msedge.exe	0xad818d7a1080	20	-	1	False	2023-05-21 22:06:15.000000 UTC	N/A	Disabled
5340	5328	msedge.exe	0xad818d7b3080	10	-	1	False	2023-05-21 22:32:39.000000 UTC	N/A	Disabled
5636	3580	notepad.exe	0xad818db45080	1	-	1	False	2023-05-21 22:46:50.000000 UTC	N/A	Disabled
6048	448	taskhostw.exe	0xad818dc5d080	5	-	1	False	2023-05-21 22:40:20.000000 UTC	N/A	Disabled
6596	676	TrustedInstall	0xad818dc88080	4	-	0	False	2023-05-21 22:58:13.000000 UTC	N/A	Disabled
5808	824	HxTsr.exe	0xad818de5d080	0	-	1	False	2023-05-21 21:59:58.000000 UTC	2023-05-21 22:07:45.000000 UTC	Disabled
4628	6724	tun2socks.exe	0xad818de82340	0	-	1	True	2023-05-21 22:40:10.000000 UTC	2023-05-21 23:01:24.000000 UTC	Disabled
7964	5328	msedge.exe	0xad818dee5080	19	-	1	False	2023-05-21 22:22:09.000000 UTC	N/A	Disabled
7696	824	dllhost.exe	0xad818dee6080	0	-	1	False	2023-05-21 23:02:40.000000 UTC	2023-05-21 23:02:45.000000 UTC	Disabled
6324	1496	audiodg.exe	0xad818df2e080	4	-	0	False	2023-05-21 22:42:56.000000 UTC	N/A	Disabled
2388	5328	msedge.exe	0xad818e54c340	18	-	1	False	2023-05-21 22:05:35.000000 UTC	N/A	Disabled
6724	3580	Outline.exe	0xad818e578080	0	-	1	True	2023-05-21 22:36:09.000000 UTC	2023-05-21 23:01:24.000000 UTC	Disabled
8952	824	TextInputHost.	0xad818e6db080	10	-	1	False	2023-05-21 21:59:11.000000 UTC	N/A	Disabled
5476	676	svchost.exe	0xad818e752080	9	-	0	False	2023-05-21 22:58:08.000000 UTC	N/A	Disabled
2332	824	TiWorker.exe	0xad818e780080	4	-	0	False	2023-05-21 22:58:13.000000 UTC	N/A	Disabled
7312	824	ApplicationFra	0xad818e84f300	10	-	1	False	2023-05-21 22:35:44.000000 UTC	N/A	Disabled
4340	676	VSSVC.exe	0xad818e888080	3	-	0	False	2023-05-21 23:01:06.000000 UTC	N/A	Disabled
4224	6724	Outline.exe	0xad818e88b080	0	-	1	True	2023-05-21 22:36:23.000000 UTC	2023-05-21 23:01:24.000000 UTC	Disabled
7772	676	svchost.exe	0xad818e88e140	3	-	0	False	2023-05-21 22:36:03.000000 UTC	N/A	Disabled
7540	824	smartscreen.ex	0xad818e893080	14	-	1	False	2023-05-21 23:02:26.000000 UTC	N/A	Disabled
7788	2916	conhost.exe	0xad818e8a1080	0	-	0	False	2023-05-21 23:01:27.000000 UTC	2023-05-21 23:01:48.000000 UTC	Disabled
7336	824	RuntimeBroker.	0xad818e8bb080	2	-	1	False	2023-05-21 22:11:39.000000 UTC	N/A	Disabled
6076	824	ShellExperienc	0xad818eb18080	14	-	1	False	2023-05-21 22:11:36.000000 UTC	N/A	Disabled
8264	824	RuntimeBroker.	0xad818eec8080	4	-	1	False	2023-05-21 22:40:33.000000 UTC	N/A	Disabled
8920	3580	FTK Imager.exe	0xad818ef81080	20	-	1	False	2023-05-21 23:02:28.000000 UTC	N/A	Disabled
5964	676	svchost.exe	0xad818ef86080	5	-	0	False	2023-05-21 22:27:56.000000 UTC	N/A	Disabled
125689842201708	208586546348048	dexer	0xad818f4f62ad	16777219	-	-	True	2000-08-31 04:05:52.000000 UTC	-	Disabled
4396	5328	msedge.exe	0xbe8505fbf080	7	-	1	False	2023-05-21 22:32:19.000000 UTC	N/A	Disabled
Now that we know psscan, comparing its results against pslist by hand is far too tedious, so there is a plugin that does the comparison for us. That plugin is today's topic: psxview.
What is psxview?
This plugin compares the pslist/pstree and psscan results we just discussed, plus other views such as thrdscan and csrss. If a process does not appear in a given scan, that column shows False; otherwise it shows True. So if a process shows False in pslist but True in psscan, it is worth analysing to see whether a rootkit is involved.
$ vol -f MemoryDump.mem windows.psxview.PsXView
Volatility 3 Framework 2.11.0
Progress:  100.00		PDB scanning finished
Offset(Virtual)	Name	PID	pslist	psscan	thrdscan	csrss	Exit Time

0xad8187acb200	spoolsv.exe	1840	True	True	True	True
0xad81896ab080	vmtoolsd.exe	2144	True	True	True	True
0xad8185907080	dllhost.exe	3028	True	True	True	True
0xad818d75b080	msedge.exe	4544	True	True	True	True
0xad818d75f080	msedge.exe	1144	True	True	True	True
0xad818d09f080	SgrmBroker.exe	6200	True	True	True	True
0xad818e88b080	Outline.exe	4224	True	True	False	False	2023-05-21 23:01:24+00:00
0xad818e6db080	TextInputHost.	8952	True	True	True	True
0xad818d7b3080	msedge.exe	5340	True	True	True	True
0xad818e8bb080	RuntimeBroker.	7336	True	True	True	True
0xad818c553080	msedge.exe	5156	True	True	True	True
0xad8189c8b280	ctfmon.exe	3204	True	True	True	True
0xad818db45080	notepad.exe	5636	True	True	True	True
0xad81860dc040	smss.exe	332	True	True	True	False
0xad818761d240	svchost.exe	824	True	True	True	True
0xad8187721240	svchost.exe	448	True	True	True	True
0xad8187b65240	svchost.exe	2024	True	True	True	True
0xad818cad3240	StartMenuExper	3160	True	True	True	True
0xad818ce06240	SearchIndexer.	4228	True	True	True	True
0xad818c4212c0	svchost.exe	3004	True	True	True	True
0xad818e893080	smartscreen.ex	7540	True	True	True	True
0xad818e578080	Outline.exe	6724	True	True	True	False	2023-05-21 23:01:24+00:00
0xad81858f2080	Registry	108	True	True	True	False
0xad81861cd080	csrss.exe	452	True	True	True	False
0xad8186f2b080	wininit.exe	552	True	True	True	True
0xad8186f4d080	services.exe	676	True	True	True	True
0xad8186fc6080	lsass.exe	696	True	True	True	True
0xad818774c080	svchost.exe	1012	True	True	True	True
0xad8187835080	MemCompression	1280	True	True	True	False
0xad8187758280	svchost.exe	752	True	True	True	True
0xad8187b34080	svchost.exe	1892	True	True	True	True
0xad8187b94080	svchost.exe	2076	True	True	True	True
0xad818c054080	WmiPrvSE.exe	3944	True	True	True	True
0xad818945c080	MsMpEng.exe	1120	True	True	True	True
0xad818ccc4080	SearchApp.exe	7160	True	True	True	True
0xad818eec8080	RuntimeBroker.	8264	True	True	True	True
0xad81876e8080	RuntimeBroker.	5656	True	True	False	False	2023-05-21 22:02:01+00:00
0xad8189e94280	sihost.exe	1392	True	True	True	True
0xad818d374280	SecurityHealth	5136	True	True	True	True
0xad818e780080	TiWorker.exe	2332	True	True	True	True
0xad818f4f62ad	dexer	125689842201708	False	True	False	False
0xad8189b27080	svchost.exe	2044	True	True	True	True
0xad818dc88080	TrustedInstall	6596	True	True	True	True
0xad818e888080	VSSVC.exe	4340	True	True	True	True
0xad8186f450c0	winlogon.exe	588	True	True	True	True
0xad818761b0c0	fontdrvhost.ex	852	True	True	True	True
0xad81877972c0	svchost.exe	1196	True	True	True	True
0xad81876802c0	svchost.exe	952	True	True	True	True
0xad81878020c0	svchost.exe	1376	True	True	True	True
0xad818d0980c0	msedge.exe	5328	True	True	True	True
0xad818796c2c0	svchost.exe	1448	True	True	True	True
0xad81879752c0	svchost.exe	1496	True	True	True	True
0xad8187a112c0	svchost.exe	1644	True	True	True	True
0xad8187a2d2c0	svchost.exe	1652	True	True	True	True
0xad8186f4a2c0	svchost.exe	1232	True	True	True	True
0xad818d3d6080	oneetx.exe	5480	True	True	True	True
0xad818eb18080	ShellExperienc	6076	True	True	True	True
0xad81896b3300	VGAuthService.	2200	True	True	True	True
0xad8189d07300	taskhostw.exe	1600	True	True	True	True
0xad818cd93300	RuntimeBroker.	4116	True	True	True	True
0xad8189796300	vmtoolsd.exe	3252	True	True	True	True
0xad818e84f300	ApplicationFra	7312	True	True	True	True
0xad818979d080	SecurityHealth	464	True	True	True	True
0xad818dc5d080	taskhostw.exe	6048	True	True	True	True
0xad818de5d080	HxTsr.exe	5808	True	True	False	False	2023-05-21 22:07:45+00:00
0xad818d7a1080	msedge.exe	6292	True	True	True	True
0xad8186f49080	SkypeBackgroun	372	True	True	True	True
0xad818d515080	msedge.exe	4396	True	True	True	True
0xad818d099080	SearchApp.exe	1916	True	True	True	True
0xad818dee5080	msedge.exe	7964	True	True	True	True
0xad8187a39080	msedge.exe	8896	True	True	True	True
0xad8189b41080	oneetx.exe	5896	True	True	True	True
0xad8185861280	msdtc.exe	832	True	True	True	True
0xbe8505fbf080	msedge.exe	4396	False	True	False	False
0xad818ef81080	FTK Imager.exe	8920	True	True	True	True
0xad818d143080	FTK Imager.exe	2228	True	True	True	True
0xad818dee6080	dllhost.exe	7696	False	True	False	False	2023-05-21 23:02:45+00:00
0xad8186f1b140	csrss.exe	528	True	True	True	False
0xad818761f140	fontdrvhost.ex	860	True	True	True	True
0xad81876e4340	dwm.exe	1016	True	True	True	True
0xad818e88e140	svchost.exe	7772	True	True	True	True
0xad818c02f340	userinit.exe	3556	True	True	False	False	2023-05-21 22:30:43+00:00
0xad818c047340	explorer.exe	3580	True	True	True	True
0xad818e54c340	msedge.exe	2388	True	True	True	True
0xad818d3ac080	SkypeApp.exe	6644	True	True	True	True
0xad8189b30080	taskhostw.exe	3876	True	True	True	True
0xad8185883180	System	4	True	True	True	False
0xad818c09a080	RuntimeBroker.	4448	True	True	True	True
0xad818d07a080	svchost.exe	3608	True	True	True	True
0xad8185962080	RuntimeBroker.	5704	True	True	True	True
0xad818c426080	svchost.exe	1116	True	True	True	True
0xad818c532080	svchost.exe	6696	True	True	True	True
0xad818d176080	dllhost.exe	1764	True	True	True	True
0xad818c0ea080	msedge.exe	6544	True	True	True	True
0xad818ef86080	svchost.exe	5964	True	True	True	True
0xad818df2e080	audiodg.exe	6324	True	True	True	True
0xad818e752080	svchost.exe	5476	True	True	True	True
0xad818e8a1080	conhost.exe	7788	False	True	False	False	2023-05-21 23:01:48+00:00
0xad8189d7c2c0	svchost.exe	1064	True	True	True	True
0xad818d431080	svchost.exe	8708	True	True	True	True
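To make the three ideas above concrete (walking the active-process list like pslist, pool-tag scanning like psscan, and cross-referencing the two like psxview), here is a small worked example. It is added for this article and is not Volatility's code: the memory image, the pool header, the EPROCESS layout, the list head offset, the tag "Proc" and the process table are all constructed for the demo and are far simpler than the real Windows structures, but the mechanics are the same. One process is written to the image but left out of the linked list, which is exactly the situation the article describes: invisible to a list walk, still present in memory for a scanner.

```python
"""Toy versions of pslist, psscan and psxview over a constructed memory image.
Layouts below are assumptions for this example, not the real Windows structures."""
import struct

POOL_TAG = b"Proc"                  # constructed tag for the fake process objects
HDR = struct.Struct("<I4s")         # fake _POOL_HEADER: block size, 4-byte tag
PROC = struct.Struct("<IIQQ16s")    # fake EPROCESS: pid, ppid, flink, blink, name
HEAD_OFF = 0x10                     # fake PsActiveProcessHead: (flink, blink)
LINK_OFF = 8                        # offset of the list entry inside the fake EPROCESS
IMG_SIZE = 0x1000

# Constructed process table: (pid, ppid, image name)
PROCS = [
    (4, 0, b"System"),
    (332, 4, b"smss.exe"),
    (676, 552, b"services.exe"),
    (4242, 676, b"unlinked.exe"),
]


def build_image(procs, hidden=()):
    """Allocate every process (pool header + EPROCESS) at a fixed offset, then
    link only the non-hidden ones into the circular active-process list.
    A hidden process keeps its allocation but is absent from the list."""
    img = bytearray(IMG_SIZE)
    allocs = {}
    for i, (pid, ppid, name) in enumerate(procs):
        off = 0x100 * (i + 1)
        allocs[pid] = off
        img[off:off + HDR.size] = HDR.pack(HDR.size + PROC.size, POOL_TAG)
        img[off + HDR.size:off + HDR.size + PROC.size] = PROC.pack(
            pid, ppid, 0, 0, name.ljust(16, b"\0"))
    # Stray "Proc" bytes inside unrelated data: a scanner must reject these.
    img[0xF00:0xF04] = POOL_TAG
    chain = [HEAD_OFF] + [allocs[pid] + HDR.size + LINK_OFF
                          for pid, _, _ in procs if pid not in hidden]
    for idx, entry in enumerate(chain):
        flink = chain[(idx + 1) % len(chain)]
        blink = chain[(idx - 1) % len(chain)]
        img[entry:entry + 16] = struct.pack("<QQ", flink, blink)
    return img


def pslist(img):
    """Walk from the list head along flink, as pslist/pstree do with
    PsActiveProcessHead and ActiveProcessLinks. Returns {eprocess_offset: (pid, name)}."""
    found, seen = {}, set()
    flink, _ = struct.unpack_from("<QQ", img, HEAD_OFF)
    while flink != HEAD_OFF and flink not in seen:   # stop at head or on a cycle
        seen.add(flink)
        eproc = flink - LINK_OFF
        pid, _, nxt, _, name = PROC.unpack_from(img, eproc)
        found[eproc] = (pid, name.rstrip(b"\0").decode())
        flink = nxt
    return found


def psscan(img):
    """Pool-tag scan: find every POOL_TAG in the image, then apply consistency
    checks (header size matches, structure fits in the image, non-zero PID,
    printable name) before accepting the candidate as a process object."""
    found = {}
    pos = img.find(POOL_TAG)
    while pos != -1:
        hdr_off = pos - 4                    # tag sits after the 4-byte size field
        eproc = hdr_off + HDR.size
        if hdr_off >= 0 and eproc + PROC.size <= len(img):
            size, _ = HDR.unpack_from(img, hdr_off)
            pid, _, _, _, name = PROC.unpack_from(img, eproc)
            name = name.rstrip(b"\0")
            if (size == HDR.size + PROC.size and pid != 0 and name
                    and all(0x20 <= b < 0x7F for b in name)):
                found[eproc] = (pid, name.decode())
        pos = img.find(POOL_TAG, pos + 1)
    return found


def psxview(img):
    """Union of both views; each row records which view saw the object."""
    lst, scan = pslist(img), psscan(img)
    rows = []
    for off in sorted(set(lst) | set(scan)):
        pid, name = lst.get(off) or scan[off]
        rows.append((off, name, pid, off in lst, off in scan))
    return rows


def suspicious(img):
    """The pattern the article says to investigate: in psscan, not in pslist."""
    return [(name, pid) for _, name, pid, in_list, in_scan in psxview(img)
            if in_scan and not in_list]


if __name__ == "__main__":
    image = build_image(PROCS, hidden={4242})
    print(f"{'Offset':<10} {'Name':<14} {'PID':>5} pslist psscan")
    for off, name, pid, in_list, in_scan in psxview(image):
        print(f"{off:#010x} {name:<14} {pid:>5} {in_list!s:<6} {in_scan!s}")
    print("suspicious:", suspicious(image))
```

Running it prints four rows, three with pslist=True and one (unlinked.exe) with pslist=False but psscan=True, which is the row psxview would flag. Two things worth keeping in mind when reading real output like the listing above: a process that has already exited can also appear only in psscan (its object is still in pool memory), which is why psxview prints the Exit Time column next to the flags, and pool-tag scanning can pick up leftover or garbage data that happens to pass the checks (the rows with nonsensical names and PIDs), so a False in pslist is a lead to investigate rather than proof of a rootkit.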
Conclusion:
During memory forensics some malware hides itself so that pslist and pstree cannot find it, so we can use the PsXView plugin to cross-compare the views and find suspicious processes.
📚 References:
https://github.com/volatilityfoundation/volatility/wiki/command-reference?utm_source=chatgpt.com
https://www.tophertimzen.com/resources/cs407/slides/week02_02-Processes.html#slide6
https://dfrws.org/sites/default/files/session-files/2016_EU_pres_pool_tag_-_quick_scanning_for_windows_memory_analysis.pdf
https://notes.qazeer.io/dfir/common/memory_forensics?utm_source=chatgpt.com