LDR modules

Malware authors commonly try to hide the activity of their code. One technique is to hide the DLL files associated with the malicious code by unlinking the suspect DLL from the module lists kept in the Process Environment Block (PEB). While this provides some obfuscation on the surface, trace evidence of the DLL's existence remains in the Virtual Address Descriptor (VAD), a kernel structure that records a mapped DLL's base address and full path. The ldrmodules plugin compares the DLLs recorded in the VAD against the PEB's module lists and reports which lists each module appears in. The following command runs ldrmodules against the Cridex image file:

dfir@Desktop-SFARF6G~$ volatility -f cridex_laptop.mem --profile=WinXPSP2x86 -p 1640 ldrmodules

The command produces the following output:

A review of the output reveals an interesting entry on the top line:

From this output, the reader_sl.exe process does appear to have an issue associated with a DLL file. The indicator that this process is suspect is the False value in the InInit column for the first entry. This indicates that the executable has unlinked the DLL, and the reader_sl.exe file warrants further investigation.
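The following is an added example, not code from the page or from Volatility itself: a small Python parser for ldrmodules text output that flags entries with a False in any PEB column or with no VAD-backed path. The sample output, module names and addresses are constructed for illustration.

```python
import re

# Constructed ldrmodules-style output (Volatility 2 column layout); not real data.
SAMPLE = r"""
Pid      Process              Base       InLoad InInit InMem MappedPath
-------- -------------------- ---------- ------ ------ ----- ----------
1640     reader_sl.exe        0x00400000 True   False  True  \Program Files\Adobe\Reader 9.0\Reader\reader_sl.exe
1640     reader_sl.exe        0x7c900000 True   True   True  \WINDOWS\system32\ntdll.dll
1640     reader_sl.exe        0x10000000 False  False  False \WINDOWS\system32\hidden_example.dll
1640     reader_sl.exe        0x00c00000 False  False  True
"""

# MappedPath may contain spaces or be empty, so it is matched last as "the rest of the line".
LINE_RE = re.compile(
    r"^(?P<pid>\d+)\s+(?P<proc>\S+)\s+(?P<base>0x[0-9a-fA-F]+)\s+"
    r"(?P<inload>True|False)\s+(?P<ininit>True|False)\s+(?P<inmem>True|False)\s*(?P<path>.*)$"
)


def parse_ldrmodules(text):
    """Return one dict per data row; header, separator and blank lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        rows.append({
            "pid": int(d["pid"]), "process": d["proc"], "base": int(d["base"], 16),
            "in_load": d["inload"] == "True", "in_init": d["ininit"] == "True",
            "in_mem": d["inmem"] == "True", "path": d["path"].strip(),
        })
    return rows


def classify(row):
    """List the reasons an entry deserves a closer look (empty list = nothing unusual)."""
    flags = []
    missing = [name for name, present in (("InLoad", row["in_load"]),
               ("InInit", row["in_init"]), ("InMem", row["in_mem"])) if not present]
    if not row["path"]:
        flags.append("no VAD file mapping (PEB lists a module the VAD does not back with a file)")
    if missing == ["InInit"] and row["path"].lower().endswith(row["process"].lower()):
        # The main executable is conventionally absent from InInit, so on its own this is
        # a lead to verify rather than proof of unlinking.
        flags.append("InInit False on main executable (weak indicator; verify)")
    elif missing:
        flags.append("unlinked from PEB list(s): " + ", ".join(missing))
    return flags


def suspicious_entries(text):
    """(process, base, reasons) for every flagged row in the plugin output."""
    return [(r["process"], hex(r["base"]), classify(r)) for r in parse_ldrmodules(text) if classify(r)]
```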
