4. Enumerating Processes

When you are investigating a memory image, you will mainly focus on identifying any suspicious process running on the system. There are various plugins in Volatility that allow you to enumerate processes. Volatility's pslist plugin lists the processes from the memory image, similar to how Task Manager lists the processes on a live system. In the following output, running the pslist plugin against a memory image infected with a malware sample (Perseus) shows two suspicious processes: svchost..exe (pid 3832) and suchost..exe (pid 3924). The reason why these two processes are suspicious is that their names have an additional dot character before the .exe extension (which is abnormal). On a clean system, you will find multiple instances of the svchost.exe process running. By creating processes such as svchost..exe and suchost..exe, the attacker is trying to blend in by making these processes look similar to the legitimate svchost.exe process:

$ python vol.py -f perseus.vmem --profile=Win7SP1x86 pslist
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- ----------- ---- ----- ---- ---- ---- ----- -------------------
0x84f4a8e8 System 4 0 88 475 ---- 0 2016-09-23 09:21:47
0x8637b020 smss.exe 272 4 2 29 ---- 0 2016-09-23 09:21:47
0x86c19310 csrss.exe 356 340 8 637 0 0 2016-09-23 09:21:49
0x86c13458 wininit.exe 396 340 3 75 0 0 2016-09-23 09:21:49
0x86e84a08 csrss.exe 404 388 9 191 1 0 2016-09-23 09:21:49
0x87684030 winlogon.exe 452 388 4 108 1 0 2016-09-23 09:21:49
0x86284228 services.exe 496 396 11 242 0 0 2016-09-23 09:21:49
0x876ab030 lsass.exe 504 396 9 737 0 0 2016-09-23 09:21:49
0x876d1a70 svchost.exe 620 496 12 353 0 0 2016-09-23 09:21:49
0x864d36a8 svchost.exe 708 496 6 302 0 0 2016-09-23 09:21:50
0x86b777c8 svchost.exe 760 496 24 570 0 0 2016-09-23 09:21:50
0x8772a030 svchost.exe 852 496 28 513 0 0 2016-09-23 09:21:50
0x87741030 svchost.exe 920 496 46 1054 0 0 2016-09-23 09:21:50
0x877ce3c0 spoolsv.exe 1272 496 15 338 0 0 2016-09-23 09:21:50
0x95a06a58 svchost.exe 1304 496 19 306 0 0 2016-09-23 09:21:50
0x8503f0e8 svchost..exe 3832 3712 11 303 0 0 2016-09-23 09:24:55
0x8508bb20 suchost..exe 3924 3832 11 252 0 0 2016-09-23 09:24:55
0x861d1030 svchost.exe 3120 496 12 311 0 0 2016-09-23 09:25:39

[......REMOVED..............]
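As an added example (not code from the book), the following Python script parses pslist output like the listing above and flags processes whose names are malformed or look like a core Windows process name, and processes whose parent is not the one that process should have. The pslist rows are embedded as constructed sample input copied from the output above; the allow-list of core process names, the expected-parent table (for example svchost.exe under services.exe) and the edit-distance threshold are assumptions that you would tune for the profile being examined.

```python
import re

# Constructed sample input: the pslist rows shown above, with the banner,
# header and separator lines kept to show that the parser skips them.
SAMPLE_PSLIST = """\
Volatility Foundation Volatility Framework 2.6
Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start
---------- ----------- ---- ----- ---- ---- ---- ----- -------------------
0x84f4a8e8 System 4 0 88 475 ---- 0 2016-09-23 09:21:47
0x8637b020 smss.exe 272 4 2 29 ---- 0 2016-09-23 09:21:47
0x86c19310 csrss.exe 356 340 8 637 0 0 2016-09-23 09:21:49
0x86c13458 wininit.exe 396 340 3 75 0 0 2016-09-23 09:21:49
0x86e84a08 csrss.exe 404 388 9 191 1 0 2016-09-23 09:21:49
0x87684030 winlogon.exe 452 388 4 108 1 0 2016-09-23 09:21:49
0x86284228 services.exe 496 396 11 242 0 0 2016-09-23 09:21:49
0x876ab030 lsass.exe 504 396 9 737 0 0 2016-09-23 09:21:49
0x876d1a70 svchost.exe 620 496 12 353 0 0 2016-09-23 09:21:49
0x864d36a8 svchost.exe 708 496 6 302 0 0 2016-09-23 09:21:50
0x86b777c8 svchost.exe 760 496 24 570 0 0 2016-09-23 09:21:50
0x8772a030 svchost.exe 852 496 28 513 0 0 2016-09-23 09:21:50
0x87741030 svchost.exe 920 496 46 1054 0 0 2016-09-23 09:21:50
0x877ce3c0 spoolsv.exe 1272 496 15 338 0 0 2016-09-23 09:21:50
0x95a06a58 svchost.exe 1304 496 19 306 0 0 2016-09-23 09:21:50
0x8503f0e8 svchost..exe 3832 3712 11 303 0 0 2016-09-23 09:24:55
0x8508bb20 suchost..exe 3924 3832 11 252 0 0 2016-09-23 09:24:55
0x861d1030 svchost.exe 3120 496 12 311 0 0 2016-09-23 09:25:39
"""

# One pslist data row; the Sess column is "----" for session-less processes.
ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-fA-F]+)\s+(?P<name>\S+)\s+(?P<pid>\d+)\s+(?P<ppid>\d+)"
    r"\s+(?P<thds>\d+)\s+(?P<hnds>\d+)\s+(?P<sess>\S+)\s+(?P<wow64>\d)"
    r"\s+(?P<start>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})"
)

# Assumption: a small allow-list of core Windows process names (not exhaustive).
KNOWN_NAMES = {
    "system", "smss.exe", "csrss.exe", "wininit.exe", "winlogon.exe",
    "services.exe", "lsass.exe", "lsm.exe", "svchost.exe", "spoolsv.exe",
    "explorer.exe",
}
# Assumption: expected parent for selected system processes on Windows 7.
EXPECTED_PARENT = {
    "svchost.exe": "services.exe",
    "lsass.exe": "wininit.exe",
    "services.exe": "wininit.exe",
}


def parse_pslist(text):
    """Parse pslist output into a list of dicts; lines that are not rows are ignored."""
    procs = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue
        rec = m.groupdict()
        for key in ("pid", "ppid", "thds", "hnds"):
            rec[key] = int(rec[key])
        procs.append(rec)
    return procs


def edit_distance(a, b):
    """Plain Levenshtein distance (insert, delete and substitute each cost 1)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def closest_known(name):
    """Return (known_name, distance) for the nearest allow-listed name."""
    return min(((k, edit_distance(name, k)) for k in KNOWN_NAMES), key=lambda t: t[1])


def find_suspicious(procs, max_distance=2):
    """Return {pid: [reasons]} for processes whose name or parent looks wrong."""
    by_pid = {p["pid"]: p for p in procs}
    findings = {}
    for p in procs:
        name = p["name"].lower()
        reasons = []
        # 1. Malformed name: consecutive dots, or more than one dot before the extension
        if ".." in name or name.count(".") > 1:
            reasons.append("malformed name (extra dot before extension)")
        # 2. Look-alike: not an allow-listed name, but within a few edits of one
        known, dist = closest_known(name)
        if name not in KNOWN_NAMES and dist <= max_distance:
            reasons.append("name resembles %s (edit distance %d)" % (known, dist))
        # 3. Wrong parent for the process it is, or is pretending to be
        expected = EXPECTED_PARENT.get(known if dist <= max_distance else name)
        if expected:
            parent = by_pid.get(p["ppid"])
            parent_name = parent["name"].lower() if parent else None
            if parent_name != expected:
                reasons.append("parent pid %d is %s, expected %s"
                               % (p["ppid"], parent_name or "not in list", expected))
        if reasons:
            findings[p["pid"]] = reasons
    return findings


if __name__ == "__main__":
    for pid, reasons in sorted(find_suspicious(parse_pslist(SAMPLE_PSLIST)).items()):
        print(pid, "; ".join(reasons))
```

Run against the sample, the script flags only pids 3832 and 3924: both names are malformed and within two edits of svchost.exe, svchost..exe has a parent (3712) that is not in the list at all, and suchost..exe is a child of svchost..exe rather than of services.exe, while every genuine svchost.exe instance passes because its parent is pid 496 (services.exe). The script only reasons about what pslist reports, so a process that is not in pslist's output cannot be flagged by it; that is one reason to understand how pslist builds its list before trusting it alone.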

Running a Volatility plugin is easy; you can run the plugin without knowing how it works. Understanding how the plugins work will help you assess the accuracy of the results, and it will also help you choose the right plugin when an attacker uses stealth techniques. The question is, how does pslist work? To understand that, you first need to understand what a process is and how the Windows kernel keeps track of processes.
