I try to retrieve information about machine, all running processes, threads, loaded drivers and dlls with full path from dump.
is it possible to find (reveal) hidden processes and injected threads (by rootkits or malware) which was hidden from explorer and AV?
I have small collection of old rootkits, some of them dont have own process - how it is possible to find symptoms of infection, like hooks and injected threads/code?
Currently I am using these commands and extensions to get information:
!process 0 0 , !process 0 7 or !sprocess -4 7
lm kv
!dml_proc
vertarget
!cpuid and !cpuinfo
!lmi
!handle (how to get list of all open files? like handle.exe -a do?)
can somebody suggest other ways to complete this task?
thanks
pav
Crash Dump Analysis and Debugging Forum
Exploring Crash Dumps and Debugging Techniques on Windows Platforms
finding malware with kernel memory dump
2 posts
• Page 1 of 1
finding malware with kernel memory dump
by pav » Mon Apr 28, 2008 3:08 pm
- pav
- Posts: 4
- Joined: Thu Apr 24, 2008 1:28 pm
Re: finding malware with kernel memory dump
by VDO » Wed Aug 13, 2008 12:29 am
.imgscan should work in kernel mode I believe.
also !chkimg should find deviations. This extension command has many options like -nospec although I haven't checked this
also !chkimg should find deviations. This extension command has many options like -nospec although I haven't checked this
- VDO
- Site Admin
- Posts: 552
- Joined: Mon May 01, 2006 10:34 am
- Location: Dublin, Ireland
2 posts
• Page 1 of 1
Return to Kernel and Complete memory dumps
Who is online
Users browsing this forum: No registered users and 0 guests