4. Enumerating Processes
When you are investigating a memory image, you will mainly focus on identifying any suspicious process running on the system. There are various plugins in Volatility that allow you to enumerate processes. Volatility's pslist
plugin lists the processes from the memory image, similar to how task manager lists the process on a live system. In the following output, running the pslist
plugin against a memory image infected with a malware sample (Perseus) shows two suspicious processes: svchost..exe
(pid 3832
) and suchost..exe
( pid 3924
). The reason why these two processes are suspicious is that the names of these processes have an additional dot character before the .exe
extension (which is abnormal). On a clean system, you will find multiple instances of svchost.exe
processes running. By creating a process such as svchost..exe
and suchost..exe
, the attacker is trying to blend in by making these processes look similar to the legitimate svchost.exe
process:
$ python vol...