Comments on [Archive of Volatility Labs]: MoVP 1.1 Logon Sessions, Processes, and Images
Blog author: Jamie Levy (http://www.blogger.com/profile/16089000750284843256)
Comments feed last updated: 2024-03-24T09:17:33.072-04:00

Comment by Chiradeep Chhaya (https://www.blogger.com/profile/15527620586475134166), 2012-09-12T05:06:45.050-04:00:

Excellent writeup, and very informative - as always!

"The ProcessList member can be used as an alternate process listing for processes that hide via conventional DKOM unlinking from PsActiveProcessHead"

Does _MM_SESSION_SPACE use the pointers to the process list and included processes, or can we still unlink a process from this list and retain only the forward

Comment by Michael Hale Ligh (https://www.blogger.com/profile/17377327006242921434), 2012-09-12T21:07:39.948-04:00:

Yes, _MM_SESSION_SPACE uses the pointers, but not in an OS-critical way. In other words, you can unlink a process from _EPROCESS.SessionProcessLinks without crashing the system. So the key would be to unlink from both ActiveProcessLinks (PsActiveProcessHead) and SessionProcessLinks to hide a little better. However, you'd still get detected by Volatility's psscan command and the various

Comment by Chiradeep Chhaya (https://www.blogger.com/profile/15527620586475134166), 2012-09-13T07:09:49.689-04:00:

Thanks - will also read through MoVP 1.3.

To you and to the rest of the volatility team, I think you've created a fantastic tool for OS deep dives. Between reading the Volatility plugin source code, your excellent book and Windows Internals, there's more than any number of university courses can teach about operating systems. Doesn't hurt at all that volatility provides for