add dump test 1
This commit is contained in:
parent
c8ce82e8a7
commit
8c642f6ba0
118
logs/dump_test/1/eprocess_lpusscan.csv
Normal file
118
logs/dump_test/1/eprocess_lpusscan.csv
Normal file
@ -0,0 +1,118 @@
|
||||
address,process,fullpath
|
||||
0xffff948957c6c080,svchost.exe,
|
||||
0xffff948957caa080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895ad15080,powershell.exe,
|
||||
0xffff94895ad1a080,CodeHelper.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe
|
||||
0xffff94895b394080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895ba28080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
|
||||
0xffff94895ba2b080,sppsvc.exe,\Windows\System32\sppsvc.exe
|
||||
0xffff94895ba433c0,audiodg.exe,\Windows\System32\audiodg.exe
|
||||
0xffff94895bb21380,powershell.exe,\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
|
||||
0xffff94895bb25080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
|
||||
0xffff94895bb28080,conhost.exe,\Windows\System32\conhost.exe
|
||||
0xffff94895bb8a080,conhost.exe,\Windows\System32\conhost.exe
|
||||
0xffff94895cbc9080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895ce98400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cea7080,MemCompression,
|
||||
0xffff94895ceb5380,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cec9080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cf2e3c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cf5c400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cf90400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895cf98400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e017440,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e02b380,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e072400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e077400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e0ce400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e0d8400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e1670c0,sqlwriter.exe,\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe
|
||||
0xffff94895e169380,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e16a080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e16b080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e16c080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e16d080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e170080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e171080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e172080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e174080,spoolsv.exe,\Windows\System32\spoolsv.exe
|
||||
0xffff94895e1780c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e38b080,WindowsInterna,\Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe
|
||||
0xffff94895e390080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e391080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e392080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e394080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e395080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e396080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895e3990c0,wlms.exe,\Windows\System32\wlms\wlms.exe
|
||||
0xffff94895e54e4c0,NisSrv.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe
|
||||
0xffff94895e929480,smartscreen.ex,\Windows\System32\smartscreen.exe
|
||||
0xffff94895e92a080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895e9412c0,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
|
||||
0xffff94895e9512c0,MsMpEng.exe,\ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe
|
||||
0xffff94895e970080,SearchUI.exe,\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
|
||||
0xffff94895eaaf440,sihost.exe,\Windows\System32\sihost.exe
|
||||
0xffff94895eaee480,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895eaf54c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895eaf84c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895eb4f080,svchost.exe,
|
||||
0xffff94895eb57380,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895eb5b4c0,taskhostw.exe,\Windows\System32\taskhostw.exe
|
||||
0xffff94895ebbd3c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895ebc2440,ctfmon.exe,\Windows\System32\ctfmon.exe
|
||||
0xffff94895ec48400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895ec5e080,userinit.exe,
|
||||
0xffff94895ec62080,explorer.exe,\Windows\explorer.exe
|
||||
0xffff94895ec70080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895ec77080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895ec934c0,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895eccc4c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895ece5080,dllhost.exe,\Windows\System32\dllhost.exe
|
||||
0xffff94895edca080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895edda080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895edf6080,StartMenuExper,\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
|
||||
0xffff94895ef1b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895efb9080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f089480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f118480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f119080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f122380,SearchIndexer.,\Windows\System32\SearchIndexer.exe
|
||||
0xffff94895f19e080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
|
||||
0xffff94895f2020c0,MicrosoftEdge.,\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
|
||||
0xffff94895f2074c0,ApplicationFra,\Windows\System32\ApplicationFrameHost.exe
|
||||
0xffff94895f267440,cmd.exe,\Windows\System32\cmd.exe
|
||||
0xffff94895f2c8080,SgrmBroker.exe,\Windows\System32\SgrmBroker.exe
|
||||
0xffff94895f2db080,SkypeBackgroun,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe
|
||||
0xffff94895f2dd080,SkypeApp.exe,\Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe
|
||||
0xffff94895f3be480,browser_broker,\Windows\System32\browser_broker.exe
|
||||
0xffff94895f3c5080,YourPhone.exe,\Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe
|
||||
0xffff94895f3ce400,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f419080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f449080,WinStore.App.e,\Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe
|
||||
0xffff94895f44b480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f4b1080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f4e5080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f4e9240,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
|
||||
0xffff94895f571480,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f5880c0,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff94895f58e080,VBoxTray.exe,\Windows\System32\VBoxTray.exe
|
||||
0xffff94895f5c7080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff94895f603080,MicrosoftEdgeS,\Windows\System32\MicrosoftEdgeSH.exe
|
||||
0xffff94895f7c7080,OneDrive.exe,\Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe
|
||||
0xffff94895f7c8080,SecurityHealth,\Windows\System32\SecurityHealthSystray.exe
|
||||
0xffff94895f7ca380,SecurityHealth,\Windows\System32\SecurityHealthService.exe
|
||||
0xffff94895fce60c0,backgroundTask,\Windows\System32\backgroundTaskHost.exe
|
||||
0xffff94895fdd2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895ffce080,MicrosoftEdgeC,
|
||||
0xffff94895ffe2080,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff94895ffef080,backgroundTask,\Windows\System32\backgroundTaskHost.exe
|
||||
0xffff94895fff2480,conhost.exe,\Windows\System32\conhost.exe
|
||||
0xffff9489600c50c0,Code.exe,\Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe
|
||||
0xffff9489600cf340,eprocess_scan.,\Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe
|
||||
0xffff9489602ec080,dllhost.exe,\Windows\System32\dllhost.exe
|
||||
0xffff9489602f0080,conhost.exe,
|
||||
0xffff9489602f5080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff9489603ca080,Windows.WARP.J,\Windows\System32\Windows.WARP.JITService.exe
|
||||
0xffff948960acc080,svchost.exe,\Windows\System32\svchost.exe
|
||||
0xffff948960ad3080,RuntimeBroker.,\Windows\System32\RuntimeBroker.exe
|
||||
0xffff9489610de080,MicrosoftEdgeC,\Windows\System32\MicrosoftEdgeCP.exe
|
|
121
logs/dump_test/1/eprocess_scan_log.txt
Normal file
121
logs/dump_test/1/eprocess_scan_log.txt
Normal file
@ -0,0 +1,121 @@
|
||||
PDB for Amd64, guid: e7477a03-a707-8050-cb79-36455ce346b5, age: 1
|
||||
|
||||
NtLoadDriver() -> 0x0
|
||||
pool: 0xffff948957c6c000 | eprocess: 0xffff948957c6c080 | | svchost.exe
|
||||
pool: 0xffff948957caa000 | eprocess: 0xffff948957caa080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895ad15000 | eprocess: 0xffff94895ad15080 | | powershell.exe
|
||||
pool: 0xffff94895ad1a000 | eprocess: 0xffff94895ad1a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\resources\app\out\vs\platform\files\node\watcher\win32\CodeHelper.exe | CodeHelper.exe
|
||||
pool: 0xffff94895b394000 | eprocess: 0xffff94895b394080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895ba28000 | eprocess: 0xffff94895ba28080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
|
||||
pool: 0xffff94895ba2b000 | eprocess: 0xffff94895ba2b080 | \Windows\System32\sppsvc.exe | sppsvc.exe
|
||||
pool: 0xffff94895ba43360 | eprocess: 0xffff94895ba433c0 | \Windows\System32\audiodg.exe | audiodg.exe
|
||||
pool: 0xffff94895bb21310 | eprocess: 0xffff94895bb21380 | \Windows\System32\WindowsPowerShell\v1.0\powershell.exe | powershell.exe
|
||||
pool: 0xffff94895bb25000 | eprocess: 0xffff94895bb25080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
|
||||
pool: 0xffff94895bb28000 | eprocess: 0xffff94895bb28080 | \Windows\System32\conhost.exe | conhost.exe
|
||||
pool: 0xffff94895bb8a000 | eprocess: 0xffff94895bb8a080 | \Windows\System32\conhost.exe | conhost.exe
|
||||
pool: 0xffff94895cbc9000 | eprocess: 0xffff94895cbc9080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895ce98390 | eprocess: 0xffff94895ce98400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cea7040 | eprocess: 0xffff94895cea7080 | | MemCompression
|
||||
pool: 0xffff94895ceb5310 | eprocess: 0xffff94895ceb5380 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cec9000 | eprocess: 0xffff94895cec9080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cf2e350 | eprocess: 0xffff94895cf2e3c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cf5c390 | eprocess: 0xffff94895cf5c400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cf90390 | eprocess: 0xffff94895cf90400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895cf98390 | eprocess: 0xffff94895cf98400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e0173c0 | eprocess: 0xffff94895e017440 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e02b310 | eprocess: 0xffff94895e02b380 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e072390 | eprocess: 0xffff94895e072400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e077390 | eprocess: 0xffff94895e077400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e0ce390 | eprocess: 0xffff94895e0ce400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e0d8390 | eprocess: 0xffff94895e0d8400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e167040 | eprocess: 0xffff94895e1670c0 | \Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe | sqlwriter.exe
|
||||
pool: 0xffff94895e169310 | eprocess: 0xffff94895e169380 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e16a000 | eprocess: 0xffff94895e16a080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e16b000 | eprocess: 0xffff94895e16b080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e16c000 | eprocess: 0xffff94895e16c080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e16d000 | eprocess: 0xffff94895e16d080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e170000 | eprocess: 0xffff94895e170080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e171000 | eprocess: 0xffff94895e171080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e172000 | eprocess: 0xffff94895e172080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e174000 | eprocess: 0xffff94895e174080 | \Windows\System32\spoolsv.exe | spoolsv.exe
|
||||
pool: 0xffff94895e178040 | eprocess: 0xffff94895e1780c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e38b000 | eprocess: 0xffff94895e38b080 | \Windows\SystemApps\InputApp_cw5n1h2txyewy\WindowsInternal.ComposableShell.Experiences.TextInput.InputApp.exe | WindowsInterna
|
||||
pool: 0xffff94895e390000 | eprocess: 0xffff94895e390080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e391000 | eprocess: 0xffff94895e391080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e392000 | eprocess: 0xffff94895e392080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e394000 | eprocess: 0xffff94895e394080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e395000 | eprocess: 0xffff94895e395080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e396000 | eprocess: 0xffff94895e396080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895e399040 | eprocess: 0xffff94895e3990c0 | \Windows\System32\wlms\wlms.exe | wlms.exe
|
||||
pool: 0xffff94895e54e450 | eprocess: 0xffff94895e54e4c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\NisSrv.exe | NisSrv.exe
|
||||
pool: 0xffff94895e929410 | eprocess: 0xffff94895e929480 | \Windows\System32\smartscreen.exe | smartscreen.ex
|
||||
pool: 0xffff94895e92a000 | eprocess: 0xffff94895e92a080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895e941250 | eprocess: 0xffff94895e9412c0 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
|
||||
pool: 0xffff94895e951230 | eprocess: 0xffff94895e9512c0 | \ProgramData\Microsoft\Windows Defender\Platform\4.18.2005.5-0\MsMpEng.exe | MsMpEng.exe
|
||||
pool: 0xffff94895e970000 | eprocess: 0xffff94895e970080 | \Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe | SearchUI.exe
|
||||
pool: 0xffff94895eaaf3b0 | eprocess: 0xffff94895eaaf440 | \Windows\System32\sihost.exe | sihost.exe
|
||||
pool: 0xffff94895eaee420 | eprocess: 0xffff94895eaee480 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895eaf5430 | eprocess: 0xffff94895eaf54c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895eaf8430 | eprocess: 0xffff94895eaf84c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895eb4f000 | eprocess: 0xffff94895eb4f080 | | svchost.exe
|
||||
pool: 0xffff94895eb57310 | eprocess: 0xffff94895eb57380 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895eb5b430 | eprocess: 0xffff94895eb5b4c0 | \Windows\System32\taskhostw.exe | taskhostw.exe
|
||||
pool: 0xffff94895ebbd340 | eprocess: 0xffff94895ebbd3c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895ebc23b0 | eprocess: 0xffff94895ebc2440 | \Windows\System32\ctfmon.exe | ctfmon.exe
|
||||
pool: 0xffff94895ec48380 | eprocess: 0xffff94895ec48400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895ec5e000 | eprocess: 0xffff94895ec5e080 | | userinit.exe
|
||||
pool: 0xffff94895ec62000 | eprocess: 0xffff94895ec62080 | \Windows\explorer.exe | explorer.exe
|
||||
pool: 0xffff94895ec70000 | eprocess: 0xffff94895ec70080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895ec77000 | eprocess: 0xffff94895ec77080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895ec93430 | eprocess: 0xffff94895ec934c0 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895eccc450 | eprocess: 0xffff94895eccc4c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895ece5000 | eprocess: 0xffff94895ece5080 | \Windows\System32\dllhost.exe | dllhost.exe
|
||||
pool: 0xffff94895edca000 | eprocess: 0xffff94895edca080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895edda000 | eprocess: 0xffff94895edda080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895edf6000 | eprocess: 0xffff94895edf6080 | \Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | StartMenuExper
|
||||
pool: 0xffff94895ef1b420 | eprocess: 0xffff94895ef1b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895efb9000 | eprocess: 0xffff94895efb9080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f089420 | eprocess: 0xffff94895f089480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f118420 | eprocess: 0xffff94895f118480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f119000 | eprocess: 0xffff94895f119080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f122310 | eprocess: 0xffff94895f122380 | \Windows\System32\SearchIndexer.exe | SearchIndexer.
|
||||
pool: 0xffff94895f19e000 | eprocess: 0xffff94895f19e080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
|
||||
pool: 0xffff94895f202040 | eprocess: 0xffff94895f2020c0 | \Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe | MicrosoftEdge.
|
||||
pool: 0xffff94895f207440 | eprocess: 0xffff94895f2074c0 | \Windows\System32\ApplicationFrameHost.exe | ApplicationFra
|
||||
pool: 0xffff94895f2673c0 | eprocess: 0xffff94895f267440 | \Windows\System32\cmd.exe | cmd.exe
|
||||
pool: 0xffff94895f2c8000 | eprocess: 0xffff94895f2c8080 | \Windows\System32\SgrmBroker.exe | SgrmBroker.exe
|
||||
pool: 0xffff94895f2db000 | eprocess: 0xffff94895f2db080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeBackgroundHost.exe | SkypeBackgroun
|
||||
pool: 0xffff94895f2dd000 | eprocess: 0xffff94895f2dd080 | \Program Files\WindowsApps\Microsoft.SkypeApp_14.56.102.0_x64__kzf8qxf38zg5c\SkypeApp.exe | SkypeApp.exe
|
||||
pool: 0xffff94895f3be420 | eprocess: 0xffff94895f3be480 | \Windows\System32\browser_broker.exe | browser_broker
|
||||
pool: 0xffff94895f3c5000 | eprocess: 0xffff94895f3c5080 | \Program Files\WindowsApps\Microsoft.YourPhone_1.20041.91.0_x64__8wekyb3d8bbwe\YourPhone.exe | YourPhone.exe
|
||||
pool: 0xffff94895f3ce390 | eprocess: 0xffff94895f3ce400 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f419000 | eprocess: 0xffff94895f419080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f449000 | eprocess: 0xffff94895f449080 | \Program Files\WindowsApps\Microsoft.WindowsStore_12005.1001.1.0_x64__8wekyb3d8bbwe\WinStore.App.exe | WinStore.App.e
|
||||
pool: 0xffff94895f44b420 | eprocess: 0xffff94895f44b480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f4b1000 | eprocess: 0xffff94895f4b1080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f4e5000 | eprocess: 0xffff94895f4e5080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f4e91d0 | eprocess: 0xffff94895f4e9240 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
|
||||
pool: 0xffff94895f571420 | eprocess: 0xffff94895f571480 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f588040 | eprocess: 0xffff94895f5880c0 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff94895f58e000 | eprocess: 0xffff94895f58e080 | \Windows\System32\VBoxTray.exe | VBoxTray.exe
|
||||
pool: 0xffff94895f5c7000 | eprocess: 0xffff94895f5c7080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff94895f603000 | eprocess: 0xffff94895f603080 | \Windows\System32\MicrosoftEdgeSH.exe | MicrosoftEdgeS
|
||||
pool: 0xffff94895f7c7000 | eprocess: 0xffff94895f7c7080 | \Users\User\AppData\Local\Microsoft\OneDrive\OneDrive.exe | OneDrive.exe
|
||||
pool: 0xffff94895f7c8000 | eprocess: 0xffff94895f7c8080 | \Windows\System32\SecurityHealthSystray.exe | SecurityHealth
|
||||
pool: 0xffff94895f7ca320 | eprocess: 0xffff94895f7ca380 | \Windows\System32\SecurityHealthService.exe | SecurityHealth
|
||||
pool: 0xffff94895fce6040 | eprocess: 0xffff94895fce60c0 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
|
||||
pool: 0xffff94895fdd2000 | eprocess: 0xffff94895fdd2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895ffce000 | eprocess: 0xffff94895ffce080 | | MicrosoftEdgeC
|
||||
pool: 0xffff94895ffe2000 | eprocess: 0xffff94895ffe2080 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff94895ffef000 | eprocess: 0xffff94895ffef080 | \Windows\System32\backgroundTaskHost.exe | backgroundTask
|
||||
pool: 0xffff94895fff2400 | eprocess: 0xffff94895fff2480 | \Windows\System32\conhost.exe | conhost.exe
|
||||
pool: 0xffff9489600c5040 | eprocess: 0xffff9489600c50c0 | \Users\User\AppData\Local\Programs\Microsoft VS Code\Code.exe | Code.exe
|
||||
pool: 0xffff9489600cf2b0 | eprocess: 0xffff9489600cf340 | \Users\User\Desktop\lpus-0.3-alpha\target\release\eprocess_scan.exe | eprocess_scan.
|
||||
pool: 0xffff9489602ec000 | eprocess: 0xffff9489602ec080 | \Windows\System32\dllhost.exe | dllhost.exe
|
||||
pool: 0xffff9489602f0000 | eprocess: 0xffff9489602f0080 | | conhost.exe
|
||||
pool: 0xffff9489602f5000 | eprocess: 0xffff9489602f5080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff9489603ca000 | eprocess: 0xffff9489603ca080 | \Windows\System32\Windows.WARP.JITService.exe | Windows.WARP.J
|
||||
pool: 0xffff948960acc000 | eprocess: 0xffff948960acc080 | \Windows\System32\svchost.exe | svchost.exe
|
||||
pool: 0xffff948960ad3000 | eprocess: 0xffff948960ad3080 | \Windows\System32\RuntimeBroker.exe | RuntimeBroker.
|
||||
pool: 0xffff9489610de000 | eprocess: 0xffff9489610de080 | \Windows\System32\MicrosoftEdgeCP.exe | MicrosoftEdgeC
|
||||
NtUnloadDriver() -> 0x0
|
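--- a/logs/dump_test/1/eprocess_to_csv.py
+++ b/logs/dump_test/1/eprocess_to_csv.py
@@ -0,0 +1,29 @@
+import re
+import csv
+
+vp = re.compile(r'^(0x[0-9a-f]+)\s+(.{15})\s+\d+\s+\d+.*$')
+
+vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('eprocess_volscan.txt', 'r').read().split('\n'))))
+
+with open('eprocess_volscan.csv', 'w', newline='') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'process'])
+    for v in vol:
+        a, b = list(v)
+        a = hex(int(a, 16) + 0xffff000000000000)
+        b = b.rstrip(' ')
+        writer.writerow([a, b])
+
+
+# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
+
+lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| eprocess: (0x[0-9a-f]+) \| ([^|]*) \| (.*)$',
+    open('eprocess_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
+
+with open('eprocess_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'process', 'fullpath'])
+    for v in lpus:
+        a, b, c = list(v.groups())
+        writer.writerow([a, c, b])
+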
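Review bot: Both input files are opened inline without a context manager, in `vol = map(... open('eprocess_volscan.txt', 'r') ...)` and inside the `re.finditer(..., open('eprocess_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)` call, so the handles are released only when the garbage collector gets to them, and the first open has no explicit encoding while the second does, so a Volatility listing with a non-ASCII process name decodes differently depending on the platform locale. Reading each file up front with `with open('eprocess_volscan.txt', encoding='utf-8') as src:` / `vol_text = src.read()` (and the same for the scan log) removes both issues; logs/dump_test/1/file_to_csv.py in this commit has the same pattern. The `+ 0xffff000000000000` rebase deserves a comment such as `# Volatility's Offset(P) column shows the upper 16 bits as zero; restore them so the address matches the LPUS eprocess column`, and `|` instead of `+` would keep it correct if an input ever already carried those bits. The commented-out `lp` pattern matches file objects, not eprocess lines, and looks like a leftover from the file-scan script.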
75
logs/dump_test/1/eprocess_volscan.csv
Normal file
75
logs/dump_test/1/eprocess_volscan.csv
Normal file
@ -0,0 +1,75 @@
|
||||
address,process
|
||||
0xffff948957c67080,VBoxService.ex
|
||||
0xffff948957c6c080,svchost.exe
|
||||
0xffff948957caa080,svchost.exe
|
||||
0xffff948957ce3080,svchost.exe
|
||||
0xffff948957d1b080,svchost.exe
|
||||
0xffff948957ddf040,Registry
|
||||
0xffff94895ac79400,smss.exe
|
||||
0xffff94895ad15080,powershell.exe
|
||||
0xffff94895b0452c0,csrss.exe
|
||||
0xffff94895ba28080,MicrosoftEdgeC
|
||||
0xffff94895bb25080,MicrosoftEdgeC
|
||||
0xffff94895bdb0080,winlogon.exe
|
||||
0xffff94895bdf51c0,services.exe
|
||||
0xffff94895ca5f280,fontdrvhost.ex
|
||||
0xffff94895ca6a280,fontdrvhost.ex
|
||||
0xffff94895ca70380,svchost.exe
|
||||
0xffff94895caf6400,svchost.exe
|
||||
0xffff94895cb3a380,svchost.exe
|
||||
0xffff94895cbd8400,svchost.exe
|
||||
0xffff94895cc15440,svchost.exe
|
||||
0xffff94895cc223c0,svchost.exe
|
||||
0xffff94895cc5b380,svchost.exe
|
||||
0xffff94895ccae400,svchost.exe
|
||||
0xffff94895cdac400,svchost.exe
|
||||
0xffff94895cdae400,svchost.exe
|
||||
0xffff94895ce19400,svchost.exe
|
||||
0xffff94895ce1b080,svchost.exe
|
||||
0xffff94895ce98400,svchost.exe
|
||||
0xffff94895cea7080,MemCompression
|
||||
0xffff94895ceb5380,svchost.exe
|
||||
0xffff94895cf2e3c0,svchost.exe
|
||||
0xffff94895cf90400,svchost.exe
|
||||
0xffff94895cf98400,svchost.exe
|
||||
0xffff94895e017440,svchost.exe
|
||||
0xffff94895e02b380,svchost.exe
|
||||
0xffff94895e077400,svchost.exe
|
||||
0xffff94895e0ce400,svchost.exe
|
||||
0xffff94895e0d8400,svchost.exe
|
||||
0xffff94895e169380,svchost.exe
|
||||
0xffff94895e171080,svchost.exe
|
||||
0xffff94895e391080,SearchProtocol
|
||||
0xffff94895e54e4c0,NisSrv.exe
|
||||
0xffff94895e929480,smartscreen.ex
|
||||
0xffff94895e9412c0,Windows.WARP.J
|
||||
0xffff94895e9512c0,MsMpEng.exe
|
||||
0xffff94895e970080,SearchUI.exe
|
||||
0xffff94895eaaf440,sihost.exe
|
||||
0xffff94895eaee480,svchost.exe
|
||||
0xffff94895eaf54c0,svchost.exe
|
||||
0xffff94895eaf84c0,svchost.exe
|
||||
0xffff94895eb5b4c0,taskhostw.exe
|
||||
0xffff94895ebbd3c0,svchost.exe
|
||||
0xffff94895ebc2440,ctfmon.exe
|
||||
0xffff94895ec5e080,userinit.exe
|
||||
0xffff94895eccc4c0,Code.exe
|
||||
0xffff94895ece5080,dllhost.exe
|
||||
0xffff94895edf6080,StartMenuExper
|
||||
0xffff94895ef1b480,RuntimeBroker.
|
||||
0xffff94895f2074c0,ApplicationFra
|
||||
0xffff94895f2dd080,SkypeApp.exe
|
||||
0xffff94895f3be480,browser_broker
|
||||
0xffff94895f3c5080,YourPhone.exe
|
||||
0xffff94895f3ce400,svchost.exe
|
||||
0xffff94895f449080,WinStore.App.e
|
||||
0xffff94895f44b480,RuntimeBroker.
|
||||
0xffff94895f4e9240,MicrosoftEdgeC
|
||||
0xffff94895f571480,RuntimeBroker.
|
||||
0xffff94895f7ca380,SecurityHealth
|
||||
0xffff94895ffce080,MicrosoftEdgeC
|
||||
0xffff94895fff2480,conhost.exe
|
||||
0xffff9489600c50c0,Code.exe
|
||||
0xffff9489602ec080,dllhost.exe
|
||||
0xffff9489603ca080,Windows.WARP.J
|
||||
0xffff948960acc080,svchost.exe
|
|
77
logs/dump_test/1/eprocess_volscan.txt
Normal file
77
logs/dump_test/1/eprocess_volscan.txt
Normal file
@ -0,0 +1,77 @@
|
||||
Volatility Foundation Volatility Framework 2.6.1
|
||||
Offset(P) Name PID PPID PDB Time created Time exited
|
||||
------------------ ---------------- ------ ------ ------------------ ------------------------------ ------------------------------
|
||||
0x0000948957c67080 VBoxService.ex 1604 596 0x00000000205e9002 2020-06-04 20:20:35 UTC+0000
|
||||
0x0000948957c6c080 svchost.exe 6904 596 0x0000000009506002 2020-06-04 06:25:45 UTC+0000 2020-06-04 06:27:55 UTC+0000
|
||||
0x0000948957caa080 svchost.exe 6448 596 0x000000006a7bc002 2020-06-04 06:21:12 UTC+0000
|
||||
0x0000948957ce3080 svchost.exe 1508 596 0x000000001ff45002 2020-06-04 20:20:35 UTC+0000
|
||||
0x0000948957d1b080 svchost.exe 1444 596 0x000000001e3b9002 2020-06-04 20:20:35 UTC+0000
|
||||
0x0000948957ddf040 Registry 68 4 0x0000000000341002 2020-06-04 20:20:13 UTC+0000
|
||||
0x000094895ac79400 smss.exe 324 4 0x0000000101742002 2020-06-04 20:20:19 UTC+0000
|
||||
0x000094895ad15080 powershell.exe 408 1060 0x00000000b5241002 2020-06-04 07:19:20 UTC+0000 2020-06-04 07:20:22 UTC+0000
|
||||
0x000094895b0452c0 csrss.exe 416 408 0x0000000002e84002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895ba28080 MicrosoftEdgeC 1436 772 0x000000011866b002 2020-06-04 07:16:47 UTC+0000
|
||||
0x000094895bb25080 MicrosoftEdgeC 2776 772 0x00000000d2641002 2020-06-04 07:16:57 UTC+0000
|
||||
0x000094895bdb0080 winlogon.exe 544 480 0x0000000001add002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895bdf51c0 services.exe 596 488 0x0000000016c16002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895ca5f280 fontdrvhost.ex 680 544 0x0000000019366002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895ca6a280 fontdrvhost.ex 688 488 0x0000000015d1b002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895ca70380 svchost.exe 708 596 0x0000000017338002 2020-06-04 20:20:33 UTC+0000
|
||||
0x000094895caf6400 svchost.exe 824 596 0x0000000019ad0002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cb3a380 svchost.exe 876 596 0x000000001a2b4002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cbd8400 svchost.exe 384 596 0x000000001950d002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cc15440 svchost.exe 420 596 0x000000001c315002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cc223c0 svchost.exe 592 596 0x000000001c549002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cc5b380 svchost.exe 1064 596 0x000000001d1a4002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895ccae400 svchost.exe 1148 596 0x000000001ddbf002 2020-06-04 20:20:34 UTC+0000
|
||||
0x000094895cdac400 svchost.exe 1372 596 0x000000001ca24002 2020-06-04 20:20:35 UTC+0000
|
||||
0x000094895cdae400 svchost.exe 1452 596 0x00000000206dd002 2020-06-04 20:20:35 UTC+0000
|
||||
0x000094895ce19400 svchost.exe 1632 596 0x0000000023c4f002 2020-06-04 20:20:35 UTC+0000
|
||||
0x000094895ce1b080 svchost.exe 1640 596 0x0000000022b39002 2020-06-04 20:20:35 UTC+0000
|
||||
0x000094895ce98400 svchost.exe 1772 596 0x0000000020e71002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895cea7080 MemCompression 1812 4 0x00000000236f8002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895ceb5380 svchost.exe 1868 596 0x0000000025c34002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895cf2e3c0 svchost.exe 1936 596 0x0000000024179002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895cf90400 svchost.exe 1660 596 0x0000000022790002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895cf98400 svchost.exe 1352 596 0x0000000025171002 2020-06-04 06:20:37 UTC+0000
|
||||
0x000094895e017440 svchost.exe 2088 596 0x0000000021120002 2020-06-04 06:20:38 UTC+0000
|
||||
0x000094895e02b380 svchost.exe 2128 596 0x0000000027d28002 2020-06-04 06:20:38 UTC+0000
|
||||
0x000094895e077400 svchost.exe 2160 596 0x0000000025ec9002 2020-06-04 06:20:38 UTC+0000
|
||||
0x000094895e0ce400 svchost.exe 2208 596 0x00000000260c0002 2020-06-04 06:20:38 UTC+0000
|
||||
0x000094895e0d8400 svchost.exe 2232 596 0x000000002652a002 2020-06-04 06:20:38 UTC+0000
|
||||
0x000094895e169380 svchost.exe 2928 596 0x000000002e054002 2020-06-04 06:20:39 UTC+0000
|
||||
0x000094895e171080 svchost.exe 2684 596 0x000000002ad7c002 2020-06-04 06:20:39 UTC+0000
|
||||
0x000094895e391080 SearchProtocol 1648 5160 0x000000009b248002 2020-06-04 07:26:11 UTC+0000
|
||||
0x000094895e54e4c0 NisSrv.exe 2016 596 0x00000000b4eff002 2020-06-04 06:28:41 UTC+0000
|
||||
0x000094895e929480 smartscreen.ex 3256 772 0x00000000c11d6002 2020-06-04 07:16:27 UTC+0000
|
||||
0x000094895e9412c0 Windows.WARP.J 5712 5580 0x00000000c0f76002 2020-06-04 07:16:26 UTC+0000
|
||||
0x000094895e9512c0 MsMpEng.exe 4676 596 0x0000000044f09002 2020-06-04 06:28:33 UTC+0000
|
||||
0x000094895e970080 SearchUI.exe 4692 772 0x0000000057496002 2020-06-04 06:21:01 UTC+0000
|
||||
0x000094895eaaf440 sihost.exe 432 1292 0x0000000043c29002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895eaee480 svchost.exe 1588 596 0x0000000043ecd002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895eaf54c0 svchost.exe 3152 596 0x0000000045d46002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895eaf84c0 svchost.exe 3672 596 0x00000000465a3002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895eb5b4c0 taskhostw.exe 4124 1064 0x0000000046bc4002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895ebbd3c0 svchost.exe 4232 596 0x000000004306e002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895ebc2440 ctfmon.exe 4300 4232 0x0000000041c8c002 2020-06-04 06:20:50 UTC+0000
|
||||
0x000094895ec5e080 userinit.exe 4400 544 0x0000000046ed7002 2020-06-04 06:20:51 UTC+0000 2020-06-04 06:21:20 UTC+0000
|
||||
0x000094895eccc4c0 Code.exe 6968 3736 0x00000000bb0c4002 2020-06-04 07:19:16 UTC+0000
|
||||
0x000094895ece5080 dllhost.exe 4648 772 0x00000000502b5002 2020-06-04 06:20:53 UTC+0000
|
||||
0x000094895edf6080 StartMenuExper 4972 772 0x0000000053638002 2020-06-04 06:21:00 UTC+0000
|
||||
0x000094895ef1b480 RuntimeBroker. 5092 772 0x0000000056e70002 2020-06-04 06:21:00 UTC+0000
|
||||
0x000094895f2074c0 ApplicationFra 5336 772 0x000000005c223002 2020-06-04 06:21:04 UTC+0000
|
||||
0x000094895f2dd080 SkypeApp.exe 5412 772 0x000000005fea5002 2020-06-04 06:21:05 UTC+0000
|
||||
0x000094895f3be480 browser_broker 5544 772 0x0000000060a28002 2020-06-04 06:21:05 UTC+0000
|
||||
0x000094895f3c5080 YourPhone.exe 5588 772 0x000000006315e002 2020-06-04 06:21:05 UTC+0000
|
||||
0x000094895f3ce400 svchost.exe 5580 596 0x0000000063376002 2020-06-04 06:21:05 UTC+0000
|
||||
0x000094895f449080 WinStore.App.e 5952 772 0x00000001142d1002 2020-06-04 06:22:36 UTC+0000
|
||||
0x000094895f44b480 RuntimeBroker. 5860 772 0x0000000061748002 2020-06-04 06:21:06 UTC+0000
|
||||
0x000094895f4e9240 MicrosoftEdgeC 6048 772 0x0000000063ba6002 2020-06-04 06:21:07 UTC+0000
|
||||
0x000094895f571480 RuntimeBroker. 6908 772 0x000000006dcb1002 2020-06-04 06:21:16 UTC+0000
|
||||
0x000094895f7ca380 SecurityHealth 2248 596 0x000000006f4ba002 2020-06-04 06:21:21 UTC+0000
|
||||
0x000094895ffce080 MicrosoftEdgeC 3288 772 0x00000000bd993002 2020-06-04 07:16:41 UTC+0000 2020-06-04 07:19:52 UTC+0000
|
||||
0x000094895fff2480 conhost.exe 5696 1892 0x0000000058bc3002 2020-06-04 07:19:49 UTC+0000
|
||||
0x00009489600c50c0 Code.exe 1060 3736 0x000000003859d002 2020-06-04 07:19:17 UTC+0000
|
||||
0x00009489602ec080 dllhost.exe 4156 772 0x000000009589c002 2020-06-04 07:16:29 UTC+0000
|
||||
0x00009489603ca080 Windows.WARP.J 7068 5580 0x00000000bb4da002 2020-06-04 07:16:48 UTC+0000
|
||||
0x0000948960acc080 svchost.exe 3204 596 0x00000000c4173002 2020-06-04 07:19:47 UTC+0000
|
16450
logs/dump_test/1/file_lpusscan.csv
Normal file
16450
logs/dump_test/1/file_lpusscan.csv
Normal file
32903
logs/dump_test/1/file_scan_log.txt
Normal file
32903
logs/dump_test/1/file_scan_log.txt
Normal file
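--- a/logs/dump_test/1/file_to_csv.py
+++ b/logs/dump_test/1/file_to_csv.py
@@ -0,0 +1,29 @@
+import re
+import csv
+
+vp = re.compile(r'(0x[0-9a-f]+)\s+\d+\s+[01]\s+[RWDrwd-]+\s+(.*)')
+
+vol = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
+
+with open('file_volscan.csv', 'w', newline='') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'file'])
+    for v in vol:
+        a, b = list(v)
+        a = hex(int(a, 16) + 0xffff000000000000)
+        writer.writerow([a, b])
+
+
+# lp = re.compile(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$', re.MULTILINE)
+
+lpus = map(lambda x: x.group(1, 2), filter(lambda x: x is not None, map(vp.match, open('file_volscan.txt', 'r').read().split('\n'))))
+
+lpus = re.finditer(r'pool: 0x[0-9a-f]+ \| file object: (0x[0-9a-f]+) \| offsetby: 0x[0-9a-f]+\s+(.*)$',
+                   open('file_scan_log.txt', 'r', encoding='utf-8').read(), re.MULTILINE)
+
+with open('file_lpusscan.csv', 'w', newline='', encoding='utf-8') as f:
+    writer = csv.writer(f)
+    writer.writerow(['address', 'file'])
+    for v in lpus:
+        a, b = list(v.groups())
+        writer.writerow([a, b])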
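Review bot: The first `lpus = map(... open('file_volscan.txt', 'r') ...)` assignment is dead code — it re-reads file_volscan.txt through the volscan regex and is overwritten by the `re.finditer` assignment two lines later — so it should simply be deleted. The three inline `open(...)` calls (the `vol` line, the dead `lpus` line and the `file_scan_log.txt` read) are never closed; read each file once inside a context manager, e.g. `with open('file_scan_log.txt', encoding='utf-8') as log:` / `    lpus = re.finditer(<same pattern>, log.read(), re.MULTILINE)`, and read file_volscan.txt the same way. The `+ 0xffff000000000000` adjustment is what makes the two csv files comparable and deserves a comment: `# Volatility prints the low 48 bits (0x000094895f...); restore the kernel-space high bits so the column matches the 0xffff9489... addresses LPUS writes`. Note that only the volscan writer normalises addresses through hex(); the lpusscan writer copies the matched text verbatim, so if the LPUS log ever used a different case or width the later isin() comparison in stat.py would silently report every row as a miss.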
7896
logs/dump_test/1/file_volscan.csv
Normal file
7896
logs/dump_test/1/file_volscan.csv
Normal file
File diff suppressed because it is too large
7921
logs/dump_test/1/file_volscan.txt
Normal file
7921
logs/dump_test/1/file_volscan.txt
Normal file
File diff suppressed because it is too large
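--- a/logs/dump_test/1/stat.py
+++ b/logs/dump_test/1/stat.py
@@ -0,0 +1,50 @@
+import pandas as pd
+
+elpus = pd.read_csv('eprocess_lpusscan.csv')
+flpus = pd.read_csv('file_lpusscan.csv', encoding='utf-8')
+
+evol = pd.read_csv('eprocess_volscan.csv')
+fvol = pd.read_csv('file_volscan.csv')
+
+print('''
+A simple statistics for LPUS and Volatility
+
+Environment: Windows 10 2019 (build number 18362) on VirtualBox
+RAM: 4GB
+
+> The VM is downloaded through Microsoft
+
+LPUS scan _EPROCESS and _FILE_OBJECT.
+The scan time: approximate 5 minutes.
+
+After that, use VirtualBox command to generate the memory image
+
+> "C:\Program Files\Oracle\VirtualBox\VBoxManage.exe" debugvm "<name>" dumpvmcore --filename "/path/to/<name>.elf"
+
+Volatility version is at 5f685e5
+
+> The latest release of Volatility doesn't have support for Windows build no. 18362
+
+Then compare the log from LPUS and the two volatility command with profile Win10x64_18362:
+- psscan to scan _EPROCESS, approximate 30 minutes
+- filescan to scan _EPROCESS, approximate 2-3 hours
+
+(The log file is then converted to csv files, see 'eprocess_to_csv.py' and 'file_to_csv.py')
+
+''')
+
+print('==================================================')
+
+print('_EPROCESS')
+print('lpus scan: ', elpus['address'].shape, 'results')
+print('volatility scan: ', evol['address'].shape, 'results')
+print('volatility scan misses lpus: ', elpus['address'][~elpus['address'].isin(evol['address'])].shape, 'results')
+print('lpus scan misses volatility: ', evol['address'][~evol['address'].isin(elpus['address'])].shape, 'results')
+
+print('==================================================')
+
+print('_FILE_OBJECT')
+print('lpus scan: ', flpus['address'].shape, 'results')
+print('volatility scan: ', fvol['address'].shape, 'results')
+print('volatility scan misses lpus: ', flpus['address'][~flpus['address'].isin(fvol['address'])].shape, 'results')
+print('lpus scan misses volatility: ', fvol['address'][~fvol['address'].isin(flpus['address'])].shape, 'results')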
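Review bot: The banner line `- filescan to scan _EPROCESS, approximate 2-3 hours` is wrong — filescan enumerates `_FILE_OBJECT`, which is what the second block of this script compares — so it should read `- filescan to scan _FILE_OBJECT, approximate 2-3 hours`. Each `print(..., x.shape, 'results')` prints a tuple such as `(118,)` rather than a count; `len(elpus['address'])` (or `.size`) reads as a number, and the same applies to all eight result lines. The `isin()` comparisons are exact string matches, so they only work because file_to_csv.py (and presumably eprocess_to_csv.py, which is not in this commit view) rewrites the Volatility addresses with the kernel-space high bits while copying the LPUS addresses verbatim; a one-line comment above the `_EPROCESS` block stating that both csv files must carry the same 0xffff... 16-digit form would save the next reader from a silent all-miss result. The script also has no module docstring and the printed banner is its only description; a short docstring naming the four input csv files and which converter produces each would help.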