
Name – Shiva Singh

Roll – 2041018

Degree – M.tech (IS)

Subject – Malware Analysis(CS410245)

In this assignment I have used the xp-laptop-2005-06-25.img image.

1. PSLIST

When investigating a memory image, we mainly focus on identifying any
suspicious process that was running on the system. Several plugins
enumerate processes. pslist lists the processes from the memory image much
as Task Manager lists them on a live system: it walks the kernel's doubly
linked list of active _EPROCESS structures, so a process that has exited or
has been unlinked from that list does not appear. Nothing looks suspicious
in this output, as the process names are the expected ones. A correct name
on its own is not proof, however, since malware can reuse the name of a
legitimate binary; the image path (dlllist) and the parent process (pstree)
should be checked as well.
2. PSSCAN

It also lists the processes in the system, but instead of walking the
active process list it scans physical memory for pool allocations tagged as
_EPROCESS objects. psscan therefore also shows terminated processes and
processes that have been unlinked from the list, which is exactly the
technique malware uses to hide from users and antivirus programs. In that
sense it is more thorough than pslist (and than pstree, which is built on
pslist); comparing the psscan and pslist outputs is the basic check for
hidden processes.

3. PSTREE

It displays the parent/child process relationships by taking the output of
pslist and formatting it as a tree, indented by depth with one dot per
level. Since it relies on pslist, it cannot show hidden or terminated
processes.

In the following output we can see that System is the root of the tree,
smss.exe is its child, winlogon.exe is a child of smss.exe, and so on.
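To make the tree construction concrete, here is an added example (written for this page, not part of the original assignment or of Volatility) that rebuilds pstree's view from pslist-style rows and additionally checks that the core XP processes have the parent the boot chain should give them. The pslist rows, PIDs and offsets are constructed sample data, not values from the image, and the EXPECTED_PARENT table is an assumed lineage used as a triage rule.

```python
# Added example: rebuild pstree's parent/child view from pslist-style output and
# check the parent of core Windows XP processes. Sample rows are constructed.
from collections import defaultdict

PSLIST_SAMPLE = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start                          Exit
---------- -------------------- ------ ------ ------ -------- ------ ------ ------------------------------ ------------------------------
0x823c89c8 System                    4      0     53      240 ------      0
0x822f1020 smss.exe                368      4      3       19 ------      0 2005-06-25 16:47:28 UTC+0000
0x822a0da0 csrss.exe               584    368      9      326      0      0 2005-06-25 16:47:31 UTC+0000
0x82298700 winlogon.exe            608    368     23      519      0      0 2005-06-25 16:47:32 UTC+0000
0x8227c020 services.exe            652    608     16      261      0      0 2005-06-25 16:47:32 UTC+0000
0x8226f3a0 lsass.exe               664    608     21      339      0      0 2005-06-25 16:47:32 UTC+0000
0x8221f4c0 svchost.exe             840    652     19      205      0      0 2005-06-25 16:47:33 UTC+0000
0x821f0c40 explorer.exe           1412   1380     14      394      0      0 2005-06-25 16:47:40 UTC+0000
0x821a6540 cmd.exe                2160   1412      1       30      0      0 2005-06-25 16:52:01 UTC+0000
"""

# Assumed expected lineage for the XP boot chain, used as a triage check.
EXPECTED_PARENT = {
    "smss.exe": "System",
    "csrss.exe": "smss.exe",
    "winlogon.exe": "smss.exe",
    "services.exe": "winlogon.exe",
    "lsass.exe": "winlogon.exe",
    "svchost.exe": "services.exe",
}


def parse_pslist(text):
    """Return {pid: (name, ppid)} from pslist output; header/separator lines skipped."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        fields = line.split()
        procs[int(fields[2])] = (fields[1], int(fields[3]))
    return procs


def build_tree(procs):
    """Return (children map, roots). A root is a pid whose parent is not in the listing."""
    children = defaultdict(list)
    roots = []
    for pid, (_name, ppid) in procs.items():
        if ppid in procs:
            children[ppid].append(pid)
        else:
            roots.append(pid)  # PID 0, or a parent that has already exited
    return children, sorted(roots)


def render_tree(procs, children, pid, depth=0):
    """pstree-style lines: one dot per depth level, then 'name pid ppid'."""
    name, ppid = procs[pid]
    lines = ["." * depth + f" {name} {pid} {ppid}"]
    for child in sorted(children.get(pid, [])):
        lines.extend(render_tree(procs, children, child, depth + 1))
    return lines


def check_lineage(procs):
    """Return (name, pid, actual_parent, expected_parent) for every core process
    whose parent is not the one EXPECTED_PARENT says it should have."""
    findings = []
    for pid, (name, ppid) in procs.items():
        expected = EXPECTED_PARENT.get(name)
        if expected is None:
            continue
        actual = procs.get(ppid, ("<missing>", None))[0]
        if actual != expected:
            findings.append((name, pid, actual, expected))
    return findings


if __name__ == "__main__":
    procs = parse_pslist(PSLIST_SAMPLE)
    children, roots = build_tree(procs)
    for root in roots:
        print("\n".join(render_tree(procs, children, root)))
    for finding in check_lineage(procs):
        print("lineage anomaly:", finding)
```

explorer.exe shows up as a second root because its parent (userinit.exe, which exits after logon) is no longer in the listing; that is normal and is why a missing parent by itself is not an alarm, whereas a core process hanging off an unexpected parent is.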
4. PSXVIEW

The psxview plugin cross-references several independent ways of finding
processes (pslist, psscan, thrdproc, pspcid, csrss, session, deskthrd) and
prints one column per source, True or False, for every process, along with
an ExitTime column. In the following output we can see which source found
which process. For example, cmd.exe is present in psscan but not in pslist,
pspcid or session. A process seen only by psscan with an ExitTime set is
usually a terminated process whose _EPROCESS has not yet been overwritten;
a process absent from pslist but still seen by thrdproc or pspcid with no
ExitTime is the pattern of a process hidden by unlinking, and needs
investigation.
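The following added example (written for this page, not part of the assignment or of Volatility) applies that reasoning to psxview-style rows: it parses the True/False columns and sorts each process into ok, terminated, hidden or review. The rows, names and PIDs are constructed to show each case; the KNOWN_GAPS table encodes the assumption that csrss cannot see itself, System or smss, and that System has no session or desktop, which is the same idea as psxview's --apply-rules option.

```python
# Added example: triage psxview rows by which enumeration sources saw each process.
# All rows below are constructed sample data, not output from the image.
PSXVIEW_SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x023c89c8 System                    4 True   True   True     True   False False   False
0x022a0da0 csrss.exe               584 True   True   True     True   False True    True
0x0221f4c0 svchost.exe             840 True   True   True     True   True  True    True
0x021a6540 cmd.exe                2160 False  True   False    False  False False   False    2005-06-25 16:55:12 UTC+0000
0x02105020 nc.exe                 1744 False  True   True     True   True  True    True
"""

SOURCES = ["pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd"]

# Assumed legitimate gaps: sources that are expected to miss these processes.
KNOWN_GAPS = {
    "System": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}


def parse_psxview(text):
    """Return one dict per process row: name, pid, seen (source -> bool), exit time."""
    rows = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        f = line.split()
        seen = {src: (val == "True") for src, val in zip(SOURCES, f[3:10])}
        exit_time = " ".join(f[10:]) if len(f) > 10 else ""
        rows.append({"name": f[1], "pid": int(f[2]), "seen": seen, "exit": exit_time})
    return rows


def classify(row):
    """ok: every source that should see it does.
    terminated: only pool scanning finds it and an ExitTime is recorded.
    hidden: unlinked from the active list but threads/handles still reference it.
    review: any other inconsistency."""
    seen = row["seen"]
    missing = {s for s, v in seen.items() if not v} - KNOWN_GAPS.get(row["name"], set())
    if not missing:
        return "ok"
    if seen["psscan"] and not seen["pslist"]:
        if row["exit"]:
            return "terminated"
        if seen["thrdproc"] or seen["pspcid"] or seen["csrss"]:
            return "hidden"
    return "review"


def triage(text):
    """Map pid -> classification for a whole psxview output."""
    return {r["pid"]: classify(r) for r in parse_psxview(text)}


if __name__ == "__main__":
    for pid, verdict in triage(PSXVIEW_SAMPLE).items():
        print(pid, verdict)
```

The terminated case is what the cmd.exe row above most likely is; the hidden case is the one worth dumping and inspecting further.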
5. DLLLIST

It lists the modules (the executable itself and its DLLs) loaded into each
process, with the base address, size and full path of each module, so it
also shows the full path of the process image. It gets this information
from the InLoadOrderModuleList in the process environment block (PEB); a
DLL that has been unlinked from the PEB lists will therefore not appear
here, which is why ldrmodules exists as a cross-check against the VAD.

We can also check the DLLs of a particular process. For example, to check
process 592 we can use dlllist -p 592 (equivalently --pid=592), as shown in
the 3rd output.
6. CONNECTIONS

It is used to determine the TCP connections that were active on the system
at the time of acquisition (Windows XP and 2003 only). It walks the list of
connection objects maintained by tcpip.sys, so it shows only connections
that were still open when the image was taken; connections that had already
been closed are not listed, which is what connscan is for. Each row gives
the local address, the remote address and the owning PID, so it makes sense
to run this plugin to add network context to the process listings.

In the output we can also check which process PID 2160 or 2392 belongs to
by looking the PID up in the pslist or psscan output.
7. CONNSCAN

It is used to verify the existence of ongoing network connections and to
recover recently terminated ones. It scans physical memory for _TCPT_OBJECT
pool allocations (XP and 2003), so it finds current connections and also
terminated connections whose objects have not yet been overwritten. This
plugin reveals important new information: which remote addresses the
suspect computer system, from which the memory image originated, had
established connections with.

It displays which local address was connected to which remote address and
which PID is responsible for that. We can also check which process this PID
belongs to. For example, we checked PID 944, but we found something
suspicious: we used other commands such as psscan, but were not able to
identify the process.

So there is no information about this PID. Because connscan recovers
connection objects from memory that may already have been freed, the PID it
reports can belong to a process that exited and whose _EPROCESS has since
been overwritten, or the PID may have been reused; a connection whose PID
cannot be resolved by pslist or psscan should be kept as a lead and the
remote address pivoted on, rather than dismissed.
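As an added example for the lookup described above (written for this page, not part of the assignment or of Volatility), the block below joins connscan-style rows with psscan-style rows so that every connection's PID is resolved to a live process, an exited process or an orphan with no _EPROCESS at all. The addresses, offsets, names and PIDs are constructed sample data; the orphan PID 944 is used only to mirror the situation described above, not as the image's real value.

```python
# Added example: resolve the Pid column of connscan/connections output against
# psscan output. All rows below are constructed sample data.
CONNSCAN_SAMPLE = """\
Offset(P)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x01a4e6d8 192.168.1.5:1054          10.0.0.9:80               1412
0x01b13aa0 192.168.1.5:1061          203.0.113.7:4444          944
0x01c07fc8 192.168.1.5:1070          198.51.100.2:443          2160
"""

PSSCAN_SAMPLE = """\
Offset(P)  Name                PID   PPID PDB        Time created                   Time exited
---------- ---------------- ------ ------ ---------- ------------------------------ ------------------------------
0x021f0c40 explorer.exe       1412   1380 0x0a1c0000 2005-06-25 16:47:40 UTC+0000
0x021a6540 cmd.exe            2160   1412 0x0c340000 2005-06-25 16:52:01 UTC+0000   2005-06-25 16:55:12 UTC+0000
"""


def parse_psscan(text):
    """Return {pid: {name, exited}}; 'exited' is empty for a still-running process."""
    procs = {}
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        f = line.split()
        procs[int(f[2])] = {"name": f[1], "exited": " ".join(f[8:11])}
    return procs


def parse_connscan(text):
    """Return one dict per connection row (same layout as the connections plugin)."""
    conns = []
    for line in text.splitlines():
        if not line.startswith("0x"):
            continue
        offset, local, remote, pid = line.split()
        conns.append({"offset": offset, "local": local, "remote": remote, "pid": int(pid)})
    return conns


def resolve(conns, procs):
    """Attach process name and a status to each connection:
    live   - owning process still present with no exit time
    exited - owning process found by pool scanning but has an exit time
    orphan - no _EPROCESS with that PID found even by psscan (overwritten or reused)"""
    out = []
    for c in conns:
        p = procs.get(c["pid"])
        if p is None:
            status = "orphan"
        elif p["exited"]:
            status = "exited"
        else:
            status = "live"
        out.append({**c, "process": p["name"] if p else None, "status": status})
    return out


def orphans(resolved):
    """PIDs that need manual follow-up (pivot on the remote address, check PID reuse)."""
    return [c["pid"] for c in resolved if c["status"] == "orphan"]


if __name__ == "__main__":
    resolved = resolve(parse_connscan(CONNSCAN_SAMPLE), parse_psscan(PSSCAN_SAMPLE))
    for c in resolved:
        print(c["pid"], c["process"], c["status"], c["local"], "->", c["remote"])
    print("orphan pids:", orphans(resolved))
```

The same join works on the connections plugin's output, which uses the same columns; there every PID should resolve to a live process, so an orphan in connections output is a stronger signal than one in connscan output.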


8. SVCSCAN

It is used to see which services are registered in the memory image; it
finds them by scanning the memory of services.exe for service records. The
output shows, for each service, the process ID (present only when the
service is active and runs in a user-mode process; kernel drivers have
none), the service name, the display name, the service type and the current
state. It also shows the binary path of the registered service, and
comparing that path against the expected location is a quick check for a
service that points at an unusual file.
