Solved: Processes in memory dump, but not in ps aux

Hi, happy Sunday everyone. I'm practicing with Volatility 3 to scan my memory dump, made using avml, and I ran into a doubt because I'm seeing processes in the memory dump that don't exist when I run 'ps aux'. These processes are: gvfsd-dnssd, gvfsd-network, kworker/u12:1, kworker/u12:3, p11-kit-server, and so on. What can I get from this? Are these processes malicious? Or is ps aux not showing those processes? Those processes are known, right?
 


Guys, I'm in trouble. I used psscan in Volatility 3, but I'm having difficulty telling legitimate from malicious processes. I attached the file generated by psscan; can you guys help me? For the first time, I'm looking in depth into the processes, and I need to find out if there is something that shouldn't be there!
 

Attachments

  • output_psscan.txt (50.7 KB)
@luizfernandorg
Please run ps --help simple; according to the help, you should realize that you're filtering out processes and thus not getting the full list.
I did a 'ps -A', which I understand shows all the processes, and the list I got from Volatility 3 using linux.psscan shows some processes that don't show up in 'ps -A'. Should this be normal, or am I getting malware in the list? I know that hackers can hide themselves from ps, which is why digital forensics uses Volatility 3 to scan the memory to see hidden processes.
 
When you run ps -A you also need to dump memory at relatively the same time; you don't compare it to an old dump, right?

Also note that the memory dump might show threads and child processes which the ps command might not show.
Child processes are those which a process creates during run-time.
Threads, on the other hand, should have the same PID.
 
About taking the memory dump and running ps -A at the same time: I didn't do that. When I use Volatility 3 to scan the memory dump I use linux.psscan, linux.pslist, linux.psaux, and linux.pstree, and some processes that exist in the psscan output don't show up in the other three (pslist, psaux, and pstree). This intrigues me. It is my first time using Volatility 3.
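The cross-check discussed in this thread, as an added example that is not part of the original posts and not code from the Volatility project: it compares a linux.pslist listing (which walks the kernel's task list), a linux.psscan listing (which carves task_structs out of physical memory, so it also turns up processes that have already exited) and a ps -A listing captured right before the dump, and sorts every psscan entry into a bucket with a concrete explanation. The tab-separated PID/TID/PPID/COMM layout and the three sample listings are constructed for the example; real Volatility output also carries offsets and, for psscan, an exit-state column, and the comparison against ps only means something if ps is run at the moment the dump is taken.

```python
"""Triage Volatility 3 linux.pslist / linux.psscan output against a live ps listing.

Added example for this thread; not code from the original posts or from the
Volatility project. The column layout and the three listings below are
constructed (assumption): real plugin output also prints task_struct offsets,
and linux.psscan adds an exit-state column worth reading for scan-only hits.
"""

# Constructed sample: what linux.pslist (walks the kernel task list) might print.
PSLIST = """\
PID\tTID\tPPID\tCOMM
1\t1\t0\tsystemd
2\t2\t0\tkthreadd
1234\t1234\t1\tgvfsd-dnssd
1234\t1240\t1\tgvfsd-dnssd
2001\t2001\t1\tp11-kit-server
3100\t3100\t2\tkworker/u12:3
3077\t3077\t2\tkworker/u12:1
"""

# Constructed sample: what linux.psscan (carves task_structs from physical
# memory, exited ones included) might print for the same dump.
PSSCAN = """\
PID\tTID\tPPID\tCOMM
1\t1\t0\tsystemd
2\t2\t0\tkthreadd
1234\t1234\t1\tgvfsd-dnssd
1234\t1240\t1\tgvfsd-dnssd
2001\t2001\t1\tp11-kit-server
3100\t3100\t2\tkworker/u12:3
3077\t3077\t2\tkworker/u12:1
4242\t4242\t1\tbash
"""

# Constructed sample: `ps -A -o pid,ppid,comm` run right before the dump.
# ps -A prints one line per thread group leader, so TID 1240 never appears,
# and kworker/u12:1 (3077) was spawned after ps ran.
PS_LIVE = """\
    PID    PPID COMMAND
      1       0 systemd
      2       0 kthreadd
   1234       1 gvfsd-dnssd
   2001       1 p11-kit-server
   3100       2 kworker/u12:3
"""


def parse_volatility(text):
    """Return rows as dicts from a tab-separated PID/TID/PPID/COMM listing."""
    rows = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split("\t")
        if len(parts) != 4:
            continue
        pid, tid, ppid, comm = parts
        rows.append({"pid": int(pid), "tid": int(tid), "ppid": int(ppid), "comm": comm})
    return rows


def parse_ps(text):
    """Return {pid: command} from `ps -A -o pid,ppid,comm` output."""
    live = {}
    for line in text.splitlines()[1:]:          # skip the PID/PPID/COMMAND header
        parts = line.split(None, 2)
        if len(parts) == 3:
            live[int(parts[0])] = parts[2]
    return live


def triage(pslist_text, psscan_text, ps_text):
    """Give every psscan entry one explanation: thread, visible, linked-but-new, or scan-only."""
    pslist = parse_volatility(pslist_text)
    psscan = parse_volatility(psscan_text)
    live = parse_ps(ps_text)

    linked = {r["pid"] for r in pslist}         # PIDs reachable from init_task's list
    # Threads share the PID of their group leader and carry their own TID;
    # ps -A folds them into the leader (ps -eLf would list them).
    threads = sorted(r["tid"] for r in psscan if r["tid"] != r["pid"])
    leaders = {r["pid"]: r for r in psscan if r["tid"] == r["pid"]}

    result = {"threads": threads, "matches_ps": [], "linked_not_in_ps": [], "scan_only": []}
    for pid in sorted(leaders):
        if pid in live:
            result["matches_ps"].append(pid)            # ordinary, visible process
        elif pid in linked:
            # On the task list but missing from ps: typically a short-lived
            # process (kworker, gvfsd helper) that started after ps was run.
            result["linked_not_in_ps"].append(pid)
        else:
            # Found only by carving: either it had exited (check psscan's
            # exit-state column) or it was unlinked from the task list, which
            # is what a process hidden from ps looks like. Follow up on these.
            result["scan_only"].append(pid)
    return result


if __name__ == "__main__":
    for bucket, pids in triage(PSLIST, PSSCAN, PS_LIVE).items():
        print(f"{bucket:18} {pids}")
```

Only the scan_only bucket deserves real attention: an entry there either exited before the dump (the exit state says so) or is no longer on the task list, and a process removed from the list is exactly how a rootkit keeps it out of ps and out of linux.pslist. Entries that are linked but absent from ps are almost always the timing problem raised above, and thread rows disappear from ps -A simply because ps collapses them into their group leader.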
 
