Yeah the OS version / profile you're using would be helpful. Even more
helpful would be the ntoskrnl.exe file from the system's disk or even
dumped out of memory with moddump. At that point we can look at the
structures and see if anything changed with a recent patch, and that may
explain psscan not working.

The shimcache plugin pulls from the cached registry hives, which aren't
guaranteed to be cached. Can you check whether all registry-based plugins
are failing or just the shimcache plugin? For example, does hivelist
return any results? Either way, check out the shimcachememory plugin
from our community repo
https://github.com/volatilityfoundation/community/tree/master/ShimcacheMemory
or the author's repo
https://github.com/fireeye/Volatility-Plugins/tree/master/shimcachemem
(it's the same version in both places). This plugin pulls from the RAM
cache, which is a more reliable method given a memory dump.

MHL
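A quick check for the symptom Erika describes (timeliner rows whose [SHIMCACHE] description is empty), added here as an example and not code from the thread or from Volatility. It assumes the timeliner body file has been run through mactime into its CSV layout (Date,Size,Type,Mode,UID,GID,Meta,File Name), which is what the quoted snippet looks like; the sample rows are constructed.

```python
# Added example, not part of the thread or of Volatility. Assumes timeliner
# output passed through mactime (CSV: Date,Size,Type,Mode,UID,GID,Meta,File Name).
# The sample rows below are constructed to mirror the symptom in the thread.
import csv
import io
import re
from collections import Counter

# Constructed sample: two SHIMCACHE rows with no path (the symptom), one
# populated SHIMCACHE row, plus rows from other timeliner sources.
SAMPLE_CSV = """\
Tue May 31 2016 21:38:00,0,macb,---------------,0,0,0,"[SHIMCACHE]  "
Tue May 31 2016 21:38:00,0,macb,---------------,0,0,0,"[SHIMCACHE]  "
Tue May 31 2016 21:39:10,0,macb,---------------,0,0,0,"[SHIMCACHE] \\??\\C:\\Windows\\System32\\notepad.exe"
Tue May 31 2016 21:40:00,0,...b,---------------,0,0,0,"[PROCESS] explorer.exe PID: 1234"
Tue May 31 2016 21:41:00,0,mac.,---------------,0,0,0,"[REGISTRY] \\REGISTRY\\MACHINE\\SYSTEM"
"""

# Timeliner prefixes each description with its source in square brackets.
TAG_RE = re.compile(r"^\[(?P<tag>[A-Z ]+)\]\s*(?P<desc>.*)$")

def parse_rows(text):
    """Yield (source_tag, description) for every well-formed CSV row."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 8:
            continue  # header, blank or truncated line
        match = TAG_RE.match(row[7])
        if match:
            yield match.group("tag"), match.group("desc").strip()

def summarize(text):
    """Return {tag: (total_rows, rows_with_empty_description)}."""
    total, blank = Counter(), Counter()
    for tag, desc in parse_rows(text):
        total[tag] += 1
        if not desc:
            blank[tag] += 1
    return {tag: (total[tag], blank[tag]) for tag in total}

def shimcache_looks_broken(summary, threshold=0.5):
    """True when at least `threshold` of the SHIMCACHE rows carry no path,
    i.e. the plugin emitted timestamps but could not read the entries."""
    total, blank = summary.get("SHIMCACHE", (0, 0))
    return total > 0 and blank / total >= threshold
```

If `shimcache_looks_broken` fires, that is the cue to check whether the registry hives are actually cached (hivelist) and to try the memory-based shimcachemem plugin instead.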

On 5/31/16 5:29 PM, Bridgey theGeek wrote:
> Hi Erika,
> 
> Which version of Windows are you analysing?
> 
> You say 'psscan' returns no results, how about pslist and psxview?
> I would agree that psscan finding nothing is odd.
> 
> And how was the image acquired?
> 
> Let us know!
> Adam
> 
> 
> 
> On 31 May 2016 at 21:38, Erika Noerenberg <[email protected]> wrote:
> 
>     Hello all,
> 
>     I am analyzing a memory dump and looking at execution in a period of
>     known bad activity, and have been able to gather quite a bit of
>     information using volatility. For some reason though, shimcache and
>     psscan return no results, although all the other plugins I've run
>     (and volshell) have worked fine. I find it hard to believe that
>     psscan for one can find no _EPROCESS structures, so I'm not sure
>     what's happening. Also, in the results from the timeliner, I have
>     several entries with blank shimcache entries like
>     "macb,---------------,0,0,0,"[SHIMCACHE]  "" during times I can
>     correlate with shimcache entries on disk, so I know something is
>     just not being picked up.
> 
>     Any ideas on why shimcache/psscan would produce no results? I'm not
>     sure about the best way to track down the reason.
> 
>     Thanks!
>     Erika
> 
>     _______________________________________________
>     Vol-users mailing list
>     [email protected]
>     http://lists.volatilesystems.com/mailman/listinfo/vol-users
