I was learning Volatility, and in this room on TryHackMe they used psxview to find the hidden processes. The assignment was:

It's fairly common for malware to attempt to hide itself and the process associated with it. That being said, we can view intentionally hidden processes via the command psxview. What process has only one 'False' listed?

And the output was:

$volatility -f cridex.vmem --profile WinXPSP3x86 psxview

Volatility Foundation Volatility Framework 2.6
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True     
0x02511360 svchost.exe             824 True   True   True     True   True  True    True     
0x022e8da0 alg.exe                 788 True   True   True     True   True  True    True     
0x020b17b8 spoolsv.exe            1512 True   True   True     True   True  True    True     
0x0202ab28 services.exe            652 True   True   True     True   True  True    True     
0x02495650 svchost.exe            1220 True   True   True     True   True  True    True     
0x0207bda0 reader_sl.exe          1640 True   True   True     True   True  True    True     
0x025001d0 svchost.exe            1004 True   True   True     True   True  True    True     
0x02029ab8 svchost.exe             908 True   True   True     True   True  True    True     
0x023fcda0 wuauclt.exe            1136 True   True   True     True   True  True    True     
0x0225bda0 wuauclt.exe            1588 True   True   True     True   True  True    True     
0x0202a3b8 lsass.exe               664 True   True   True     True   True  True    True     
0x023dea70 explorer.exe           1484 True   True   True     True   True  True    True     
0x023dfda0 svchost.exe            1056 True   True   True     True   True  True    True     
0x024f1020 smss.exe                368 True   True   True     True   False False   False    
0x025c89c8 System                    4 True   True   True     True   False False   False    
0x024a0598 csrss.exe               584 True   True   True     True   False True    True

The answer to this assignment was csrss.exe, as you can see that it's the only process with one "False" in it.

How exactly is a process considered hidden? Is it when there is only one "False" in its properties?

At the same time, this source says that:

Well, except in our case ;) no processes seem to be hidden, if so you’ll see “False” in the first two columns (pslist and psscan).

So, which is correct? When is a process considered hidden when analyzing the output of psxview?

1 Answer

Firstly, it's beneficial to use the -R flag with this psxview module to call out known-benign patterns, such as the legitimate csrss and smss processes displaying False in your output.

To answer the original question, the psscan column will tell you any EPROCESS structure Volatility found by crawling through memory. An EPROCESS structure is like scaffolding around an executable in memory, and therefore evidence a process is running or ran.

You will then compare this with the pslist column, which contains entries that are reporting to the operating system as normal, via the EPROCESS doubly linked list.

If an entry is found in PSSCAN, but not by PSLIST, some explanations are:

  1. the process was exited but remnants exist in memory

  2. the process is running and has been intentionally hidden

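As an added example (not part of the question or the answer above), here is a small Python triage of a psxview table that applies the rule the answer describes: a row is a hidden candidate when psscan found its EPROCESS but pslist did not and no ExitTime is recorded, while a simple count of "False" cells is not the test. The KNOWN_BENIGN table is an assumption approximating the patterns -R suppresses, and the last two sample rows (hidden.exe, cmd.exe) are constructed to exercise the hidden and exited paths.

```python
COLUMNS = ("pslist", "psscan", "thrdproc", "pspcid", "csrss", "session", "deskthrd")

# Constructed sample: four rows copied from the psxview table in the question,
# plus two constructed rows (hidden.exe, cmd.exe) that are not from the page.
SAMPLE = """\
0x02498700 winlogon.exe            608 True   True   True     True   True  True    True
0x024f1020 smss.exe                368 True   True   True     True   False False   False
0x025c89c8 System                    4 True   True   True     True   False False   False
0x024a0598 csrss.exe               584 True   True   True     True   False True    True
0x0230ab10 hidden.exe             1337 False  True   True     True   True  True    True
0x022b5e70 cmd.exe                1900 False  True   False    False  False False   False    2012-07-22 02:42:36 UTC+0000
"""

# Assumed approximation of the known-benign patterns psxview -R marks as okay:
# System and smss.exe start before csrss.exe exists, so csrss handle, session and
# desktop-thread checks miss them; csrss.exe does not hold a handle to itself.
KNOWN_BENIGN = {
    "system": {"csrss", "session", "deskthrd"},
    "smss.exe": {"csrss", "session", "deskthrd"},
    "csrss.exe": {"csrss"},
}

def parse_psxview(text):
    rows = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or not fields[0].startswith("0x"):
            continue  # skip header, separator and blank lines
        rows.append({
            "offset": fields[0], "name": fields[1], "pid": int(fields[2]),
            "flags": {c: v == "True" for c, v in zip(COLUMNS, fields[3:10])},
            "exit_time": " ".join(fields[10:]),  # empty while the process is alive
        })
    return rows

def false_columns(row):
    return {c for c, seen in row["flags"].items() if not seen}

def classify(row):
    missing = false_columns(row)
    if not missing:
        return "visible"
    # Core test: EPROCESS found by scanning memory (psscan) but unlinked from
    # the doubly linked process list (pslist). ExitTime explains it benignly.
    if row["flags"]["psscan"] and not row["flags"]["pslist"]:
        return "exited-remnant" if row["exit_time"] else "hidden"
    if missing <= KNOWN_BENIGN.get(row["name"].lower(), set()):
        return "benign-pattern"
    return "anomalous:" + ",".join(sorted(missing))

def triage(text):
    return [(r["name"], r["pid"], classify(r), len(false_columns(r))) for r in parse_psxview(text)]
```

Note that both csrss.exe and the constructed hidden.exe have exactly one "False", so only the column in which the False appears separates a known-benign row from a hidden one.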