Usage
- Cross-view detection
| Method | Source |
|---|---|
| pslist | ActiveProcess linked list |
| psscan | Pool scan |
| thrdproc | Thread → EPROCESS back-reference |
| pspcid | PspCidTable (PID table) |
| session | Session process list |
| deskthrd | Desktop thread list |

If present in:
- psscan
- thrdproc
- pspcid

But NOT in:
- pslist

→ Likely DKOM hiding.

Commands
# Cross-check process visibility across structures (Vol2)
vol.py -f <mem> --profile=<profile> psxview
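
The rule above applied to saved psxview text output, as an added example (not part of the original page and not Volatility's own code). The sample rows, process names, and the function names `parse_psxview` and `likely_dkom` are constructed for illustration; the column layout assumes the Vol2 text renderer.

```python
import re

# Constructed sample of Volatility 2 psxview text output (not from a real image).
SAMPLE = """\
Offset(P)  Name                    PID pslist psscan thrdproc pspcid csrss session deskthrd ExitTime
---------- -------------------- ------ ------ ------ -------- ------ ----- ------- -------- --------
0x06499b80 svchost.exe            1148 True   True   True     True   True  True    True
0x04a065d0 explorer.exe           1724 True   True   True     True   True  True    True
0x04be97e8 hidden.exe             1984 False  True   True     True   True  True    True
0x05f027e0 cmd.exe                2104 False  True   False    False  False False   False    2019-03-01 10:12:44 UTC+0000
"""

# offset, name (may contain spaces), PID, run of True/False flags, optional exit time
ROW = re.compile(r"^(0x[0-9a-fA-F]+)\s+(.*?)\s+(\d+)\s+((?:(?:True|False)\s*)+)(.*)$")

def parse_psxview(text):
    """Return one dict per process row, with flag columns named from the header."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    header = next(ln for ln in lines if ln.startswith("Offset"))
    # Flag columns are everything between PID and the optional ExitTime column.
    cols = [c for c in header.split()[3:] if c != "ExitTime"]
    rows = []
    for line in lines:
        m = ROW.match(line)
        if not m:
            continue  # header, separator, or banner lines
        flags = [f == "True" for f in m.group(4).split()]
        if len(flags) != len(cols):
            continue  # malformed row: skip rather than guess
        row = {"offset": m.group(1), "name": m.group(2),
               "pid": int(m.group(3)), "exit_time": m.group(5).strip()}
        row.update(zip(cols, flags))
        rows.append(row)
    return rows

def likely_dkom(rows, seen_in=("psscan", "thrdproc", "pspcid"), missing_from="pslist"):
    """Rows visible in every `seen_in` source but absent from `missing_from`."""
    return [r for r in rows
            if not r.get(missing_from, True) and all(r.get(c, False) for c in seen_in)]

if __name__ == "__main__":
    for r in likely_dkom(parse_psxview(SAMPLE)):
        print(f"{r['pid']:>6} {r['name']:<20} {r['offset']}  missing from pslist")
```

Rows such as the constructed `cmd.exe` entry, which carry an ExitTime and are missing from several sources at once, are usually terminated processes found by the pool scan rather than hidden ones, so the rule does not flag them.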