
thrdscan

Pool scan for _ETHREAD structures: carves thread objects directly out of kernel pool memory instead of walking each process's thread list, so it also recovers threads that are unlinked, hidden, or belong to terminated processes.

Usage

  • Hidden threads
  • Orphaned threads

If a thread is recovered but its owning process (by PID) is missing from the process list → suspicious.
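As an added example (not code from this page or from the Volatility project), the orphan check above applied to constructed thrdscan and pslist output: the sample text is assumed to follow the column layout of Volatility 2's thrdscan output, and the PID set stands in for a pslist result. It also handles one caveat: a pool scan recovers threads of legitimately terminated processes too, so a recovered thread that already has an exit time is reported separately from a live-looking thread with no owner.

```python
import re
from collections import namedtuple

Thread = namedtuple("Thread", "offset pid tid start_address create_time exit_time")

# Constructed sample shaped like Volatility 2 `thrdscan` output (not real case data).
THRDSCAN_OUTPUT = """\
Offset(P)          PID    TID      Start Address Create Time               Exit Time
0x000000003e1a4d40      4     12 0xfffff80002c9c870 2024-01-09 10:01:12 UTC+0000
0x000000003e7b2b50    612    640 0x0000000077a8c0c0 2024-01-09 10:02:40 UTC+0000
0x000000003f0c1060   1337   1344 0x0000000000401000 2024-01-09 10:05:03 UTC+0000
0x000000003f33e7c0   2208   2216 0x0000000076f10000 2024-01-09 10:03:11 UTC+0000 2024-01-09 10:04:55 UTC+0000
"""

# Constructed set of PIDs as `pslist` would report them for the same image.
PSLIST_PIDS = {4, 612}

# One thrdscan row: offset, pid, tid, start address, create time, optional exit time.
LINE_RE = re.compile(
    r"^(0x[0-9a-f]+)\s+(\d+)\s+(\d+)\s+(0x[0-9a-f]+)\s+"
    r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4})"
    r"(?:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2} UTC[+-]\d{4}))?\s*$"
)

def parse_thrdscan(text):
    """Parse thrdscan text rows into Thread records; header lines are skipped."""
    threads = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        offset, pid, tid, start, created, exited = m.groups()
        threads.append(Thread(int(offset, 16), int(pid), int(tid), int(start, 16), created, exited))
    return threads

def triage_orphans(threads, known_pids):
    """Split threads whose PID is absent from the process list into
    (suspicious, stale): no exit time means the thread still looks live."""
    suspicious, stale = [], []
    for t in threads:
        if t.pid in known_pids:
            continue
        (stale if t.exit_time else suspicious).append(t)
    return suspicious, stale

if __name__ == "__main__":
    susp, stale = triage_orphans(parse_thrdscan(THRDSCAN_OUTPUT), PSLIST_PIDS)
    for t in susp:
        print(f"SUSPICIOUS: PID {t.pid} TID {t.tid} start=0x{t.start_address:x} has no owner in pslist")
    for t in stale:
        print(f"stale: PID {t.pid} TID {t.tid} exited {t.exit_time} (owner likely terminated normally)")
```

A suspicious hit is a lead, not a verdict: compare the PID against psscan and the start address against the loaded-module map before concluding the owner was unlinked.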

Commands

# Scan for hidden threads (Vol2)
vol.py -f <mem> --profile=<profile> thrdscan

# Scan for hidden threads (Vol3)
python3 vol.py -f <mem> windows.thrdscan