The malfind plugin helps analysts find injected code or DLLs. To run this plugin against a specific process, such as the lsass.exe process with PID 868, run the following command, which selects the process by name:

[1] stuxnet.vmem 18:42:56> malfind proc_regex="lsass.exe"

The preceding command produces the following abridged output:

The malfind plugin parses through the associated DLLs and other files. In the preceding example, there is an executable associated with the process starting at the memory segment 0x800000. This provides analysts with a starting point for evaluating what actions in memory the PID and associated executables are performing.
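The following added example (not from the book and not Rekall's own code) sketches the kind of check a malfind-style scan applies to each memory region of a process: flag regions that are both writable and executable and are not backed by a file on disk, then note whether they begin with a PE header. The `Region` fields, the helper names, and every sample value except the 0x800000 address from the text are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

# Page protections that allow a region to be both written and executed.
WRITE_EXEC = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}

@dataclass
class Region:                      # hypothetical, simplified view of one memory region
    start: int                     # base virtual address
    protection: str                # page protection name
    mapped_file: Optional[str]     # None means private memory with no file on disk
    head: bytes                    # first bytes read from the region

def has_pe_header(head: bytes) -> bool:
    """True if the bytes start with 'MZ' and e_lfanew points at a 'PE\\0\\0' signature."""
    if len(head) < 0x40 or head[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(head[0x3C:0x40], "little")
    return head[e_lfanew:e_lfanew + 4] == b"PE\0\0"

def suspicious_regions(regions):
    """Return (start, kind) for writable+executable regions with no backing file."""
    findings = []
    for r in regions:
        if r.protection not in WRITE_EXEC or r.mapped_file is not None:
            continue               # normally loaded images and plain data are skipped
        kind = "pe_image" if has_pe_header(r.head) else "code_or_data"
        findings.append((r.start, kind))
    return findings

def _pe_stub() -> bytes:
    """Constructed 256-byte buffer carrying only the DOS and PE signatures."""
    buf = bytearray(0x100)
    buf[0:2] = b"MZ"
    buf[0x3C:0x40] = (0x80).to_bytes(4, "little")
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)

# Constructed sample regions; only 0x800000 comes from the text above.
SAMPLE = [
    Region(0x800000, "PAGE_EXECUTE_READWRITE", None, _pe_stub()),
    Region(0x1000000, "PAGE_EXECUTE_WRITECOPY", "lsass.exe", _pe_stub()),
    Region(0x6F0000, "PAGE_READWRITE", None, bytes(64)),
    Region(0x870000, "PAGE_EXECUTE_READWRITE", None, b"\x55\x8b\xec" + bytes(61)),
]

if __name__ == "__main__":
    for start, kind in suspicious_regions(SAMPLE):
        print(f"{start:#x} {kind}")
```

A hit from this kind of check is a lead rather than a verdict: some legitimate software allocates writable and executable private memory, so each flagged region still needs to be dumped and examined.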
