abnormalities in windows threads, attached process and owned process
https://stackoverflow.com/questions/7972706
-
19-02-2021 - |
italiano
english
français
española
中国
日本の
العربية
Deutsch
한국어
Português
RussianQuestion
So I am doing some memory analysis on a windows memory image and I am looking at threads spawned by processes.
the tool I am using is volatility.
So I was checking the threads spawned by an explorer process. my question is, does a thread always have to have 1) owned process and 2) attached process.
I caught an explorer thread that has an Owned process: Explorer.exe but the Attached Process does not have a name. The process with no name has an associated address in memory.
Is this normal for a thread to have an attached process with no name? Also what is the subtle difference between an owned process and attached process?
Thanks for looking.
Solution
An AttachedProcess search finds "threads that are currently executing in the context of a process other than the process which owns the thread" (from https://code.google.com/p/volatility/wiki/CommandReference).
This article will explain this for you: http://mnin.blogspot.com/2011/04/investigating-windows-threads-with.html
There is an entire section on attached processes and their implications in memory analysis.
