GIAC
GCIH · Question #836
GCIH Question #836: Real Exam Question with Answer & Explanation
The correct answer is D: The psscan plugin identifies hidden processes. Volatility's psscan scans raw memory for process pool tags, so it can detect hidden or unlinked processes that pslist misses, because pslist only walks the kernel's active process list.
Question
Considering Volatility, why would psscan return more results than pslist?
Options
- A. The psscan plugin is known to provide duplicate results
- B. The psscan plugin searches a longer timeline
- C. The psscan plugin can access a list of processes directly from the kernel
- D. The psscan plugin identifies hidden processes
Explanation
Volatility's psscan scans raw memory for process pool tags (EPROCESS allocations), so it can detect hidden or unlinked processes that pslist misses, because pslist only walks the kernel's active process list (the doubly-linked list that DKOM rootkits unlink from).
Common mistakes.
- A. Occasional false positives or stale EPROCESS artifacts can appear in psscan output, but duplicate results are not the primary reason psscan returns more processes than pslist.
- B. Both psscan and pslist operate on the same static memory image and have no concept of different timelines; neither plugin searches a broader time window than the other.
- C. It is pslist, not psscan, that reads directly from the kernel's active process doubly-linked list; psscan bypasses that list entirely by scanning raw memory pool allocations.
Concept tested. Volatility psscan detection of DKOM-hidden processes