Which Volatility plugin helps identify the modules loaded by each process, aiding detection of injected code?

Study for the SANS Advanced Incident Response, Threat Hunting, and Digital Forensics (FOR508) Test. Prepare with comprehensive materials, flashcards, and multiple choice questions with hints and explanations. Ace your exam with confidence!

Multiple Choice

Explanation:
Detecting code injection relies on seeing what code each process has loaded. If a malicious actor injects code, a rogue DLL often becomes one of the modules listed for the target process. The ldrmodules plugin is built to enumerate all modules loaded by every process by traversing the process's loader data structures and listing each module's name, base address, and path. This per-process module census makes injections visible: you can spot DLLs that don't belong to the legitimate application, come from unusual directories, or appear with unexpected base addresses or timestamps.

Other plugins focus on different artifacts. pslist simply enumerates processes, netscan reports network connections, and handles shows handles opened by processes. None of these directly reveal the set of modules loaded into each process, which is why ldrmodules is the best choice for detecting injected code.
