counter

View My Stats

Tuesday, April 17, 2012

Identifying malicious injected code in Legit Process through dynamic analysis:

I wont be diving into details how thread injection can be done as there is a lot of information on the internet about it.

For locating malicious code injected in process I would be using Sysinternals VMMAP tool and windbg as remote debugger.

I’ll show how to identify injected threads in explorer.exe

Using windbg I find the details of process running in the system

command:!process 0 0

kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 829c6830  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00319000  ObjectTable: e1000cc0  HandleCount: 475.
    Image: System
PROCESS 82879170  SessionId: none  Cid: 0238    Peb: 7ffd6000  ParentCid: 0004
    DirBase: 08040020  ObjectTable: e1793dc0  HandleCount:  21.
    Image: smss.exe
PROCESS 822dc360  SessionId: 0  Cid: 0268    Peb: 7ffdf000  ParentCid: 0238
    DirBase: 08040040  ObjectTable: e165c858  HandleCount: 395.
    Image: csrss.exe
PROCESS 827e1020  SessionId: 0  Cid: 0280    Peb: 7ffde000  ParentCid: 0238
    DirBase: 08040060  ObjectTable: e1649b20  HandleCount: 564.
    Image: winlogon.exe
PROCESS 827e6020  SessionId: 0  Cid: 02ac    Peb: 7ffda000  ParentCid: 0280
    DirBase: 08040080  ObjectTable: e188d650  HandleCount: 270.
    Image: services.exe
PROCESS 824571c8  SessionId: 0  Cid: 02b8    Peb: 7ffdd000  ParentCid: 0280
    DirBase: 080400a0  ObjectTable: e1894188  HandleCount: 342.
    Image: lsass.exe
PROCESS 8254fca8  SessionId: 0  Cid: 036c    Peb: 7ffd4000  ParentCid: 02ac
    DirBase: 080400c0  ObjectTable: e197a418  HandleCount:  24.
    Image: vmacthlp.exe
PROCESS 82453da0  SessionId: 0  Cid: 0378    Peb: 7ffd9000  ParentCid: 02ac
    DirBase: 080400e0  ObjectTable: e197e3d8  HandleCount: 189.
    Image: svchost.exe
PROCESS 823ef810  SessionId: 0  Cid: 03e8    Peb: 7ffdf000  ParentCid: 02ac
    DirBase: 08040120  ObjectTable: e1cca130  HandleCount: 283.
    Image: svchost.exe
PROCESS 8245a7e8  SessionId: 0  Cid: 0448    Peb: 7ffde000  ParentCid: 02ac
    DirBase: 08040140  ObjectTable: e1ccb818  HandleCount: 1520.
    Image: svchost.exe
PROCESS 8273b7e0  SessionId: 0  Cid: 0498    Peb: 7ffdd000  ParentCid: 02ac
    DirBase: 08040160  ObjectTable: e17b3310  HandleCount:  79.
    Image: svchost.exe
PROCESS 8255d460  SessionId: 0  Cid: 0580    Peb: 7ffde000  ParentCid: 02ac
    DirBase: 080401a0  ObjectTable: e1898440  HandleCount: 210.
    Image: svchost.exe
PROCESS 827f9020  SessionId: 0  Cid: 0594    Peb: 7ffda000  ParentCid: 056c
    DirBase: 080401c0  ObjectTable: e1893ed8  HandleCount: 817.
    Image: explorer.exe
PROCESS 82452980  SessionId: 0  Cid: 0634    Peb: 7ffdf000  ParentCid: 02ac
    DirBase: 080401e0  ObjectTable: e1fb64f8  HandleCount: 134.
    Image: spoolsv.exe
PROCESS 823e8b88  SessionId: 0  Cid: 06dc    Peb: 7ffd7000  ParentCid: 0594
    DirBase: 08040100  ObjectTable: e1c3dfb8  HandleCount:  60.
    Image: VMwareTray.exe
PROCESS 82452020  SessionId: 0  Cid: 06f8    Peb: 7ffd9000  ParentCid: 0594
    DirBase: 08040220  ObjectTable: e1909bb0  HandleCount: 200.
    Image: VMwareUser.exe
PROCESS 827f03c0  SessionId: 0  Cid: 0430    Peb: 7ffdb000  ParentCid: 02ac
    DirBase: 08040180  ObjectTable: e1c66998  HandleCount: 260.
    Image: vmtoolsd.exe
PROCESS 82456830  SessionId: 0  Cid: 050c    Peb: 7ffdf000  ParentCid: 02ac
    DirBase: 08040280  ObjectTable: e1942f20  HandleCount:  97.
    Image: VMUpgradeHelper.exe
PROCESS 826b3da0  SessionId: 0  Cid: 00b0    Peb: 7ffdf000  ParentCid: 0448
    DirBase: 080402c0  ObjectTable: e2115538  HandleCount:  48.
    Image: wscntfy.exe
PROCESS 822b1b28  SessionId: 0  Cid: 0188    Peb: 7ffde000  ParentCid: 02ac
    DirBase: 080402e0  ObjectTable: e219e928  HandleCount: 105.
    Image: alg.exe
PROCESS 828e3460  SessionId: 0  Cid: 0160    Peb: 7ffd9000  ParentCid: 0448
    DirBase: 08040320  ObjectTable: e21ec500  HandleCount: 146.
    Image: wuauclt.exe
PROCESS 828509f8  SessionId: 0  Cid: 0174    Peb: 7ffdc000  ParentCid: 0594
    DirBase: 080402a0  ObjectTable: 00000000  HandleCount:   0.
    Image: md5.exe
PROCESS 82161020  SessionId: 0  Cid: 0194    Peb: 7ffdc000  ParentCid: 0594
    DirBase: 08040200  ObjectTable: e21bb870  HandleCount: 319.
    Image: procexp.exe
PROCESS 8217bda0  SessionId: 0  Cid: 0570    Peb: 7ffdf000  ParentCid: 0594
    DirBase: 08040360  ObjectTable: e21a5520  HandleCount:  49.
    Image: cmd.exe
PROCESS 827f48b0  SessionId: 0  Cid: 07dc    Peb: 7ffde000  ParentCid: 0594
    DirBase: 08040380  ObjectTable: e27dabc0  HandleCount:  72.
    Image: Filemon.exe
PROCESS 821ba240  SessionId: 0  Cid: 0328    Peb: 7ffdf000  ParentCid: 0594
    DirBase: 08040260  ObjectTable: e1fd9008  HandleCount:  49.
    Image: cmd.exe
PROCESS 82569668  SessionId: 0  Cid: 0400    Peb: 7ffda000  ParentCid: 01cc
    DirBase: 08040420  ObjectTable: e27ea8a8  HandleCount:  51.
    Image: notepad.exe
PROCESS 821e9270  SessionId: 0  Cid: 0330    Peb: 7ffde000  ParentCid: 00d0
    DirBase: 080403a0  ObjectTable: 00000000  HandleCount:   0.
    Image: dikyufy.exe
PROCESS 8215f4c8  SessionId: 0  Cid: 0728    Peb: 7ffde000  ParentCid: 0594
    DirBase: 080404a0  ObjectTable: e1254b88  HandleCount: 115.
    Image: vmmap.exe

For explorer.exe


PROCESS 827f9020  SessionId: 0  Cid: 0594    Peb: 7ffda000  ParentCid: 056c
    DirBase: 080401c0  ObjectTable: e1893ed8  HandleCount: 817.
    Image: explorer.exe

To see details of explorer.exe the following command can be executed:


!process 827f9020 1f

kd> !process 827f9020 1f
PROCESS 827f9020  SessionId: 0  Cid: 0594    Peb: 7ffda000  ParentCid: 056c
    DirBase: 080401c0  ObjectTable: e1893ed8  HandleCount: 840.
    Image: explorer.exe
    VadRoot 828c6ed0 Vads 453 Clone 0 Private 4113. Modified 300223. Locked 0.
    DeviceMap e1cba0b0
    Token                             e1f32940
    ElapsedTime                       79 Days 20:15:11.781
    UserTime                          00:00:35.453
    KernelTime                        00:01:39.687
    QuotaPoolUsage[PagedPool]         160060
    QuotaPoolUsage[NonPagedPool]      52216
    Working Set Sizes (now,min,max)  (3723, 50, 345) (14892KB, 200KB, 1380KB)
    PeakWorkingSetSize                11379
    VirtualSize                       96 Mb
    PeakVirtualSize                   126 Mb
    PageFaultCount                    156083
    MemoryPriority                    BACKGROUND
    BasePriority                      8
    CommitCharge                      5551
        THREAD 823e83f0  Cid 0594.0598  Teb: 7ffdf000 Win32Thread: e1d9b2d8 WAIT: (WrUserRequest) UserMode 

Non-Alertable
            826fee88  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      5674                 LargeStack
        UserTime                  00:00:00.078
        KernelTime                00:00:01.000
        Win32 Start Address Explorer!ModuleEntry (0x0101e24e)
        Start Address kernel32!BaseProcessStartThunk (0x7c810867)
        Stack Init f80d7000 Current f80d6cb0 Base f80d7000 Limit f80d1000 Call 0
        Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        f80d6cc8 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        f80d6cd4 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
        f80d6cfc bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        f80d6d5c 8053c808 0xbf802ec4
        f80d6d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ f80d6d4c)
        8053c804 0d8be58b 0x3b
        8053c808 ffdff124 0xd8be58b
        8053c80c 893c558b 0xffdff124
        8053c810 00013491 0x893c558b
        8053c814 45f7fa00 0x13491
        8053c818 02000070 0x45f7fa00
        8053c81c f6067500 0x2000070
        8053c820 74016c45 0xf6067500
        8053c824 241d8b57 0x74016c45
        8053c828 c6ffdff1 0x241d8b57
        8053c82c 80002e43 0xc6ffdff1
        8053c830 74004a7b 0x80002e43
        8053c834 89dd8b47 0x74004a7b
        8053c838 43c74443 0x89dd8b47
        8053c83c 00000000 0x43c74443
        THREAD 826fdb88  Cid 0594.05b0  Teb: 7ffdc000 Win32Thread: e195f8b8 WAIT: (WrUserRequest) UserMode 

Non-Alertable
            82451220  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696780         Ticks: 13 (0:00:00:00.203)
        Context Switch Count      134374                 LargeStack
        UserTime                  00:00:01.359
        KernelTime                00:00:12.546
        Win32 Start Address SHLWAPI!WrapperThreadProc (0x77f7f56f)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b29a9000 Current b29a8cb0 Base b29a9000 Limit b29a3000 Call 0
        Priority 11 BasePriority 9 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b29a8cc8 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b29a8cd4 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b29a8cfc bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b29a8d5c 8053c808 0xbf802ec4
        b29a8d5c 0000003b nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b29a8d4c)
        8053c804 0d8be58b 0x3b
        8053c808 ffdff124 0xd8be58b
        8053c80c 893c558b 0xffdff124
        8053c810 00013491 0x893c558b
        8053c814 45f7fa00 0x13491
        8053c818 02000070 0x45f7fa00
        8053c81c f6067500 0x2000070
        8053c820 74016c45 0xf6067500
        8053c824 241d8b57 0x74016c45
        8053c828 c6ffdff1 0x241d8b57
        8053c82c 80002e43 0xc6ffdff1
        8053c830 74004a7b 0x80002e43
        8053c834 89dd8b47 0x74004a7b
        8053c838 43c74443 0x89dd8b47
        8053c83c 00000000 0x43c74443
        THREAD 82453680  Cid 0594.05b8  Teb: 7ffdb000 Win32Thread: 00000000 WAIT: (DelayExecution) UserMode 

Alertable
            82453770  NotificationTimer
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      193             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.015
        Win32 Start Address ntdll!RtlpTimerThread (0x7c92798d)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b29ed000 Current b29eccbc Base b29ed000 Limit b29ea000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b29eccd4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b29ecce0 804f93fb nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b29ecd0c 8060b2f5 nt!KeDelayExecutionThread+0x1c9 (FPO: [Non-Fpo])
        b29ecd54 8053c808 nt!NtDelayExecution+0x87 (FPO: [Non-Fpo])
        b29ecd54 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b29ecd64)
        00fbff98 7c90d85c ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        00fbff9c 7c9279d4 ntdll!NtDelayExecution+0xc (FPO: [2,0,0])
        00fbffb4 7c80b50b ntdll!RtlpTimerThread+0x47 (FPO: [Non-Fpo])
        00fbffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 826f6670  Cid 0594.05c0  Teb: 7ffd8000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode 

Alertable
            822dd9e0  NotificationTimer
            82453a18  SynchronizationEvent
            826f0708  NotificationEvent
            82498508  NotificationEvent
            82810860  SynchronizationEvent
            828ba380  SynchronizationEvent
            821b12c8  SynchronizationEvent
            8227a608  SynchronizationEvent
            820e2608  SynchronizationEvent
            821ec1b0  SynchronizationEvent
            821ed7c0  SynchronizationEvent
            82164698  SynchronizationEvent
            82481708  SynchronizationEvent
            825d2c40  SynchronizationEvent
            8278cfc8  SynchronizationEvent
            828a7638  SynchronizationEvent
            821583c8  SynchronizationEvent
            822ea740  SynchronizationEvent
            823bac58  SynchronizationEvent
            8265fe30  SynchronizationEvent
            829e1514  NotificationEvent
            82518fc0  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      18             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address ntdll!RtlpWaitThread (0x7c929fae)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b29e1000 Current b29e095c Base b29e1000 Limit b29de000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        b29e0974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b29e0980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b29e09b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b29e0d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b29e0d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b29e0d64)
        0113fce8 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0113fcec 7c92a0d5 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0113ffb4 7c80b50b ntdll!RtlpWaitThread+0x13d (FPO: [Non-Fpo])
        0113ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 827456b8  Cid 0594.0614  Teb: 7ffd7000 Win32Thread: e1fa7eb0 WAIT: (UserRequest) UserMode 

Alertable
            8218a7cc  NotificationEvent
            821abb74  NotificationEvent
            825d8084  NotificationEvent
            825cf5a4  NotificationEvent
            82741f7c  NotificationEvent
            8263025c  NotificationEvent
            824a8b54  NotificationEvent
            8266ae0c  NotificationEvent
            8268d7c4  NotificationEvent
            822ae084  NotificationEvent
            823ae25c  NotificationEvent
            8282497c  NotificationEvent
            82450084  NotificationEvent
            828aa3e4  NotificationEvent
            82456ef0  SynchronizationEvent
        IRP List:
            82205190: (0006,01b4) Flags: 00000000  Mdl: 00000000
            821d73d0: (0006,01b4) Flags: 00000000  Mdl: 00000000
            8250b008: (0006,01b4) Flags: 00000000  Mdl: 00000000
            823a8e48: (0006,01b4) Flags: 00000000  Mdl: 00000000
            823b4860: (0006,01b4) Flags: 00000000  Mdl: 00000000
            822ad400: (0006,01b4) Flags: 00000000  Mdl: 00000000
            823d6368: (0006,01b4) Flags: 00000000  Mdl: 00000000
            8284c3a0: (0006,01b4) Flags: 00000000  Mdl: 00000000
            821ee450: (0006,01b4) Flags: 00000000  Mdl: 00000000
            82209910: (0006,0190) Flags: 00000000  Mdl: 00000000
            824b3008: (0006,0190) Flags: 00000000  Mdl: 00000000
            823e0008: (0006,0190) Flags: 00000000  Mdl: 00000000
            8291c6c8: (0006,0190) Flags: 00000000  Mdl: 00000000
            827ef008: (0006,0190) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      20457                 LargeStack
        UserTime                  00:00:00.078
        KernelTime                00:00:00.718
        Win32 Start Address SHLWAPI!WrapperThreadProc (0x77f7f56f)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b2989000 Current b298895c Base b2989000 Limit b2985000 Call 0
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b2988974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2988980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b29889b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b2988d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b2988d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2988d64)
        011bfd2c 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        011bfd30 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        011bfdcc 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        011bfe28 7c9f43d9 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        011bff4c 7ca3114e SHELL32!CChangeNotify::_MessagePump+0x3b (FPO: [Non-Fpo])
        011bff50 77f7f5de SHELL32!CChangeNotify::ThreadProc+0x1e (FPO: [1,0,0])
        011bffb4 7c80b50b SHLWAPI!WrapperThreadProc+0x94 (FPO: [Non-Fpo])
        011bffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 827eada8  Cid 0594.06f4  Teb: 7ffac000 Win32Thread: e1c436a8 WAIT: (WrUserRequest) UserMode 

Non-Alertable
            82491ff0  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      105062                 LargeStack
        UserTime                  00:00:00.234
        KernelTime                00:00:04.703
        Win32 Start Address stobject!CSysTray::SysTrayThreadProc (0x762836f7)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b286e000 Current b286dc20 Base b286e000 Limit b286a000 Call 0
        Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        b286dc38 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b286dc44 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b286dc6c bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b286dd4c 8053c808 0xbf802ec4
        b286dd4c 014efd68 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b286dcec)
        b286dd64 00000000 0x14efd68
        THREAD 823f5da8  Cid 0594.071c  Teb: 7ffab000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode 

Non-Alertable
            823c88f8  SynchronizationEvent
            828f06e8  NotificationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      3             
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address wdmaud!MixerCallbackThread (0x72d230e8)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b28d1000 Current b28d095c Base b28d1000 Limit b28ce000 Call 0
        Priority 15 BasePriority 15 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        b28d0974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b28d0980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b28d09b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b28d0d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b28d0d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b28d0d64)
        0152fecc 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0152fed0 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0152ff6c 7c809c86 kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        0152ff88 72d2312a kernel32!WaitForMultipleObjects+0x18 (FPO: [Non-Fpo])
        0152ffb4 7c80b50b wdmaud!MixerCallbackThread+0x42 (FPO: [Non-Fpo])
        0152ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 8245dda8  Cid 0594.0738  Teb: 7ffae000 Win32Thread: e1917078 WAIT: (WrUserRequest) UserMode 

Non-Alertable
            82904680  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696150         Ticks: 643 (0:00:00:10.046)
        Context Switch Count      895                 LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:01.062
        Win32 Start Address WINMM!mciwindow (0x76b44dd6)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b2b81000 Current b2b80c20 Base b2b81000 Limit b2b7e000 Call 0
        Priority 12 BasePriority 10 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b2b80c38 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2b80c44 804f99be nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2b80c6c bf802ec4 nt!KeWaitForSingleObject+0x1c2 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b2b80d4c 8053c808 0xbf802ec4
        b2b80d4c 0166ff98 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame-EDITED @ b2b80cec)
        b2b80d64 00000000 0x166ff98
        THREAD 823cc520  Cid 0594.074c  Teb: 7ffaa000 Win32Thread: e2079418 WAIT: (UserRequest) UserMode 

Non-Alertable
            827ec190  SynchronizationEvent
            822d2810  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      14411                 LargeStack
        UserTime                  00:00:06.031
        KernelTime                00:00:14.203
        Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b2a70c80 Current b2a705dc Base b2a71000 Limit b2a6d000 Call b2a70c80
        Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        b2a705f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2a70600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2a70638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b2a709c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b2a709c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a709e4)
        016afb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        016afb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        016afbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        016afc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        016afc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])
        016afc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])
        016afc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])
        016afcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])
        016afcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        b2a70c98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])
        b2a70cf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b2a70d5c 8053c808 0xbf92a862
        b2a70d5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a70d64)
        016afcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        016afcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        016aff28 75faea19 USER32!NtUserWaitMessage+0xc
        016affb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])
        016affec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 824cbc28  Cid 0594.077c  Teb: 7ffa9000 Win32Thread: e1c12008 WAIT: (UserRequest) UserMode 

Non-Alertable
            824967c8  SynchronizationEvent
            82477238  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      29                 LargeStack
        UserTime                  00:00:00.015
        KernelTime                00:00:00.000
        Win32 Start Address msvcrt!_endthreadex (0x77c3a341)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b262c000 Current b262b95c Base b262c000 Limit b2629000 Call 0
        Priority 11 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        b262b974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b262b980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b262b9b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b262bd48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b262bd48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b262bd64)
        0199fdbc 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0199fdc0 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0199fe5c 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        0199feb8 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        0199fed8 6c1e4ddc DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])
        0199ff0c 6c1de394 DUSER!CoreSC::xwProcessNL+0xab (FPO: [Non-Fpo])
        0199ff2c 6c1da6f1 DUSER!GetMessageExA+0x44 (FPO: [Non-Fpo])
        0199ff80 77c3a3b0 DUSER!ResourceManager::SharedThreadProc+0xb6 (FPO: [Non-Fpo])
        0199ffb4 7c80b50b msvcrt!_endthreadex+0xa9 (FPO: [Non-Fpo])
        0199ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 825c82d0  Cid 0594.0538  Teb: 7ffaf000 Win32Thread: e3306d28 WAIT: (UserRequest) UserMode 

Non-Alertable
            82515b00  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      1185                 LargeStack
        UserTime                  00:00:00.078
        KernelTime                00:00:00.390
        Win32 Start Address ntdll!RtlpWorkerThread (0x7c910760)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b2a61000 Current b2a6095c Base b2a61000 Limit b2a5e000 Call 0
        Priority 9 BasePriority 7 PriorityDecrement 0 DecrementCount 0
        ChildEBP RetAddr  
        b2a60974 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2a60980 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2a609b8 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b2a60d48 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b2a60d48 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2a60d64)
        0142fd60 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0142fd64 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0142fe00 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        0142fe5c 77d4bcad USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        0142fe78 75f843c1 USER32!MsgWaitForMultipleObjects+0x1f (FPO: [Non-Fpo])
        0142fed0 75f84871 BROWSEUI!CACThread::_ThreadLoop+0xd4 (FPO: [Non-Fpo])
        0142fee0 77f68ea5 BROWSEUI!CACThread::_ThreadProc+0x1c (FPO: [Non-Fpo])
        0142fef8 7c927545 SHLWAPI!ExecuteWorkItem+0x1d (FPO: [Non-Fpo])
        0142ff40 7c927583 ntdll!RtlpWorkerCallout+0x70 (FPO: [Non-Fpo])
        0142ff60 7c927645 ntdll!RtlpExecuteWorkerRequest+0x1a (FPO: [Non-Fpo])
        0142ff74 7c92761c ntdll!RtlpApcCallout+0x11 (FPO: [Non-Fpo])
        0142ffb4 7c80b50b ntdll!RtlpWorkerThread+0x87 (FPO: [Non-Fpo])
        0142ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 821e5020  Cid 0594.038c  Teb: 7ffd9000 Win32Thread: e35f88a0 WAIT: (UserRequest) UserMode 

Non-Alertable
            8218f960  SynchronizationEvent
            828d4690  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      6516                 LargeStack
        UserTime                  00:00:03.718
        KernelTime                00:00:08.625
        Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b2b70c80 Current b2b705dc Base b2b71000 Limit b2b6b000 Call b2b70c80
        Priority 12 BasePriority 8 PriorityDecrement 2 DecrementCount 16
        ChildEBP RetAddr  
        b2b705f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b2b70600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b2b70638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b2b709c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b2b709c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2b709e4)
        00f3fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        00f3fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        00f3fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        00f3fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        00f3fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])
        00f3fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])
        00f3fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])
        00f3fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])
        00f3fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        b2b70c98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])
        b2b70cf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b2b70d5c 8053c808 0xbf92a862
        b2b70d5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b2b70d64)
        00f3fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        00f3fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        00f3ff28 75faea19 USER32!NtUserWaitMessage+0xc
        00f3ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])
        00f3ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 821bd020  Cid 0594.0214  Teb: 7ffa5000 Win32Thread: e2cbaa28 WAIT: (UserRequest) UserMode 

Non-Alertable
            826b6870  SynchronizationEvent
            82868198  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      4265                 LargeStack
        UserTime                  00:00:01.875
        KernelTime                00:00:03.203
        Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b1f4ac80 Current b1f4a5dc Base b1f4b000 Limit b1f47000 Call b1f4ac80
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b1f4a5f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b1f4a600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b1f4a638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b1f4a9c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b1f4a9c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f4a9e4)
        0239fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0239fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0239fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        0239fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        0239fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])
        0239fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])
        0239fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])
        0239fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])
        0239fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        b1f4ac98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])
        b1f4acf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b1f4ad5c 8053c808 0xbf92a862
        b1f4ad5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f4ad64)
        0239fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0239fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        0239ff28 75faea19 USER32!NtUserWaitMessage+0xc
        0239ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])
        0239ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 821b4788  Cid 0594.07d0  Teb: 7ffa6000 Win32Thread: e32efc00 WAIT: (UserRequest) UserMode 

Non-Alertable
            824bf510  SynchronizationEvent
            8211b150  SynchronizationEvent
        IRP List:
            82829d38: (0006,01b4) Flags: 00000000  Mdl: 00000000
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696274         Ticks: 519 (0:00:00:08.109)
        Context Switch Count      14267                 LargeStack
        UserTime                  00:00:06.234
        KernelTime                00:00:13.843
        Win32 Start Address BROWSEUI!BrowserProtectedThreadProc (0x75fae9d5)
        Start Address kernel32!BaseThreadStartThunk (0x7c810856)
        Stack Init b1f2ac80 Current b1f2a5dc Base b1f2b000 Limit b1f25000 Call b1f2ac80
        Priority 10 BasePriority 8 PriorityDecrement 0 DecrementCount 16
        ChildEBP RetAddr  
        b1f2a5f4 8050017a nt!KiSwapContext+0x2e (FPO: [Uses EBP] [0,0,4])
        b1f2a600 804f973e nt!KiSwapThread+0x46 (FPO: [0,0,0])
        b1f2a638 805b4d6a nt!KeWaitForMultipleObjects+0x284 (FPO: [Non-Fpo])
        b1f2a9c8 8053c808 nt!NtWaitForMultipleObjects+0x2a2 (FPO: [Non-Fpo])
        b1f2a9c8 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f2a9e4)
        0219fb48 7c90e9ab ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0219fb4c 7c8094f2 ntdll!ZwWaitForMultipleObjects+0xc (FPO: [5,0,0])
        0219fbe8 77d4bbfe kernel32!WaitForMultipleObjectsEx+0x12c (FPO: [Non-Fpo])
        0219fc44 6c1e4b92 USER32!RealMsgWaitForMultipleObjectsEx+0x13e (FPO: [Non-Fpo])
        0219fc64 6c1e4cfd DUSER!CoreSC::Wait+0x3a (FPO: [Non-Fpo])
        0219fc88 6c1e4ef9 DUSER!CoreSC::WaitMessage+0x40 (FPO: [Non-Fpo])
        0219fc98 77d88a2c DUSER!MphWaitMessageEx+0x22 (FPO: [Non-Fpo])
        0219fcb4 7c90eae3 USER32!__ClientWaitMessageExMPH+0x1e (FPO: [Non-Fpo])
        0219fcb4 804feb6c ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        b1f2ac98 80595bbf nt!KiCallUserMode+0x4 (FPO: [2,3,4])
        b1f2acf4 bf92a862 nt!KeUserModeCallback+0x87 (FPO: [Non-Fpo])
WARNING: Frame IP not in any known module. Following frames may be wrong.
        b1f2ad5c 8053c808 0xbf92a862
        b1f2ad5c 7c90eb94 nt!KiFastCallEntry+0xf8 (FPO: [0,0] TrapFrame @ b1f2ad64)
        0219fcb4 7c90eae3 ntdll!KiFastSystemCallRet (FPO: [0,0,0])
        0219fcc8 77d493f5 ntdll!KiUserCallbackDispatcher+0x13 (FPO: [0,0,0])
        0219ff28 75faea19 USER32!NtUserWaitMessage+0xc
        0219ffb4 7c80b50b BROWSEUI!BrowserProtectedThreadProc+0x44 (FPO: [Non-Fpo])
        0219ffec 00000000 kernel32!BaseThreadStart+0x37 (FPO: [Non-Fpo])
        THREAD 8222eba0  Cid 0594.0218  Teb: 7ffd5000 Win32Thread: e166b8c0 WAIT: (UserRequest) UserMode 

Non-Alertable
           

Here are few of the thread’s base addree from list


        THREAD 828f02a0  Cid 0594.06d4  Teb: 7ffa8000 Win32Thread: 00000000 WAIT: (UserRequest) UserMode

Non-Alertable
            827acd28  NotificationEvent
            823a7220  SynchronizationEvent
        Not impersonating
        DeviceMap                 e1cba0b0
        Owning Process            827f9020       Image:         explorer.exe
        Attached Process          N/A            Image:         N/A
        Wait Start TickCount      696151         Ticks: 642 (0:00:00:10.031)
        Context Switch Count      17            
        UserTime                  00:00:00.000
        KernelTime                00:00:00.000
        Win32 Start Address 0x02476cf6

 

If you see the address 0x02476cf6 (02470000)  for exploere.exe in VMMAP  tool you can see the the address lies in a  data region and has execute permission which raises the suspicion.

image

 

So we need to check address ranges of different threads base address.

There can be lots of easier and accurate ways. This is one of the ways I make out.

References:

http://blogs.technet.com/b/markrussinovich/archive/2011/03/30/3416253.aspx

http://reconstructer.org/papers/Hunting%20malware%20with%20Volatility%20v2.0.pdf