From ef4f16ebbd13edab1594f0658f3422041a212f7b Mon Sep 17 00:00:00 2001 From: Odysseas Stavrou Date: Wed, 4 Dec 2024 22:57:01 +0200 Subject: [PATCH 1/3] windows.Volshell: Add method to retrieve EPROCESS based on pid --- doc/source/volshell.rst | 7 +++++++ volatility3/cli/volshell/windows.py | 10 ++++++++++ 2 files changed, 17 insertions(+) diff --git a/doc/source/volshell.rst b/doc/source/volshell.rst index 5a4b21adeb..9c773f1c62 100644 --- a/doc/source/volshell.rst +++ b/doc/source/volshell.rst @@ -61,6 +61,13 @@ python environment, we can do the following: (layer_name) >>> proc +Alternatively, given a PID of a process we can grab and assign the data using the `gp()` (`get_process`) function as so: + +:: + (layer_name) >>> proc = gp(736) + (layer_name) >>> proc + + When printing a volatility structure, various information is output, in this case the `type_name`, the `layer` and `offset` that it's been constructed on, and the size of the structure. diff --git a/volatility3/cli/volshell/windows.py b/volatility3/cli/volshell/windows.py index 5c2190c027..81b22a877c 100644 --- a/volatility3/cli/volshell/windows.py +++ b/volatility3/cli/volshell/windows.py @@ -43,12 +43,22 @@ def list_processes(self): self.context, self.current_layer, self.current_symbol_table ) ) + + def get_process(self, pid): + """Returns the EPROCESS object that matches the pid""" + processes = self.list_processes() + for process in processes: + if process.UniqueProcessId == pid: + return process + print(f"No process with process ID {pid} found") + return None def construct_locals(self) -> List[Tuple[List[str], Any]]: result = super().construct_locals() result += [ (["cp", "change_process"], self.change_process), (["lp", "list_processes", "ps"], self.list_processes), + (["gp", "get_process"], self.get_process), (["symbols"], self.context.symbol_space[self.current_symbol_table]), ] if self.config.get("pid", None) is not None: From 90d4a0194d2cf8ee3134b74a88162927d8513854 Mon Sep 17 00:00:00 2001 
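Review bot: `get_process` returns the first entry of `list_processes()` whose `UniqueProcessId` equals `pid` and silently ignores any further match, so a caller cannot tell that the lookup was ambiguous; the same first-match shape appears in `get_task` in the later linux.py hunk. Unless `list_processes()` is guaranteed to yield each id at most once (not visible here; a non-atomic acquisition could leave stale entries), I would either collect the matches and print a warning when more than one is found, or at least state the behaviour in the docstring, e.g. `"""Return the first _EPROCESS from list_processes() whose UniqueProcessId equals pid, or None (after printing a message) if no such process is listed."""`. For a forensic shell the same docstring should say that a process not reachable by the walk `list_processes()` performs is reported as not found rather than proven absent. The lookup also appears to duplicate what `change_process` (outside the hunk) does; having `change_process` call `get_process` would keep the two in step. The enclosing class header and the rest of `construct_locals` are outside the hunk.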
From: Odysseas Stavrou Date: Thu, 5 Dec 2024 04:40:01 +0200 Subject: [PATCH 2/3] linux.Volshell: Update pslist version requirements --- volatility3/cli/volshell/linux.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/volatility3/cli/volshell/linux.py b/volatility3/cli/volshell/linux.py index c5e555ec7d..b197ab66fc 100644 --- a/volatility3/cli/volshell/linux.py +++ b/volatility3/cli/volshell/linux.py @@ -20,7 +20,7 @@ def get_requirements(cls): name="kernel", description="Linux kernel module" ), requirements.PluginRequirement( - name="pslist", plugin=pslist.PsList, version=(2, 0, 0) + name="pslist", plugin=pslist.PsList, version=(3, 0, 0) ), requirements.IntRequirement( name="pid", description="Process ID", optional=True From eed98016310a48504254fc8e94c9a9a50525fc3b Mon Sep 17 00:00:00 2001 From: Odysseas Stavrou Date: Thu, 5 Dec 2024 05:24:48 +0200 Subject: [PATCH 3/3] linux.Volshell: Add method to retrieve Task based on pid --- volatility3/cli/volshell/linux.py | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/volatility3/cli/volshell/linux.py b/volatility3/cli/volshell/linux.py index b197ab66fc..152fc9588b 100644 --- a/volatility3/cli/volshell/linux.py +++ b/volatility3/cli/volshell/linux.py @@ -40,6 +40,14 @@ def change_task(self, pid=None): return None print(f"No task with task ID {pid} found") + def get_task(self, pid): + """Get Task based on a process ID. Does not retrieve the layer, to change layer use the .pid attribute""" + tasks = self.list_tasks() + for task in tasks: + if task.pid == pid: + return task + print(f"No task with task ID {pid} found") + def list_tasks(self): """Returns a list of task objects from the primary layer""" # We always use the main kernel memory and associated symbols 
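Review bot: `get_task` falls off the end after the not-found message, while the parallel `get_process` in windows.py ends with an explicit `return None`; the value is the same, but an explicit `return None` after the `print` keeps the two shells consistent and makes the miss path visible to a reader. The docstring's second sentence, "to change layer use the .pid attribute", does not say what the reader should actually do — presumably the intent is to pass `task.pid` to `change_task`/`ct`, and writing it that way, e.g. `"""Return the task_struct from list_tasks() whose pid equals pid, or None if none is listed; the current layer is not changed, use change_task(task.pid) for that."""`, removes the ambiguity. The loop also mirrors the lookup that `change_task` just above seems to perform (its body is partly outside the hunk), so `change_task` could be built on `get_task` rather than repeating it. The enclosing class starts outside the hunk.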
@@ -50,6 +58,7 @@ def construct_locals(self) -> List[Tuple[List[str], Any]]: result += [ (["ct", "change_task", "cp"], self.change_task), (["lt", "list_tasks", "ps"], self.list_tasks), + (["gp", "get_task"], self.get_task), (["symbols"], self.context.symbol_space[self.current_symbol_table]), ] if self.config.get("pid", None) is not None:
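Review bot: The new alias line registers `get_task` only under `gp`/`get_task`, whereas the neighbouring entries give each Linux command its own short form plus the Windows-compatible one (`ct`/`cp`, `lt`/`ps`); adding `gt` keeps that convention, `(["gt", "get_task", "gp"], self.get_task),`. `construct_locals` continues past the end of the hunk.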