volatility3
pebmasquerade plugin
Hello, trying my way around OS internals & memory :P
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.pebmasquerade | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
[
{
"EPROCESS_ImageFileName": "powershell_ise",
"EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
"Notes": "['Potential PEB.ImageFilePath Spoofing: EPROCESS=powershell_ise;PEB=explorer.exe', 'Potential PEB.CommandLine Spoofing: EPROCESS=powershell_ise;PEB=explorer.exe', 'Potential PEB.ImageFilePath Spoofing (via _EPROCESS.SeAuditProcessCreationInfo): EPROCESS=windows/system32/windowspowershell/v1.0/powershell_ise.exe;PEB=windows/explorer.exe']",
"PEB_CommandLine_Path": "C:\\Windows\\explorer.exe",
"PEB_ImageFilePath": "C:\\Windows\\explorer.exe",
"PID": 11096,
"ProcessName": "powershell_ise",
"__children": []
},
{
"EPROCESS_ImageFileName": "peb_masquerade",
"EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Users\\Robot\\Dev\\peb_masquerade.exe",
"Notes": "['Potential PEB.ImageFilePath Spoofing: EPROCESS=peb_masquerade;PEB=notepad.exe', 'Potential PEB.CommandLine Spoofing: EPROCESS=peb_masquerade;PEB=notepad.exe', 'Potential PEB.ImageFilePath Spoofing (via _EPROCESS.SeAuditProcessCreationInfo): EPROCESS=users/robot/dev/peb_masquerade.exe;PEB=windows/system32/notepad.exe']",
"PEB_CommandLine_Path": "C:\\windows\\system32\\notepad.exe",
"PEB_ImageFilePath": "C:\\windows\\system32\\notepad.exe",
"PID": 12372,
"ProcessName": "peb_masquerade",
"__children": []
}
]
Added _UNICODE_STRING length checks. ProcessParameters.CommandLine introduced 2 "false positives" in my test:
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.pebmasquerade | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
warnings.warn(
Progress: 100.00 PDB scanning finished
[
{
"EPROCESS_ImageFileName": "WmiPrvSE.exe",
"EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
"Notes": "['PEB.CommandLine Length Mismatch: Commandline=C:\\Windows\\system32\\wbem\\wmiprvse.exe, Length=48, MaximumLength=48, Actual=37']",
"PEB_CommandLine_Path": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"PEB_ImageFilePath": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
"PID": 2640,
"ProcessName": "WmiPrvSE.exe",
"__children": []
},
{
"EPROCESS_ImageFileName": "audiodg.exe",
"EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\audiodg.exe",
"Notes": "['PEB.CommandLine Length Mismatch: Commandline=C:\\Windows\\system32\\AUDIODG.EXE 0x540, Length=43, MaximumLength=43, Actual=37']",
"PEB_CommandLine_Path": "C:\\Windows\\system32\\AUDIODG.EXE",
"PEB_ImageFilePath": "C:\\Windows\\system32\\AUDIODG.EXE",
"PID": 11384,
"ProcessName": "audiodg.exe",
"__children": []
}
]
Removed the Notes column and the path extracted from cmdline, and added 2 boolean columns for the length checks.
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.malware.pebmasquerade --pid 12372
Volatility 3 Framework 2.26.2
Progress: 100.00 PDB scanning finished
[
{
"EPROCESS_ImageFileName": "peb_masquerade",
"EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Users\\Robot\\Dev\\peb_masquerade.exe",
"PEB_CommandLine_Spoofed": true,
"PEB_ImageFilePath": "C:\\windows\\system32\\notepad.exe",
"PEB_ImageFilePath_Spoofed": true,
"PID": 12372,
"__children": []
}
]
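As an added example (not the plugin's code and not part of this PR), a stand-alone Python sketch of the comparison the Notes above describe: bring the kernel-side paths (_EPROCESS.ImageFileName, SeAuditProcessCreationInfo) and the user-mode PEB paths to one normalized form and flag any disagreement, plus a _UNICODE_STRING consistency check that treats Length as a UTF-16 byte count. Function names, the normalization rules and the sample inputs are assumptions reconstructed from the output shown on this page.

```python
import re

# Prefixes seen on the page: \Device\HarddiskVolumeN\ (SeAuditProcessCreationInfo) and C:\ (PEB).
_DEVICE_PREFIX = re.compile(r"^\\device\\harddiskvolume\d+\\", re.IGNORECASE)
_DRIVE_PREFIX = re.compile(r"^[a-z]:\\", re.IGNORECASE)

def normalize_path(path: str) -> str:
    """Strip the device or drive prefix, lowercase, use forward slashes: 'windows/explorer.exe'."""
    path = _DRIVE_PREFIX.sub("", _DEVICE_PREFIX.sub("", path))
    return path.lower().replace("\\", "/")

def exe_from_cmdline(cmdline: str) -> str:
    """Executable path from a command line: the quoted token, else the first whitespace token."""
    s = cmdline.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        return s[1:end] if end > 0 else s[1:]
    return s.split(None, 1)[0] if s else ""

def unicode_string_consistent(length: int, maximum_length: int, text: str) -> bool:
    """_UNICODE_STRING.Length counts UTF-16 bytes: even, <= MaximumLength, equal to 2 * chars read."""
    return length % 2 == 0 and length <= maximum_length and length == 2 * len(text)

def basename(path: str) -> str:
    return path.rsplit("/", 1)[-1]

def check_process(eprocess_name: str, seaudit_path: str, peb_image_path: str, peb_cmdline: str) -> list[str]:
    """Compare the kernel-owned EPROCESS view with the user-writable PEB view; return spoofing notes."""
    notes = []
    eproc_path, peb_img = normalize_path(seaudit_path), normalize_path(peb_image_path)
    peb_cmd = normalize_path(exe_from_cmdline(peb_cmdline))
    name = eprocess_name.lower()
    # _EPROCESS.ImageFileName holds at most 15 characters, so match it as a prefix of the PEB basename.
    if not basename(peb_img).startswith(name):
        notes.append(f"Potential PEB.ImageFilePath Spoofing: EPROCESS={eprocess_name};PEB={basename(peb_img)}")
    if not basename(peb_cmd).startswith(name):
        notes.append(f"Potential PEB.CommandLine Spoofing: EPROCESS={eprocess_name};PEB={basename(peb_cmd)}")
    if eproc_path != peb_img:
        notes.append("Potential PEB.ImageFilePath Spoofing (via _EPROCESS.SeAuditProcessCreationInfo): "
                     f"EPROCESS={eproc_path};PEB={peb_img}")
    return notes

if __name__ == "__main__":
    # Constructed from the values shown on the page (PID 12372 and the benign WmiPrvSE.exe).
    print(check_process("peb_masquerade", r"\Device\HarddiskVolume3\Users\Robot\Dev\peb_masquerade.exe",
                        r"C:\windows\system32\notepad.exe", r"C:\windows\system32\notepad.exe"))
    print(check_process("WmiPrvSE.exe", r"\Device\HarddiskVolume3\Windows\System32\wbem\WmiPrvSE.exe",
                        r"C:\Windows\system32\wbem\wmiprvse.exe", r"C:\Windows\system32\wbem\wmiprvse.exe"))
```

The WmiPrvSE.exe case returns no notes once Length is checked as a byte count, which is the point at which the two length "false positives" above would need re-examining.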