volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard
verified publisher icon volatilityfoundation

Prototype generic process functions

Open eve-mem opened this issue 2 years ago • 9 comments

Hello,

This draft PR is to add some experimental features to provide a generic way of getting basic information from processes regardless of operating system. The idea was discussed in the comments of this issue: https://github.com/volatilityfoundation/volatility3/issues/981

The idea being to provide a set of functions that can be used in plugins to make them easier to make (or volshell), and be consistent across the different operating systems so it's easier to switch between them.

It is very basic, just adding the following functions. Mostly just be shifting code out of various pslist plugins to the extensions so they can used from anywhere.

Function Windows Linux Mac
get_pid 🟢 🟢 🟢
get_parent_pid 🟢 🟢 🟢
get_name 🟢 🟢 🟢
get_create_time 🔴 🟢
get_exit_time 🔴 🔴

(This is what I mean with the colours if it's not clear - 🟢: Added in this PR, ⚫: Function already existed, 🔴: Not added in this PR)

It was interesting to work on this. I noticed after that the linux module class also inherits from GenericIntelProcess and already has a get_name function.

Also that the windows EPROCESS already had the get_create_time and get_exit_time functions so I used those names in the generic part.

I've then modified the pslist plugins for windows/linux/mac to show how this could be used. If this is useful I'm happy to modify the existing plugins to use this, it shouldn't affect how they work - but might make them easier to read.

I'm not sure if this is the best (or even a good) way of doing this - so I'd be very interested in your thoughts.

Thanks!

eve-mem avatar Sep 04 '23 06:09 eve-mem

@ikelos - I'd love your thoughts on this. The idea to have a simple to use way to get key information about a process for plugins. That way there can be a central way to do these lookups within plugins so that they're consistent and if an update needs to be done it only needs to happen in one place. It could be bulked out to include extra bits for a process like getting memory regions etc.

It should hopefully mean that we'd be able to make non-OS specific plugins - assuming it's done in the right way. Given it's above intel process that might be a good place for it given the arm work at the moment?

Thanks again.

eve-mem avatar Apr 30 '24 05:04 eve-mem