PSParent Plugin Volatility 3
PSParent is a custom plugin for the Volatility 3 memory forensics framework.
It performs dynamic parent-child process relationship validation, using built-in Windows behavioral rules to identify process hierarchy anomalies that may indicate process injection, PPID spoofing, or other malicious tampering.
Overview
The plugin analyzes parent-child process relationships by examining:
- Session consistency between parent and child processes
- Process creation timestamps
- Integrity level inheritance
- Protected process behavior
- Valid parent existence
- Legitimate Windows parent-child rules for system processes
These checks allow the plugin to flag suspicious or malicious process hierarchies that deviate from expected Windows behaviors.
Detection Rules
| Rule | Description | Detection |
|---|---|---|
| Parent Existence | Parent process missing or terminated | Process Orphaning |
| Session Consistency | Child and parent in different sessions | Cross-Session Injection |
| Integrity Level | Child has higher integrity than parent | Token Manipulation |
| Creation Time | Child created before parent | Process Tampering |
| Protection Consistency | Protected process spawned by unprotected parent | Protected Process Bypass |
| System Process Rules | Critical system process spawned by invalid parent | PPID Spoofing / Process Hollowing |
Output Fields
When --verbose is off (default):
| Field | Description |
|---|---|
| Process | Process name |
| PID | Process ID |
| PPID | Parent Process ID |
| Parent Name | Name of the parent process |
| Status | Classification of relationship (LEGITIMATE, SUSPICIOUS, MALICIOUS) |
| Severity | Risk level (INFO, MEDIUM, HIGH, CRITICAL) |
| Evidence | Explanation of anomaly |
When --verbose is on:
| Additional Fields | Description |
|---|---|
| Technique | Detection technique used |
| Confidence | Confidence level of detection |
| Session | Session ID of the process |
Optional Arguments
| Argument | Type | Description |
|---|---|---|
| --pid | Integer | Analyze a specific Process ID |
| --verbose | Boolean | Show detailed process relationship information |
| --debug | Boolean | Enable detailed logging and debug output |
| --show-legitimate | Boolean | Display legitimate relationships (default: True) |