
Linux threads Plugin

Open · samuelzurowski opened this issue 2 years ago · 1 comment

Hello,

I know volatility2 had a threads plugin. I know my previous PR mentioned adding it to one of the Linux ps plugins. However, because I already had this done, I thought I would submit it to see if it's something volatility3 would want. (See https://github.com/volatilityfoundation/volatility3/pull/667)

[screenshot of plugin output]

Here are two usage examples. It includes offset, PID, COMM, Thread PID, Thread name, thread offset, and more properties depicted in the screenshot.

Banner tested against: Identified banner: b'Linux version 4.18.0-348.7.1.el8_5.x86_64 ([email protected]) (gcc version 8.5.0 20210514 (Red Hat 8.5.0-4) (GCC)) #1 SMP Wed Dec 22 13:25:12 UTC 2021\n\x00

samuelzurowski avatar Apr 27 '22 21:04 samuelzurowski

Aren't you missing out on single threaded processes? We should add sentinel=False to the input parameter of the to_list function in the get_threads.

paulkermann avatar Apr 28 '22 06:04 paulkermann
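To make the sentinel point concrete, here is a small stand-alone model (added for this write-up; it is not volatility3 code and does not use the framework) of a kernel-style embedded circular list and a `to_list`-like walker. The `walk()` function mirrors the behaviour paulkermann is referring to: with `sentinel=True` the container of the head `list_head` is never yielded, so a task whose `thread_group` list points only at itself (a single-threaded process) produces no threads at all, while `sentinel=False` yields the leader first. The `Task`, `ListHead`, `build_process` and `get_threads` names, and the PIDs used, are constructed for the example.

```python
"""Model of walking an embedded circular list with and without the sentinel.

Constructed example for this issue thread: it imitates the Linux
thread_group list_head and the sentinel semantics of a to_list-style
walker in plain Python. It is not volatility3 code.
"""
from typing import Iterator, List


class ListHead:
    """Analogue of struct list_head embedded in a container object."""

    def __init__(self, owner: "Task") -> None:
        self.owner = owner      # container_of() analogue: who embeds this node
        self.next = self        # INIT_LIST_HEAD: an empty list points at itself
        self.prev = self


class Task:
    """Minimal task_struct stand-in: PID, COMM and the thread_group node."""

    def __init__(self, pid: int, comm: str) -> None:
        self.pid = pid
        self.comm = comm
        self.thread_group = ListHead(self)


def list_add_tail(new: ListHead, head: ListHead) -> None:
    """Kernel list_add_tail(): insert `new` just before `head` in the ring."""
    prev = head.prev
    prev.next = new
    new.prev = prev
    new.next = head
    head.prev = new


def walk(head: ListHead, sentinel: bool = True) -> Iterator[Task]:
    """Yield the containers reachable from `head`.

    With sentinel=True the head itself is treated as a pure list anchor and
    its container is skipped; with sentinel=False it is yielded first.
    A `seen` set stops the walk once the ring wraps around (and guards
    against a corrupted list that loops without returning to the head).
    """
    if not sentinel:
        yield head.owner
    seen = {id(head)}
    link = head.next
    while id(link) not in seen:
        yield link.owner
        seen.add(id(link))
        link = link.next


def get_threads(leader: Task, sentinel: bool = True) -> List[int]:
    """PIDs of the threads found by walking the leader's thread_group list."""
    return [t.pid for t in walk(leader.thread_group, sentinel=sentinel)]


def build_process(leader_pid: int, comm: str, thread_pids: List[int]) -> Task:
    """Constructed process: the leader owns the list head, threads are linked in."""
    leader = Task(leader_pid, comm)
    for pid in thread_pids:
        list_add_tail(Task(pid, comm).thread_group, leader.thread_group)
    return leader


if __name__ == "__main__":
    single = build_process(1234, "sshd", [])            # constructed PIDs
    multi = build_process(2000, "firefox", [2001, 2002])
    for proc in (single, multi):
        print(proc.comm, "sentinel=True ->", get_threads(proc, sentinel=True),
              "| sentinel=False ->", get_threads(proc, sentinel=False))
```

Running the block shows the single-threaded `sshd` disappearing entirely under `sentinel=True` and reappearing under `sentinel=False`, while the multi-threaded process gains its leader as the first entry. For a forensics plugin that is the difference between reporting every process and silently dropping the (very common) single-threaded ones.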