Process Connection Volatility3 Plugin #1907
base: develop
# live.py – Volatility 3 Live System Analysis Plugin

`live.py` is a custom plugin for **Volatility 3** designed to extend its capabilities for **real-time forensic data collection and threat hunting** directly on a **live Windows system**, eliminating the need for a full memory dump. This tool provides an **interactive command-line shell** for dynamic investigation, leveraging system APIs through libraries like `psutil` and `pywin32` to quickly triage and analyze active endpoints.

---

## Key Capabilities

### **Live Analysis Mode**

Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements.

### **Interactive Shell**

Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the `LiveShellCommand` interface.

### **Advanced Threat Hunting**

Provides built-in commands for targeted analysis:

- **fileless** – Detects fileless malware and suspicious in-memory activity, focusing on processes such as `powershell.exe`.
- **detect_sandbox** – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes.

### **Comprehensive Forensic Data Collection**

Collects essential artifacts and system information for deep analysis:

- **Process and Module Data:** `pslist`, `psscan`, `dlllist`, `handles`, `sids`, `cmdline`
- **Network Activity:** `netscan` for active connections and sockets
- **Persistence & Services:** Analysis of `services`, `drivers`, `registry`, and autorun entries
- **Artifact Analysis:** Extraction of `shimcache`, `prefetch`, `userassist`, and `jumplists`
- **Timeline Generation:** Unified event correlation using `timeliner`

---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin)

`sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**.

---

## Key Capabilities

### **Multi-Layered Artifact Scanning**

Performs deep inspection across multiple memory and system layers to ensure comprehensive detection:

- **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`.
- **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`.
- **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths.

---

### **Heuristic Scoring System**

Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as:

- **HIGH CONFIDENCE – Virtual Machine Detected**
- **MODERATE CONFIDENCE – Sandbox Environment**
- **LOW CONFIDENCE – Physical Host**

This scoring model provides analysts with clearer, evidence-weighted conclusions.

---
# proccon.py – Process Connectivity & Visualization (Volatility 3 Plugin)

`proccon.py` is a **Volatility 3 plugin** designed to provide **process visualization and relationship mapping** from a **Windows memory dump**. While it does not perform direct forensic analysis, it serves as a **critical utility** for post-processing and visualizing process hierarchy data. The plugin extracts **Parent-Child process relationships** and outputs them as a **Graphviz DOT file**, enabling investigators to generate graphical representations of the system’s process tree at the time of capture.

---

## Key Capabilities

### **Process Tree Extraction**

Efficiently iterates through the complete process list obtained via Volatility’s `windows.pslist` plugin to map:

- **PID** (Process ID) → **PPID** (Parent Process ID)

This provides a foundational dataset for visual process relationship mapping.

---

### **Graphviz DOT Output**

Automatically generates a **structured `.dot` file** compatible with Graphviz visualization tools such as:

- `dot`
- `neato`
- Online renderers and graphing tools

This output can be rendered into **network-style process trees**, allowing investigators to:

- Visualize process spawning chains
- Detect irregular or unexpected parent-child relationships
- Identify suspicious execution flows in malware investigations

---

### **Visualization Focus**

The plugin emphasizes **connectivity and hierarchy**, providing a clear visual representation of process structures that supports:

- **Anomaly Detection:** Spot abnormal or hidden parent-child relationships
- **Malware Analysis:** Map execution chains to trace malicious process origins
- **System Understanding:** Reveal the operational process tree at the time of memory capture

---
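The PID → PPID extraction, root detection and DOT generation that the proccon.py description above outlines, written as an added stand-alone example (not the plugin's own code) that also folds in two points from the review further down: the root test spelled `not ppid`, and the DOT text returned as bytes so it can be handed to Volatility's `self.open(preferred_filename)` rather than written with a bare `open()`. The process table is constructed, and the colour constants and the cycle guard in the depth walk are assumptions of this example, not features the page attributes to the plugin.

```python
# Constructed sample in the pid -> {"name", "ppid"} shape a pslist walk yields. PID 4 has
# no parent; PID 9999's parent is absent from the dump (exited, or hidden), so it is a root too.
SAMPLE_PROCESSES = {
    4: {"name": "System", "ppid": 0},
    400: {"name": "smss.exe", "ppid": 4},
    600: {"name": "winlogon.exe", "ppid": 400},
    800: {"name": "explorer.exe", "ppid": 600},
    1200: {"name": "powershell.exe", "ppid": 800},
    9999: {"name": "orphan.exe", "ppid": 31337},
}

ROOT_COLOR = "lightcoral"  # colours kept in one place, as the review suggests
CHILD_COLOR = "lightblue"


def find_roots(processes):
    """Roots: no parent (ppid 0, written as `not ppid`) or a parent missing from the dump."""
    return {pid for pid, p in processes.items()
            if not p["ppid"] or p["ppid"] not in processes}


def depth_of(pid, processes):
    """Hops from pid up to its root. The visited set stops a PPID cycle (e.g. PID reuse
    making a process its own ancestor) from looping, which a naive recursion would not."""
    depth, seen = 0, set()
    while pid not in seen and processes[pid]["ppid"] in processes:
        seen.add(pid)
        pid = processes[pid]["ppid"]
        depth += 1
    return depth


def build_dot(processes):
    """Render the PID -> PPID map as Graphviz DOT and return UTF-8 bytes, ready for
    self.open(preferred_filename).write(...) instead of open(output_file, 'w')."""
    roots = find_roots(processes)
    lines = ["digraph proctree {", "  rankdir=TB;", "  node [shape=box, style=filled];"]
    for pid in sorted(processes):
        p = processes[pid]
        role = "ROOT" if pid in roots else "CHILD"
        color = ROOT_COLOR if pid in roots else CHILD_COLOR
        label = f"{p['name']}\\nPID {pid} ({role}, depth {depth_of(pid, processes)})"
        lines.append(f'  p{pid} [label="{label}", fillcolor="{color}"];')
    for pid in sorted(processes):
        if pid not in roots:  # roots get no edge, so an absent parent is never referenced
            lines.append(f"  p{processes[pid]['ppid']} -> p{pid};")
    lines.append("}")
    return ("\n".join(lines) + "\n").encode("utf-8")
```

Feed the returned bytes to `dot -Tpng` to render; a node coloured as ROOT that is not `System` is exactly the "unexpected parent-child relationship" the description says the graph is meant to surface.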
ikelos left a comment
Generally this looks good, but it writes files directly to the disk of wherever volatility is running, which will not work as expected when volatility is run as a library that's part of a web service, for example. Please use `self.open` instead of `open`. It only takes a preferred filename and will expect bytes, but otherwise the output should function similarly.
| root_pids = [] | ||
| for pid, proc_data in processes.items(): | ||
| ppid = proc_data["ppid"] | ||
| if ppid == 0 or ppid not in processes: |
`ppid == 0` can be written in a more Pythonic way as `not ppid`, but it's just a stylistic point, not a show-stopper.
| if safe_path != safe_name: | ||
| # Extract just the directory and filename | ||
| if '\\\\' in safe_path: | ||
| parts = safe_path.split('\\\\') |
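Review bot: as shown, the literal `'\\\\'` on the last two lines is a two-backslash Python string, so `'\\\\' in safe_path` only matches a doubled separator and a normal `C:\Windows\System32\cmd.exe` path is never split; if a single separator is meant the literal should be `'\\'`, and `pathlib.PureWindowsPath(safe_path).name` and `.parent` remove the ambiguity while also handling drive letters, UNC prefixes and forward slashes that the manual split does not.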
Consider using Python's path manipulation functions (`pathlib`), rather than manual string manipulation that may not take into account various complexities of paths for various operating systems.
| depth = calculate_depth(pid) | ||
| if pid in root_pids: | ||
| role = "ROOT" | ||
| fillcolor = "lightcoral" |
Consider extracting the various colours to class variables, so they can be more easily changed and ensure they are consistent throughout the output.
| # Write to file | ||
| try: | ||
| with open(output_file, 'w', encoding='utf-8') as f: |
Please don't directly write out files. If this is running as part of a webserver, this will write the data out into the web server, rather than being able to return it to the user. Instead use the built-in `FileHandlerInterface`, by calling `self.open`. The parameter it takes is a suggested filename, and it will work correctly however the library is called.