ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

pslist does not report timestamps for terminated processes #215

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
Processes which have terminated remain in the list of active processes until 
all of their resources have been returned to the system. During this time, 
Windows records the timestamp of when the process exited in the EPROCESS block. 
That timestamp is not displayed by pslist, but should be. The attached patch 
adds the exit time.

Here's what I see now with pslist:

$ python vol.py pslist -f ~/memory-images/xp-laptop-2005-07-04-1430.img 
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  Name                 PID    PPID   Thds   Hnds   Time 
---------- -------------------- ------ ------ ------ ------ ------------------- 
0x81488350 PluckUpdater.ex         368   3352      0 ------ 2005-07-04 18:24:30 

Here's what I would like to see:
Volatile Systems Volatility Framework 2.0-SANS
 Offset(V)  Name                 PID    PPID   Thds    Hnds    Start Time          Exit Time
---------- -------------------- ------ ------ ------ -------- ------------------- -------------------
0x81488350 PluckUpdater.ex         368   3352      0 -------- 2005-07-04 18:24:30 2005-07-04 18:26:44

What version of the product are you using? On what operating system?
svn trunk as of 20 Feb 2012 on OS X.

Original issue reported on code.google.com by jessekornblum on 20 Feb 2012 at 2:52
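A small parser for the pslist layout proposed above, added here as an illustration (it is not Volatility code and does not use the framework's API): it slices rows by the column widths in the dashed separator, treats a present Exit Time as a process that has exited but is still linked into the active list, and computes how long it ran. The sample output is constructed; the first row is the PluckUpdater.ex row from the report, the second is an invented running process.

```python
import re
from datetime import datetime

TS_FMT = "%Y-%m-%d %H:%M:%S"
# Column order of the proposed pslist layout (Start Time plus Exit Time).
COLUMNS = ("offset", "name", "pid", "ppid", "threads", "handles", "start", "exit")
KINDS = {"offset": "int", "pid": "int", "ppid": "int", "threads": "int",
         "handles": "int", "start": "time", "exit": "time"}

# Constructed sample output. Row 1 is the terminated process from the issue,
# row 2 a made-up process that is still running (no Exit Time).
SAMPLE_PSLIST = """\
 Offset(V)  Name                 PID    PPID   Thds    Hnds    Start Time          Exit Time
---------- -------------------- ------ ------ ------ -------- ------------------- -------------------
0x81488350 PluckUpdater.ex         368   3352      0 -------- 2005-07-04 18:24:30 2005-07-04 18:26:44
0x81234560 explorer.exe           1234    567     14      412 2005-07-04 14:05:12
"""

def column_spans(separator):
    """Each run of dashes in the separator row gives one column's (start, end)."""
    return [(m.start(), m.end()) for m in re.finditer(r"-+", separator)]

def _cell(raw, kind):
    raw = raw.strip()
    if not raw or set(raw) == {"-"}:   # blank Exit Time or a "------" handle count
        return None
    if kind == "int":
        return int(raw, 0)             # base 0 accepts both 0x... offsets and decimals
    return datetime.strptime(raw, TS_FMT) if kind == "time" else raw

def parse_pslist(text):
    """Parse pslist text (header, separator, rows) into one dict per process."""
    lines = [l for l in text.splitlines() if l.strip()]
    spans = column_spans(lines[1])     # lines[0] is the header row
    procs = []
    for line in lines[2:]:
        # Slicing past the end of a short line yields "", i.e. an empty Exit Time.
        procs.append({name: _cell(line[s:e], KINDS.get(name, "str"))
                      for name, (s, e) in zip(COLUMNS, spans)})
    return procs

def is_terminated(proc):
    """An Exit Time means the process exited but its EPROCESS is still in the
    active list because its resources have not yet been returned to the system."""
    return proc["exit"] is not None

def lifetime_seconds(proc):
    """Seconds between Start Time and Exit Time; None while the process runs."""
    if not is_terminated(proc):
        return None
    return (proc["exit"] - proc["start"]).total_seconds()
```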

GoogleCodeExporter commented 9 years ago
This is something we have known about for a while, see our docs, particularly 
MHL's blogpost listed there:

http://code.google.com/p/volatility/wiki/CommandReference#pslist

That being said, it might be good to put this info since psscan already shows 
it.  I'm leaving it open for a vote from others...

Original comment by jamie.l...@gmail.com on 20 Feb 2012 at 6:04

GoogleCodeExporter commented 9 years ago
Guys, I downgraded this from medium priority defect to low priority 
enhancement, as it's just a request to see an extra field in the output. Let's 
take care of some more important issues first. 

Original comment by michael.hale@gmail.com on 21 Feb 2012 at 2:28

GoogleCodeExporter commented 9 years ago
closed in r1791

Original comment by michael.hale@gmail.com on 22 May 2012 at 2:23