volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Psxview is urgently needed for volatility 3 #973

Closed resposo closed 2 months ago

resposo commented 1 year ago

In volatility2, psxview was useful as a way to detect hidden processes. However, in volatility3, psxview does not exist, making it difficult to detect hidden processes. Is anyone porting that plugin by any chance?
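The detection technique being asked for here is a cross-view comparison: enumerate processes through several independent sources (the kernel's linked process list, a pool-tag scan for process objects, a thread scan, the csrss handle table, the session list) and flag entries that some sources see but the list walk does not. The block below is an added illustration of that logic on constructed sample data; it is not code from this thread, from Volatility, or from any psxview port. The view names and the verdict rules are assumptions modelled on the columns of the Volatility 2 plugin.

```python
"""psxview-style cross-view comparison of process enumeration sources.

Added illustration, not Volatility's own code. Each view is a set of
(pid, name) tuples as a plugin would collect them from a memory image.
The view names are assumptions modelled on Volatility 2's psxview columns.
"""

# Sources that do not depend on the OS's own process list. A process hidden
# by unlinking its EPROCESS from ActiveProcessLinks (DKOM) drops out of
# "pslist" but still leaves traces that these independent views pick up.
SCAN_VIEWS = ("psscan", "thrdscan", "csrss", "session")

# Constructed sample data (not from a real image). PID 2044 is unlinked from
# the active process list; PID 900 is an exited process whose EPROCESS block
# still lingers in physical memory, so only the pool scan finds it. System
# and csrss.exe are legitimately absent from the csrss handle view, which is
# a well-known source of false positives in psxview output.
SAMPLE_VIEWS = {
    "pslist":   {(4, "System"), (456, "csrss.exe"), (512, "winlogon.exe"),
                 (1336, "explorer.exe")},
    "psscan":   {(4, "System"), (456, "csrss.exe"), (512, "winlogon.exe"),
                 (1336, "explorer.exe"), (2044, "hidden.exe"), (900, "notepad.exe")},
    "thrdscan": {(4, "System"), (456, "csrss.exe"), (512, "winlogon.exe"),
                 (1336, "explorer.exe"), (2044, "hidden.exe")},
    "csrss":    {(512, "winlogon.exe"), (1336, "explorer.exe"), (2044, "hidden.exe")},
    "session":  {(4, "System"), (456, "csrss.exe"), (512, "winlogon.exe"),
                 (1336, "explorer.exe"), (2044, "hidden.exe")},
}


def cross_view(views):
    """Return one row per (pid, name) seen in any view, sorted by pid.

    Each row records which views contain the process and a verdict:
      "ok"       present in every view
      "hidden"   absent from pslist but found by two or more independent
                 sources (the classic DKOM unlinking pattern)
      "residual" found only by psscan, i.e. most likely an exited process
      "partial"  anything else: weaker evidence, review by hand
    """
    all_procs = set().union(*views.values())
    rows = []
    for pid, name in sorted(all_procs):
        present = {v: (pid, name) in procs for v, procs in views.items()}
        in_list = present.get("pslist", False)
        scan_hits = [v for v in SCAN_VIEWS if present.get(v)]
        if all(present.values()):
            verdict = "ok"
        elif not in_list and len(scan_hits) >= 2:
            verdict = "hidden"
        elif not in_list and scan_hits == ["psscan"]:
            verdict = "residual"
        else:
            verdict = "partial"
        rows.append({"pid": pid, "name": name, "views": present, "verdict": verdict})
    return rows


def hidden_processes(views):
    """Shortcut: only the (pid, name) pairs the comparison rates as hidden."""
    return [(r["pid"], r["name"]) for r in cross_view(views) if r["verdict"] == "hidden"]


def render(rows):
    """Format rows as a psxview-like text table (one True/False column per view)."""
    if not rows:
        return ""
    names = list(rows[0]["views"])
    header = f"{'PID':>6} {'Name':<16} " + " ".join(f"{n:<9}" for n in names) + " verdict"
    lines = [header]
    for r in rows:
        flags = " ".join(f"{str(r['views'][n]):<9}" for n in names)
        lines.append(f"{r['pid']:>6} {r['name']:<16} {flags} {r['verdict']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(cross_view(SAMPLE_VIEWS)))
```

On the sample data, hidden.exe (PID 2044) is the only "hidden" verdict: it is missing from pslist yet found by all four independent sources. notepad.exe lands as "residual" because only the pool scan sees it, and System and csrss.exe come out "partial" rather than hidden because they are still in pslist; those two columns are exactly the ones an analyst learns to discount when reading psxview output.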

eve-mem commented 1 year ago

Hello,

There aren't any pull requests at the moment for a psxview plugin replacement, but someone might be out there working on it on their own. There is no harm in asking on the volatility3 channel in our slack group.

This thrdscan plugin that is in the works may prove useful to you: https://github.com/volatilityfoundation/volatility3/pull/960

Perhaps you could test that and see if it illuminates something useful for you?

ikelos commented 1 year ago

Might be worth seeing if @iMHLv2 had any plans to recreate it, or knows of someone that's looking for a starter plugin to try out their plugin authoring skills on... ;)

MY7H404 commented 2 months ago

Hey everyone,

Just wanted to give a quick heads-up that I'm working on a PsXview plugin for Volatility 3. I know a lot of folks have been missing this tool from Volatility 2 for detecting hidden processes.

It's still a work in progress, and there are a few things left to sort out, but I thought it might be useful for some of you who have been asking about it. If anyone's interested in giving it a test run or even contributing, that would be awesome! You can check out what I've got so far on my GitHub: https://github.com/MY7H404/psxview

Just to add, I'm still learning about Volatility and memory analysis. Although this is a useful plugin and can be reproduced, I have absolutely no background in memory analysis in general. The exploration I did was out of curiosity. So there is no “scientific proof” that this is the correct way to parse the content.

Thanks, and I'd love to hear any feedback or suggestions you might have!

ikelos commented 2 months ago

There is a pull request for this going through review at the moment...

https://github.com/volatilityfoundation/volatility3/pull/1219

ikelos commented 2 months ago

1219 has now been merged, as such I'm going to mark this issue as closed. Please file a new one if there are features you'd like or something else that could be improved with the psxview plugin.