added mechanism for deleted exe

SolitudePy · SolitudePy · commit 5e654b1566e4 · 2025-06-07T13:48:52.000+03:00
diff --git a/volatility3/framework/plugins/linux/process_spoofing.py b/volatility3/framework/plugins/linux/process_spoofing.py
@@ -21,7 +21,8 @@ class ProcessSpoofing(plugins.PluginInterface):
     """Detects process spoofing by comparing executable path to cmdline & comm fields"""
 
     _required_framework_version = (2, 0, 0)
-    _version = (1, 0, 0)
+    _version = (1, 1, 0)
+    deleted = " (deleted)"
 
     @classmethod
     def get_requirements(cls):
@@ -64,10 +65,17 @@ def _get_executable_path(
                 return None
 
             exe_file = mm.exe_file
+
             if not exe_file or not exe_file.is_readable():
                 return None
+
+            exe_inode = exe_file.dereference().f_path.dentry.d_inode
             exe_path = linux.LinuxUtilities.path_for_file(self.context, task, exe_file)
 
+            # If the inode link count is 0, the process image has been deleted
+            if exe_inode.i_nlink == 0:
+                exe_path += self.deleted
+
             return exe_path if exe_path else None
 
         except (exceptions.InvalidAddressException, AttributeError):
@@ -176,6 +184,11 @@ def _detect_spoofing(
             1 for name in [exe_basename, cmdline_basename, comm] if name
         )
 
+        is_deleted = exe_basename.endswith(self.deleted)
+        if is_deleted:
+            notes.append(f"'Potential Process image deletion: exe_file={exe_basename}'")
+            exe_basename = exe_basename[: len(self.deleted) * -1]
+
         if available_sources < 2:
             return None
 
