Skip to content

Conversation

@SolitudePy
Copy link
Contributor

Hello, trying my way around os internals & memory :P

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.pebmasquerade | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
[               
  {
    "EPROCESS_ImageFileName": "powershell_ise",
    "EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell_ise.exe",
    "Notes": "['Potential PEB.ImageFilePath Spoofing: EPROCESS=powershell_ise;PEB=explorer.exe', 'Potential PEB.CommandLine Spoofing: EPROCESS=powershell_ise;PEB=explorer.exe', 'Potential PEB.ImageFilePath Spoofing (via _EPROCESS.SeAuditProcessCreationInfo): EPROCESS=windows/system32/windowspowershell/v1.0/powershell_ise.exe;PEB=windows/explorer.exe']",
    "PEB_CommandLine_Path": "C:\\Windows\\explorer.exe",
    "PEB_ImageFilePath": "C:\\Windows\\explorer.exe",
    "PID": 11096,
    "ProcessName": "powershell_ise",
    "__children": []
  },
  {
    "EPROCESS_ImageFileName": "peb_masquerade",
    "EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Users\\Robot\\Dev\\peb_masquerade.exe",
    "Notes": "['Potential PEB.ImageFilePath Spoofing: EPROCESS=peb_masquerade;PEB=notepad.exe', 'Potential PEB.CommandLine Spoofing: EPROCESS=peb_masquerade;PEB=notepad.exe', 'Potential PEB.ImageFilePath Spoofing (via _EPROCESS.SeAuditProcessCreationInfo): EPROCESS=users/robot/dev/peb_masquerade.exe;PEB=windows/system32/notepad.exe']",
    "PEB_CommandLine_Path": "C:\\windows\\system32\\notepad.exe",
    "PEB_ImageFilePath": "C:\\windows\\system32\\notepad.exe",
    "PID": 12372,
    "ProcessName": "peb_masquerade",
    "__children": []
  }
]

@SolitudePy
Copy link
Contributor Author

added _UNICODE_STRING length checks.
ProcessParameters.CommandLine introduced 2 "false positives" on my test:

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.pebmasquerade | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
  warnings.warn(
[rogress:  100.00               PDB scanning finished                        
  {
    "EPROCESS_ImageFileName": "WmiPrvSE.exe",
    "EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\wbem\\WmiPrvSE.exe",
    "Notes": "['PEB.CommandLine Length Mismatch: Commandline=C:\\Windows\\system32\\wbem\\wmiprvse.exe, Length=48, MaximumLength=48, Actual=37']",
    "PEB_CommandLine_Path": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "PEB_ImageFilePath": "C:\\Windows\\system32\\wbem\\wmiprvse.exe",
    "PID": 2640,
    "ProcessName": "WmiPrvSE.exe",
    "__children": []
  },
  {
    "EPROCESS_ImageFileName": "audiodg.exe",
    "EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Windows\\System32\\audiodg.exe",
    "Notes": "['PEB.CommandLine Length Mismatch: Commandline=C:\\Windows\\system32\\AUDIODG.EXE 0x540, Length=43, MaximumLength=43, Actual=37']",
    "PEB_CommandLine_Path": "C:\\Windows\\system32\\AUDIODG.EXE",
    "PEB_ImageFilePath": "C:\\Windows\\system32\\AUDIODG.EXE",
    "PID": 11384,
    "ProcessName": "audiodg.exe",
    "__children": []
  }
]

Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

A number of little issues around this one, it feels like a lot of string manipulation that don't necessarily feel robust. I'll give it another look once you've addressed the comments though...

),
]

@staticmethod
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Please use classmethods rather than staticmethods. Staticmethods can't determine what class they're a part of, therefore can't access any version information about themselves, which can be important (for instance, for deprecating it in the future).

Copy link
Member

@ikelos ikelos Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still needs resolving. Staticmethod splits the method from the plugin, meaning we can't then use introspection effectively to determine things like which version of the plugin this was attached to. We've run into this before, I realize it feels like it should make no difference, but please use classmethods.

@SolitudePy
Copy link
Contributor Author

Removed Notes column & path extracted from cmdline and added 2 boolean columns for the length checks.

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/peb_masq_dump.raw -r json windows.malware.pebmasquerade --pid 12372
Volatility 3 Framework 2.26.2
Progress:  100.00               PDB scanning finished                        
[
  {
    "EPROCESS_ImageFileName": "peb_masquerade",
    "EPROCESS_SeAudit_ImageFileName": "\\Device\\HarddiskVolume3\\Users\\Robot\\Dev\\peb_masquerade.exe",
    "PEB_CommandLine_Spoofed": true,
    "PEB_ImageFilePath": "C:\\windows\\system32\\notepad.exe",
    "PEB_ImageFilePath_Spoofed": true,
    "PID": 12372,
    "__children": []
  }
]

Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks very much and sorry for the delay in getting this re-reviewed. It's looking really good now, just that one outstanding comment that unfortunately does still need resolving, but then I think this can go in! 5:)

),
]

@staticmethod
Copy link
Member

@ikelos ikelos Sep 14, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This still needs resolving. Staticmethod splits the method from the plugin, meaning we can't then use introspection effectively to determine things like which version of the plugin this was attached to. We've run into this before, I realize it feels like it should make no difference, but please use classmethods.

Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Generally looks good. I'm a little concerned about false positives because we do our own unicode length maths, and I worry about unusual encodings or something else that throws the count off, but if you're happy this is a useful addition then I have no real problem with it going in. Just need to check that the required_framework_version is actually accurate, and not just copied by default from other plugins... It may well be fine, but if you aren't sure, then I'll like people to get in the habit of setting it to the version they're adding it to please...

Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks, looks ready for primetime then. 5:)

@ikelos ikelos merged commit 2dbc06f into volatilityfoundation:develop Sep 23, 2025
14 checks passed
@SolitudePy SolitudePy deleted the pebmasq branch September 23, 2025 21:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants