ProcGraph Volatility3 Plugin #1911
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
# live.py – Volatility 3 Live System Analysis Plugin `live.py` is a custom plugin for **Volatility 3** designed to extend its capabilities for **real-time forensic data collection and threat hunting** directly on a **live Windows system**, eliminating the need for a full memory dump. This tool provides an **interactive command-line shell** for dynamic investigation, leveraging system APIs through libraries like `psutil` and `pywin32` to quickly triage and analyze active endpoints. --- ## Key Capabilities ### **Live Analysis Mode** Performs immediate, low-overhead forensic data collection from an active operating system, bypassing traditional memory dump requirements. ### **Interactive Shell** Includes an integrated CLI environment offering a suite of commands for efficient, step-by-step investigation via the `LiveShellCommand` interface. ### **Advanced Threat Hunting** Provides built-in commands for targeted analysis: - **fileless** – Detects fileless malware and suspicious in-memory activity, focusing on processes such as `powershell.exe`. - **detect_sandbox** – Identifies virtualized or sandboxed environments by inspecting artifacts, process behavior, and MAC address prefixes. ### **Comprehensive Forensic Data Collection** Collects essential artifacts and system information for deep analysis: - **Process and Module Data:** `pslist`, `psscan`, `dlllist`, `handles`, `sids`, `cmdline` - **Network Activity:** `netscan` for active connections and sockets - **Persistence & Services:** Analysis of `services`, `drivers`, `registry`, and autorun entries - **Artifact Analysis:** Extraction of `shimcache`, `prefetch`, `userassist`, and `jumplists` - **Timeline Generation:** Unified event correlation using `timeliner` ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# sandbox_detect.py – Virtualization and Sandbox Environment Detection (Volatility 3 Plugin) `sandbox_detect.py` is a specialized **Volatility 3 plugin** designed for **post-mortem forensic analysis** of **Windows memory dumps**. Its primary goal is to detect and score artifacts indicating that the analyzed system was operating within a **Virtual Machine (VM)**, **Sandbox**, or **Malware Analysis Environment**. This plugin is particularly valuable for investigators who need to determine whether a captured memory sample originated from a **controlled analysis setup** or a **real-world victim system**. --- ## Key Capabilities ### **Multi-Layered Artifact Scanning** Performs deep inspection across multiple memory and system layers to ensure comprehensive detection: - **Process Analysis:** Identifies running processes related to virtualization or analysis environments, such as `vmtoolsd.exe`, `vboxservice.exe`, `prl_cc.exe`, `wireshark.exe`, and `ollydbg.exe`. - **Driver and Module Checks:** Detects kernel modules and drivers named after virtualization platforms, including `vmmouse.sys`, `vboxguest.sys`, and `vmhgfs.sys`. - **Registry and System Keys:** Examines critical registry entries and system identifiers for virtualization traces, such as hardware IDs, BIOS strings, and known VM installation paths. --- ### **Heuristic Scoring System** Implements a scoring engine that assigns severity levels to each identified artifact. Instead of a binary result, the plugin produces a **confidence-based verdict**, such as: - **HIGH CONFIDENCE – Virtual Machine Detected** - **MODERATE CONFIDENCE – Sandbox Environment** - **LOW CONFIDENCE – Physical Host** This scoring model provides analysts with clearer, evidence-weighted conclusions. ---
# proccon.py – Process Connectivity & Visualization (Volatility 3 Plugin) `proccon.py` is a **Volatility 3 plugin** designed to provide **process visualization and relationship mapping** from a **Windows memory dump**. While it does not perform direct forensic analysis, it serves as a **critical utility** for post-processing and visualizing process hierarchy data. The plugin extracts **Parent-Child process relationships** and outputs them as a **Graphviz DOT file**, enabling investigators to generate graphical representations of the system’s process tree at the time of capture. --- ## Key Capabilities ### **Process Tree Extraction** Efficiently iterates through the complete process list obtained via Volatility’s `windows.pslist` plugin to map: - **PID** (Process ID) → **PPID** (Parent Process ID) This provides a foundational dataset for visual process relationship mapping. --- ### **Graphviz DOT Output** Automatically generates a **structured `.dot` file** compatible with Graphviz visualization tools such as: - `dot` - `neato` - Online renderers and graphing tools This output can be rendered into **network-style process trees**, allowing investigators to: - Visualize process spawning chains - Detect irregular or unexpected parent-child relationships - Identify suspicious execution flows in malware investigations --- ### **Visualization Focus** The plugin emphasizes **connectivity and hierarchy**, providing a clear visual representation of process structures that supports: - **Anomaly Detection:** Spot abnormal or hidden parent-child relationships - **Malware Analysis:** Map execution chains to trace malicious process origins - **System Understanding:** Reveal the operational process tree at the time of memory capture ---
# procgraph.py – Process Connectivity & Relationship Visualization (Volatility 3 Plugin) `procgraph.py` is a **Volatility 3 plugin** designed to map **process relationships and connectivity** from a Windows memory dump. It generates a **graphical representation** of process hierarchies and interactions, making it easier for analysts to understand process spawning, parent-child relationships, and potential malicious execution flows. --- ## Key Capabilities ### **Process Tree Extraction** - Iterates over all processes enumerated by Volatility (e.g., using `pslist`) - Maps **PID (Process ID)** to **PPID (Parent Process ID)** - Captures hierarchical relationships between processes for visualization ### **Graph Visualization** - Outputs a **Graphviz DOT file** representing the process tree and connectivity - DOT files can be rendered with Graphviz tools (`dot`, `neato`) or online renderers - Visualizations help identify: - Unexpected parent-child relationships - Malware spawning chains - Abnormal execution flows
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
procgraph.py – Process Connectivity & Relationship Visualization (Volatility 3 Plugin)
procgraph.pyis a Volatility 3 plugin designed to map process relationships and connectivity from a Windows memory dump.It generates a graphical representation of process hierarchies and interactions, making it easier for analysts to understand process spawning, parent-child relationships, and potential malicious execution flows.
Key Capabilities
Process Tree Extraction
pslist)Graph Visualization
dot,neato) or online renderers