Skip to content

process_spoofing plugin#1826

Merged
ikelos merged 24 commits intovolatilityfoundation:developfrom
SolitudePy:linux_procspoof
Dec 31, 2025
Merged

process_spoofing plugin#1826
ikelos merged 24 commits intovolatilityfoundation:developfrom
SolitudePy:linux_procspoof

Conversation

@SolitudePy
Copy link
Contributor

@SolitudePy SolitudePy commented Jun 2, 2025

Hello, just playing with memory & OS internals.
apparently some legitimate processes do these techniques to have enriched information in their cmdline or so. here are some such processes:

PID     PPID    Exe_Basename    Cmdline_Basename        Comm    Notes

966     1       platform-python3.6      platform-python firewalld       ['Potential cmdline spoofing: exe_file=platform-python3.6;cmdline=platform-python', 'Potential comm spoofing: exe_file=platform-python3.6;comm=firewalld']
991     1       platform-python3.6      platform-python tuned   ['Potential cmdline spoofing: exe_file=platform-python3.6;cmdline=platform-python', 'Potential comm spoofing: exe_file=platform-python3.6;comm=tuned']
1257    1       login   login -- root   login   ['Potential cmdline spoofing: exe_file=login;cmdline=login -- root']
1923    1903    bash    bash    entrypoint.sh   ['Potential comm spoofing: exe_file=bash;comm=entrypoint.sh']
3475    3472    systemd (sd-pam)        (sd-pam)        ['Potential cmdline spoofing: exe_file=systemd;cmdline=(sd-pam)', 'Potential comm spoofing: exe_file=syst

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/procspoof_dump_lin.raw -r json linux.process_spoofing | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
Progress:  100.00               Stacking attempts finished           
[
  {
    "Cmdline_Basename": "[malwareX]",
    "Comm": "change_argv",
    "Exe_Basename": "change_argv",
    "Notes": "['Potential cmdline spoofing: exe_file=change_argv;cmdline=[malwareX]']",
    "PID": 6717,
    "PPID": 3482,
    "__children": []
  },
  {
    "Cmdline_Basename": "change_comm",
    "Comm": "malwareX",
    "Exe_Basename": "change_comm",
    "Notes": "['Potential comm spoofing: exe_file=change_comm;comm=malwareX']",
    "PID": 6727,
    "PPID": 3482,
    "__children": []
  }
]

@SolitudePy
Copy link
Contributor Author

SolitudePy commented Jun 4, 2025 

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_dump.raw -r json linux.process_spoofing --pid 4868
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
  warnings.warn(
Progress:  100.00               Stacking attempts finished           
[
  {
    "Cmdline_Basename": "copied_bash",
    "Comm": "copied_bash",
    "Exe_Basename": "copied_bash (deleted)",
    "Notes": "['Potential Process image deletion: exe_file=copied_bash (deleted)']",
    "PID": 4868,
    "PPID": 4633,
    "__children": []
  }
]

ikelos
ikelos reviewed Jun 22, 2025
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for your submission and sorry it took so long to find time to review, this plugin looks fun! It's mostly fine, but it smushes the results together into a string, which is longwinded for humans to read and difficult for programs/plugins to parse. Hopefully this should be pretty straight forward to refactor into returning boolean values. It also feels like as number of the methods here may be useful for other plugins, so first check that other plugins don't already implement them and otherwise consider converting them into classmethods so that they can be called externally...

@SolitudePy
Copy link
Contributor Author

SolitudePy commented Jun 25, 2025 

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_dump.raw linux.malware.process_spoofing --pid 4868 
Volatility 3 Framework 2.26.2
Progress:  100.00               Stacking attempts finished           
PID     PPID    Exe_Basename    Cmdline_Basename        Comm    Cmdline_Spoofed Comm_Spoofed    Exe_Deleted

4868    4633    copied_bash (deleted)   copied_bash     copied_bash     False   False   True

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/procspoof_dump_lin.raw -r json linux.malware.process_spoofing --pid 6727
Volatility 3 Framework 2.26.2
Progress:  100.00               Stacking attempts finished           
[
  {
    "Cmdline_Basename": "change_comm",
    "Cmdline_Spoofed": false,
    "Comm": "malwareX",
    "Comm_Spoofed": true,
    "Exe_Basename": "change_comm",
    "Exe_Deleted": false,
    "PID": 6727,
    "PPID": 3482,
    "__children": []
  }
]

@SolitudePy SolitudePy requested a review from ikelos June 25, 2025 18:18
ikelos
ikelos approved these changes Dec 29, 2025
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

All looks really good, just minor quibbles, but honestly it could go in like this if you're tired of tweaking it! Thanks very much for putting up with my schedule, it's really appreciated as are your plugins! 5:)

@SolitudePy
process_spoofing plugin
5aea7f9
@SolitudePy
cosmetics
cf6fa42
@SolitudePy
added mechanism for deleted exe
5c3fca3
@SolitudePy
categorize as a malware plugin
fd270a2
@SolitudePy
Plugins: precise exception handling in process_spoofing
15dc9ec
@SolitudePy
Plugins: remove exe_file dereference()
d55cf9a
@SolitudePy
Plugins: convert useful methods to classmethods
cc6aa21
@SolitudePy
Plugins: consistent return values in process_spoofing
939034c
@SolitudePy
Plugins: process_spoofing log exceptions as debug
8349479
@SolitudePy
Plugins: more precise exception handling in process_spoofing
1a92e74
@SolitudePy
Plugins: swap notes for boolean flags in process_spoofing
d11f509
@SolitudePy
black
5c7cf11
@SolitudePy
Plugins: determine process exe deletion structurally
41f964c
@SolitudePy
Plugins: make get_executable_path more accurate in process_spoofing
d384f62
@SolitudePy
Plugins: utilize linuxutilities.path_for_file (deleted) logic solely
9686b5a
@SolitudePy
Plugins: truncate deleted to check spoofing in process_spoofing
1359a11
@SolitudePy
Plugins: process_spoofing change extract_process_names to classmethod
cbe5b46
@SolitudePy
Plugins: process spoofing handle none values and set more classmethods
c3ddc09
@SolitudePy
black and ruff
4cb326f
@SolitudePy
Plugins: process_spoofing bump required_framework_version
9c5950e
@SolitudePy SolitudePy requested a review from ikelos December 29, 2025 17:55
ikelos
ikelos approved these changes Dec 31, 2025
View reviewed changes
Copy link
Member

@ikelos ikelos left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks good, thanks! 5:) We can merge as soon as the tests complete...

@ikelos ikelos merged commit ade1cf2 into volatilityfoundation:develop Dec 31, 2025
14 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@ikelos ikelos ikelos approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@SolitudePy @ikelos