Thursday, October 2, 2008

pstree - a volatility plugin

I have been lurking on the volatility irc channel (#volatility @ irc.freenode.net) and I overheard a challenge to make a pstree like plugin. I thought this would be a great way to learn more of the code base.

The volatility code base is very nice and well written. It can be improved however, and this plugin demonstrates what I propose to make the code more reusable. As can be seen producing the data and rendering it are separated into 2 methods. The calculate() method just produces a data structure, and the render method output the data to the screen. This architecture is better because other tools can then just over ride the render method to output the data in any format they see fit - e.g. XML, HTML etc.

Ed: After posting the initial version I had lots of discussions from the IRC channel. The next challenge was to recover the path and name of the binary for each task. There are lots of ways to do this and I was offered 3:

First off we can get the CommandLine from the PEB. This is what volatility already does in dlllist for example

Second we can get the ImagePathName from the PEB (as moyix and msuiche point out - thanks guys for the help). Note that for those two options we need to switch to process address space first.

Lastly aschuster pointer out that same information is also stored in the auditing subsystem SeAuditProcessCreationInfo (thanks aschuster).

So there are many ways to skin this cat. Here is a sample output. Hopefully all these agree with each other.

No comments: