Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related informa…
Clone or download
root
Latest commit 48c60d3 Sep 24, 2016
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
README.md First Commit Sep 24, 2016
psinfo.py First Commit Sep 24, 2016

README.md

Psinfo

Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related information and spot any process anamoly without having to run multiple plugins.

Full details can be found in the link: https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/

Running the Plugin

Copy the plugin to volatility/plugins directory

Run the plugin against memory image as shown below

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo

Other Options

To filter on a specic process id use -p option

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820

To filter on multiple process ids use -p followed by comma seperated process ids

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820,868

To dump the suspicious memory regions use -D followed by directory name

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820 -D dump/

To redirect the output to file use --output-file option

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo --output-file=output.txt