From 83a756b7ea06dd3da9788c41a5a7669fb02b9da4 Mon Sep 17 00:00:00 2001
From: Eve
Date: Mon, 4 Sep 2023 06:56:26 +0100
Subject: [PATCH 1/4] Add experimental GenericProcess class
---
 .../framework/symbols/generic/__init__.py | 37 ++++++++++++++++++-
 1 file changed, 36 insertions(+), 1 deletion(-)
diff --git a/volatility3/framework/symbols/generic/__init__.py b/volatility3/framework/symbols/generic/__init__.py
index 9d6da5aa4..664a9b141 100644
--- a/volatility3/framework/symbols/generic/__init__.py
+++ b/volatility3/framework/symbols/generic/__init__.py
@@ -4,12 +4,47 @@
 import random
 import string
+import datetime
 from typing import Union
 from volatility3.framework import objects, interfaces
-class GenericIntelProcess(objects.StructType):
+class GenericProcess(objects.StructType):
+    """A Generic Process class which is not designed to be used directly but provide a base to be used elsewhere."""
+
+    def get_pid(self) -> int:
+        """get_pid should return the pid of the process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_pid method defined"
+        )
+
+    def get_parent_pid(self) -> int:
+        """get_parent_pid should return the pid of the parent process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_parent_pid method defined"
+        )
+
+    def get_name(self) -> str:
+        """get_name should return the friendly name of the process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_name method defined"
+        )
+
+    def get_create_time(self) -> datetime.datetime:
+        """get_create_time should return the time the process was created/started"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_start_time method defined"
+        )
+
+    def get_exit_time(self) -> datetime.datetime:
+        """get_exit_time should return the time the process exited/finished"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_exit_time method defined"
+        )
+
+
+class GenericIntelProcess(GenericProcess):
     def _add_process_layer(
         self,
         context: interfaces.context.ContextInterface,
From cb12823cdc1aba807f6391ceb523b68650a080cc Mon Sep 17 00:00:00 2001
From: Eve
Date: Mon, 4 Sep 2023 07:02:58 +0100
Subject: [PATCH 2/4] Add functions to linux/windows/mac extensions to for experimental GenericProcess class
---
 .../symbols/linux/extensions/__init__.py | 12 ++++++++++++
 .../symbols/mac/extensions/__init__.py | 17 +++++++++++++++++
 .../symbols/windows/extensions/__init__.py | 14 ++++++++++++++
 3 files changed, 43 insertions(+)
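Review bot: The NotImplementedError raised by get_create_time names a method that does not exist — the message says `get_start_time` while the method is `get_create_time` — so a subclass author who hits it is sent looking for the wrong name; change it to `"The GenericProcess base class has no get_create_time method defined"`. The class docstring also reads awkwardly; I would write `"""A generic process class, not designed to be used directly, which provides a base for the OS-specific process classes."""`. Because every method in the base simply raises, a caller written against GenericProcess cannot tell which accessors a given OS subclass actually implements (as far as this series shows, the Linux and Windows extensions leave get_create_time and get_exit_time unimplemented), so a sentence in the class docstring stating which methods are optional for subclasses would help plugin authors. The rest of GenericIntelProcess continues outside the hunk.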
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
index 3fb772135..acf3bc1ef 100644
--- a/volatility3/framework/symbols/linux/extensions/__init__.py
+++ b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -258,6 +258,18 @@ def get_threads(self) -> Iterable[interfaces.objects.ObjectInterface]:
         ):
             yield task
+    def get_pid(self) -> int:
+        """Returns the pid of this process"""
+        return self.tgid
+
+    def get_parent_pid(self) -> int:
+        """Returns the pid of parent of this process"""
+        return self.parent.get_pid() if self.parent else 0
+
+    def get_name(self) -> str:
+        """Returns the name of this process"""
+        return utility.array_to_string(self.comm)
+
 class fs_struct(objects.StructType):
     def get_root_dentry(self):
diff --git a/volatility3/framework/symbols/mac/extensions/__init__.py b/volatility3/framework/symbols/mac/extensions/__init__.py
index c89b527e6..9b4ceee55 100644
--- a/volatility3/framework/symbols/mac/extensions/__init__.py
+++ b/volatility3/framework/symbols/mac/extensions/__init__.py
@@ -3,6 +3,7 @@
 #
 import contextlib
 import logging
+import datetime
 from typing import Generator, Iterable, Optional, Set, Tuple
 from volatility3.framework import constants, exceptions, interfaces, objects
@@ -108,6 +109,22 @@ def get_process_memory_sections(
             yield (start, end - start)
+    def get_pid(self) -> int:
+        return self.p_pid
+
+    def get_parent_pid(self) -> int:
+        return self.p_ppid
+
+    def get_name(self) -> str:
+        return utility.array_to_string(self.p_comm)
+
+    def get_create_time(self) -> datetime.datetime:
+        start_time_seconds = self.p_start.tv_sec
+        start_time_microseconds = self.p_start.tv_usec
+        return datetime.datetime.fromtimestamp(
+            start_time_seconds + start_time_microseconds / 1e6
+        )
+
 class fileglob(objects.StructType):
     def get_fg_type(self):
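Review bot: get_pid returns `self.tgid` rather than the task's own `pid`, so for a thread it yields the thread-group leader's id; that is a defensible choice for a process-level API, but it is a semantic change for any caller that previously read `.pid` (the linux pslist filter later in this series is one) and the docstring should say so: `"""Returns the pid (thread group id, tgid) of this process"""`. In get_parent_pid the truthiness test on `self.parent` presumably treats a null pointer as falsy, but a parent pointer into an unmapped page would still raise on dereference rather than fall back to 0 — worth a one-line comment if that is the intended contract, since callers of the generic interface will assume get_parent_pid is total. The get_parent_pid docstring is missing a word: `"""Returns the pid of the parent of this process"""`. The enclosing task class starts outside the hunk.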
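Review bot: The four new methods on the mac process class carry no docstrings, unlike their Linux and Windows counterparts in this series; add one-liners such as `"""Returns the pid of this process"""` and, for get_create_time, `"""Returns the process start time built from p_start (tv_sec + tv_usec) as a naive local-time datetime"""`. On that last point, `datetime.datetime.fromtimestamp()` with no `tz` argument interprets the timestamp in the analysis machine's local zone and returns a naive datetime, so the same image produces different values on differently configured hosts; this is carried over verbatim from the plugin, but now that it sits behind a generic interface it is worth either passing `tz=datetime.timezone.utc` or documenting the naive-local behaviour on the method so plugin authors do not compare it against aware timestamps. The enclosing class begins before this hunk.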
diff --git a/volatility3/framework/symbols/windows/extensions/__init__.py b/volatility3/framework/symbols/windows/extensions/__init__.py
index ba00a4053..cb5e408ac 100755
--- a/volatility3/framework/symbols/windows/extensions/__init__.py
+++ b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -812,6 +812,20 @@ def environment_variables(self):
             yield env, var
         return # Generation finished
+    def get_pid(self) -> int:
+        """Returns the pid of this process"""
+        return self.UniqueProcessId
+
+    def get_parent_pid(self) -> int:
+        """Returns the pid of parent of this process"""
+        return self.InheritedFromUniqueProcessId
+
+    def get_name(self) -> str:
+        """Returns the name of this process"""
+        return self.ImageFileName.cast(
+            "string", max_length=self.ImageFileName.vol.count, errors="replace"
+        )
+
 class LIST_ENTRY(objects.StructType, collections.abc.Iterable):
     """A class for double-linked lists on Windows."""
From 7f03a615e4d277cd676694ea021cc2bf4804f4c4 Mon Sep 17 00:00:00 2001
From: Eve
Date: Mon, 4 Sep 2023 07:05:25 +0100
Subject: [PATCH 3/4] Modify linux/windows/mac pslist plugins to use experimental GenericProcess functions
---
 volatility3/framework/plugins/linux/pslist.py | 2 +-
 volatility3/framework/plugins/mac/pslist.py | 10 +++-------
 volatility3/framework/plugins/windows/pslist.py | 10 +++-------
 3 files changed, 7 insertions(+), 15 deletions(-)
diff --git a/volatility3/framework/plugins/linux/pslist.py b/volatility3/framework/plugins/linux/pslist.py
index 16e370b6e..328c0de27 100644
--- a/volatility3/framework/plugins/linux/pslist.py
+++ b/volatility3/framework/plugins/linux/pslist.py
@@ -72,7 +72,7 @@ def create_pid_filter(cls, pid_list: List[int] = None) -> Callable[[Any], bool]:
         if filter_list:
             def filter_func(x):
-                return x.pid not in filter_list
+                return x.get_pid() not in filter_list
             return filter_func
         else:
diff --git a/volatility3/framework/plugins/mac/pslist.py b/volatility3/framework/plugins/mac/pslist.py
index 88045a277..d9bcbda64 100644
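Review bot: The get_parent_pid docstring is missing a word — `"""Returns the pid of the parent of this process"""` — and get_name's use of `errors="replace"` deserves a comment, because it means an ImageFileName that does not decode is silently rendered with U+FFFD replacement characters instead of failing; that is the existing plugin behaviour moved into the extension, but readers of the accessor no longer see the plugin context, so `# undecodable bytes become U+FFFD so a corrupted name never aborts a listing` on the cast makes the choice deliberate. Like the Linux extension in this series, this class implements only three of the five GenericProcess accessors, which is worth stating in the class docstring so callers know get_create_time and get_exit_time will raise NotImplementedError here. The enclosing process class starts outside the hunk.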
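Review bot: Switching the filter to `x.get_pid()` changes what the pid filter matches on Linux: get_pid, as added earlier in this series, returns `tgid`, whereas the removed line compared `x.pid`, so a thread whose pid differs from its thread-group id is now selected by the group leader's id and no longer by its own pid. If that is intended it should be stated in create_pid_filter's docstring or on this line, e.g. `# filter on the thread group id, so every thread of a selected process is kept`; if not, keep `return x.pid not in filter_list`. create_pid_filter starts and ends outside the hunk.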
--- a/volatility3/framework/plugins/mac/pslist.py
+++ b/volatility3/framework/plugins/mac/pslist.py
@@ -109,16 +109,12 @@ def _generator(self):
         ):
             offset = format_hints.Hex(task.vol.offset)
             name = utility.array_to_string(task.p_comm)
-            pid = task.p_pid
+            pid = task.get_pid()
             uid = task.p_uid
             gid = task.p_gid
-            start_time_seconds = task.p_start.tv_sec
-            start_time_microseconds = task.p_start.tv_usec
-            start_time = datetime.datetime.fromtimestamp(
-                start_time_seconds + start_time_microseconds / 1e6
-            )
+            start_time = task.create_time()
-            ppid = task.p_ppid
+            ppid = task.get_parent_pid()
             yield (0, (offset, name, pid, uid, gid, start_time, ppid))
diff --git a/volatility3/framework/plugins/windows/pslist.py b/volatility3/framework/plugins/windows/pslist.py
index 88697e71a..52d5840af 100644
--- a/volatility3/framework/plugins/windows/pslist.py
+++ b/volatility3/framework/plugins/windows/pslist.py
@@ -252,13 +252,9 @@ def _generator(self):
             yield (
                 0,
                 (
-                    proc.UniqueProcessId,
-                    proc.InheritedFromUniqueProcessId,
-                    proc.ImageFileName.cast(
-                        "string",
-                        max_length=proc.ImageFileName.vol.count,
-                        errors="replace",
-                    ),
+                    proc.get_pid(),
+                    proc.get_parent_pid(),
+                    proc.get_name(),
                     format_hints.Hex(offset),
                     proc.ActiveThreads,
                     proc.get_handle_count(),
From f2718655e92d2edaa072f89498fead8a3a6523f0 Mon Sep 17 00:00:00 2001
From: Eve
Date: Mon, 4 Sep 2023 07:55:17 +0100
Subject: [PATCH 4/4] Fix: mac pslist plugin to use get_create_time rather than create_time which does not exist
---
 volatility3/framework/plugins/mac/pslist.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/volatility3/framework/plugins/mac/pslist.py b/volatility3/framework/plugins/mac/pslist.py
index d9bcbda64..2845f71cb 100644
--- a/volatility3/framework/plugins/mac/pslist.py
+++ b/volatility3/framework/plugins/mac/pslist.py
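Review bot: The hunk moves pid, start time and ppid onto the new accessors but leaves `name = utility.array_to_string(task.p_comm)` as a direct field read, even though get_name() was added to the mac process class in the same series; for consistency with the Windows pslist change in this patch use `name = task.get_name()`. With the fromtimestamp() call removed from this function the module-level `datetime` import may now be unused, and `utility` would be too once get_name() is adopted — the import block is outside the hunk, so this needs checking there. _generator starts and ends outside the hunk.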
@@ -112,7 +112,7 @@ def _generator(self):
             pid = task.get_pid()
             uid = task.p_uid
             gid = task.p_gid
-            start_time = task.create_time()
+            start_time = task.get_create_time()
             ppid = task.get_parent_pid()