Prototype generic process functions

volatility3/framework/plugins/linux/pslist.py

@@ -72,7 +72,7 @@ def create_pid_filter(cls, pid_list: List[int] = None) -> Callable[[Any], bool]:
         if filter_list:
 
             def filter_func(x):
-                return x.pid not in filter_list
+                return x.get_pid() not in filter_list
 
             return filter_func
         else:

volatility3/framework/plugins/mac/pslist.py

@@ -109,16 +109,12 @@ def _generator(self):
         ):
             offset = format_hints.Hex(task.vol.offset)
             name = utility.array_to_string(task.p_comm)
-            pid = task.p_pid
+            pid = task.get_pid()
             uid = task.p_uid
             gid = task.p_gid
-            start_time_seconds = task.p_start.tv_sec
-            start_time_microseconds = task.p_start.tv_usec
-            start_time = datetime.datetime.fromtimestamp(
-                start_time_seconds + start_time_microseconds / 1e6
-            )
+            start_time = task.get_create_time()
 
-            ppid = task.p_ppid
+            ppid = task.get_parent_pid()
 
             yield (0, (offset, name, pid, uid, gid, start_time, ppid))
 

volatility3/framework/plugins/windows/pslist.py

@@ -252,13 +252,9 @@ def _generator(self):
                 yield (
                     0,
                     (
-                        proc.UniqueProcessId,
-                        proc.InheritedFromUniqueProcessId,
-                        proc.ImageFileName.cast(
-                            "string",
-                            max_length=proc.ImageFileName.vol.count,
-                            errors="replace",
-                        ),
+                        proc.get_pid(),
+                        proc.get_parent_pid(),
+                        proc.get_name(),
                         format_hints.Hex(offset),
                         proc.ActiveThreads,
                         proc.get_handle_count(),

volatility3/framework/symbols/generic/__init__.py

@@ -4,12 +4,47 @@
 
 import random
 import string
+import datetime
 from typing import Union
 
 from volatility3.framework import objects, interfaces
 
 
-class GenericIntelProcess(objects.StructType):
+class GenericProcess(objects.StructType):
+    """A Generic Process class which is not designed to be used directly but provide a base to be used elsewhere."""
+
+    def get_pid(self) -> int:
+        """get_pid should return the pid of the process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_pid method defined"
+        )
+
+    def get_parent_pid(self) -> int:
+        """get_parent_pid should return the pid of the parent process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_parent_pid method defined"
+        )
+
+    def get_name(self) -> str:
+        """get_name should return the friendly name of the process"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_name method defined"
+        )
+
+    def get_create_time(self) -> datetime.datetime:
+        """get_create_time should return the time the process was created/started"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_start_time method defined"
+        )
+
+    def get_exit_time(self) -> datetime.datetime:
+        """get_exit_time should return the time the process exited/finished"""
+        raise NotImplementedError(
+            "The GenericProcess base class has no get_exit_time method defined"
+        )
+
+
+class GenericIntelProcess(GenericProcess):
     def _add_process_layer(
         self,
         context: interfaces.context.ContextInterface,

volatility3/framework/symbols/linux/extensions/__init__.py

@@ -258,6 +258,18 @@ def get_threads(self) -> Iterable[interfaces.objects.ObjectInterface]:
         ):
             yield task
 
+    def get_pid(self) -> int:
+        """Returns the pid of this process"""
+        return self.tgid
+
+    def get_parent_pid(self) -> int:
+        """Returns the pid of parent of this process"""
+        return self.parent.get_pid() if self.parent else 0
+
+    def get_name(self) -> str:
+        """Returns the name of this process"""
+        return utility.array_to_string(self.comm)
+
 
 class fs_struct(objects.StructType):
     def get_root_dentry(self):

volatility3/framework/symbols/mac/extensions/__init__.py

@@ -3,6 +3,7 @@
 #
 import contextlib
 import logging
+import datetime
 from typing import Generator, Iterable, Optional, Set, Tuple
 
 from volatility3.framework import constants, exceptions, interfaces, objects
@@ -108,6 +109,22 @@ def get_process_memory_sections(
 
             yield (start, end - start)
 
+    def get_pid(self) -> int:
+        return self.p_pid
+
+    def get_parent_pid(self) -> int:
+        return self.p_ppid
+
+    def get_name(self) -> str:
+        return utility.array_to_string(self.p_comm)
+
+    def get_create_time(self) -> datetime.datetime:
+        start_time_seconds = self.p_start.tv_sec
+        start_time_microseconds = self.p_start.tv_usec
+        return datetime.datetime.fromtimestamp(
+            start_time_seconds + start_time_microseconds / 1e6
+        )
+
 
 class fileglob(objects.StructType):
     def get_fg_type(self):

volatility3/framework/symbols/windows/extensions/__init__.py

@@ -812,6 +812,20 @@ def environment_variables(self):
                 yield env, var
         return  # Generation finished
 
+    def get_pid(self) -> int:
+        """Returns the pid of this process"""
+        return self.UniqueProcessId
+
+    def get_parent_pid(self) -> int:
+        """Returns the pid of parent of this process"""
+        return self.InheritedFromUniqueProcessId
+
+    def get_name(self) -> str:
+        """Returns the name of this process"""
+        return self.ImageFileName.cast(
+            "string", max_length=self.ImageFileName.vol.count, errors="replace"
+        )
+
 
 class LIST_ENTRY(objects.StructType, collections.abc.Iterable):
     """A class for double-linked lists on Windows."""