
Merge pull request #1076 from ckusek15/windows-pstree
Windows: Add additional command line argument info to windows pstree
ikelos authored Feb 1, 2024
2 parents 9b281c4 + a50ebb6 commit 18dd23a
Showing 1 changed file with 23 additions and 1 deletion.
24 changes: 23 additions & 1 deletion volatility3/framework/plugins/windows/pstree.py
Expand Up @@ -5,7 +5,7 @@
import logging
from typing import Callable, Dict, Set, Tuple

from volatility3.framework import objects, interfaces, renderers
from volatility3.framework import objects, interfaces, renderers, exceptions
from volatility3.framework.configuration import requirements
from volatility3.framework.renderers import format_hints
from volatility3.plugins.windows import pslist
Expand Down Expand Up @@ -132,6 +132,25 @@ def yield_processes(pid, descendant: bool = False):
proc.get_exit_time(),
)

try:
audit = proc.SeAuditProcessCreationInfo.ImageFileName.Name
# If 'audit' is set to the empty string, display NotAvailableValue
row += (audit.get_string() or renderers.NotAvailableValue(),)
except exceptions.InvalidAddressException:
row += (renderers.NotAvailableValue(),)

try:
process_params = proc.get_peb().ProcessParameters
row += (
process_params.CommandLine.get_string(),
process_params.ImagePathName.get_string(),
)
except exceptions.InvalidAddressException:
row += (
renderers.NotAvailableValue(),
renderers.NotAvailableValue(),
)

yield (self._levels[pid] - 1, row)
for child_pid in self._children.get(pid, []):
yield from yield_processes(
Expand Down Expand Up @@ -161,6 +180,9 @@ def run(self):
("Wow64", bool),
("CreateTime", datetime.datetime),
("ExitTime", datetime.datetime),
("Audit", str),
("Cmd", str),
("Path", str),
],
self._generator(
filter_func=pslist.PsList.create_pid_filter(
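Review bot: In the second hunk, the try around `process_params = proc.get_peb().ProcessParameters` decodes CommandLine and ImagePathName inside a single tuple, so when only one of the two buffers is unreadable the value that was already decoded is discarded and both the Cmd and Path columns render NotAvailableValue, whereas the Audit block just above keeps per-value granularity. Reading the PEB once and then decoding each string under its own InvalidAddressException handler preserves whichever value is available, as below. A short comment on the new columns would also help analysts reading the output, e.g. `# Cmd/Path are read from the PEB, which lives in the process's own address space and can be altered by it; Audit comes from SeAuditProcessCreationInfo, which the kernel populates at creation` — the second half is inferred from the field name rather than shown here, so confirm it before committing to it. yield_processes begins and ends outside the hunk, and run() in the third hunk is likewise cut at both edges.
```python
# … unchanged: Audit column handling …

try:
    process_params = proc.get_peb().ProcessParameters
except exceptions.InvalidAddressException:
    process_params = None

# Decode each PEB string on its own so one unreadable buffer does not
# discard the other value; the PEB is process memory and either may fail.
for field in ("CommandLine", "ImagePathName"):
    value = renderers.NotAvailableValue()
    if process_params is not None:
        try:
            value = getattr(process_params, field).get_string()
        except exceptions.InvalidAddressException:
            pass
    row += (value,)

# … unchanged: yield of (level, row) and recursion into children …
```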

