Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/monnappa22/Psinfo
Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related information and spot any process anamoly without having to run multiple plugins.
https://github.com/monnappa22/Psinfo
Last synced: 11 days ago
JSON representation
Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related information and spot any process anamoly without having to run multiple plugins.
- Host: GitHub
- URL: https://github.com/monnappa22/Psinfo
- Owner: monnappa22
- Created: 2016-09-24T14:19:42.000Z (about 8 years ago)
- Default Branch: master
- Last Pushed: 2016-09-24T14:27:50.000Z (about 8 years ago)
- Last Synced: 2024-08-02T03:07:30.336Z (3 months ago)
- Language: Python
- Size: 2.93 KB
- Stars: 35
- Watchers: 7
- Forks: 15
- Open Issues: 2
-
Metadata Files:
- Readme: README.md
Awesome Lists containing this project
- awesome-volatility - Psinfo - plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system (Volatility 2 / Plugins)
README
# Psinfo
Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related information and spot any process anamoly without having to run multiple plugins.
Full details can be found in the link:
https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/
### Running the Plugin
Copy the plugin to volatility/plugins directory
Run the plugin against memory image as shown below
```sh
$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo
```
### Other Options
To filter on a specic process id use -p option
```sh
$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820
```
To filter on multiple process ids use -p followed by comma seperated process ids
```sh
$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820,868
```
To dump the suspicious memory regions use -D followed by directory name
```sh
$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820 -D dump/
```
To redirect the output to file use --output-file option
```sh
$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo --output-file=output.txt
```