volatility3
Feature: implement `JobLinks` plugin.
Description
Hello, everyone in the community! 😃
There are some plugins that have not been implemented as part of the update from Volatility2 to 3.
I found that the JobLinks plugin has not yet been migrated to 3.
So I implemented (or ported) the JobLinks plugin according to the Volatility3 structure.
It was implemented by referring to the existing code so that the same results as Volatility 2 can be obtained. I tested it on several versions of Windows, and the results of versions 2 and 3 matched.
Command
Help Command
> python3 vol.py -h
windows.joblinks.JobLinks Print process job link information
Run Command
> python3 vol.py -f case.vmem windows.joblinks
Output Example
> python3 vol.py -f case.vmem -r pretty windows.joblinks
Volatility 3 Framework 2.3.0
Formatting...0.00 PDB scanning finished
| Offset(V) | Name | PID | PPID | Sess | JobSess | Wow64 | Total | Active | Term | JobLink | Process
* | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 2 | 2 | 0 | N/A | (Original Process)
** | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
** | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
* | 0x97065febf2c0 | taskhostw.exe | 3336 | 492 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x97065febf2c0 | taskhostw.exe | 3336 | 492 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\taskhostw.exe
* | 0x9706600072c0 | StartMenuExper | 4292 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x9706600072c0 | StartMenuExper | 4292 | 760 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
* | 0x97065fdad080 | RuntimeBroker. | 4376 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
* | 0x97065fdb7080 | SearchApp.exe | 4484 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
* | 0x97066043c080 | RuntimeBroker. | 4632 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x97066043c080 | RuntimeBroker. | 4632 | 760 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\System32\RuntimeBroker.exe
* | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 2 | 2 | 0 | N/A | (Original Process)
** | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
** | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
If you are interested in or have any comments on this PR, please feel free to leave a thread! 🙌
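As an added example for readers who want to script against the output above (this is not code from the PR or from volatility3), the following parses the `-r pretty` tree output, groups each original process with the JobLink rows nested under it, lists the PIDs that share one job object (2136 and 3744 in the output above), and flags rows whose Active count differs from the number of JobLink rows printed beneath them (PIDs 4376 and 4484 above). The column names, the sample input (copied from the output above) and the helper names are this example's own assumptions.

```python
"""Parse `windows.joblinks` pretty output and summarise job-object membership."""

# Rows copied from the `-r pretty` output shown above and embedded here as
# constructed sample input for this example; the code does not run Volatility.
SAMPLE_OUTPUT = r"""
Volatility 3 Framework 2.3.0
Formatting...0.00 PDB scanning finished
| Offset(V) | Name | PID | PPID | Sess | JobSess | Wow64 | Total | Active | Term | JobLink | Process
* | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 2 | 2 | 0 | N/A | (Original Process)
** | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
** | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
* | 0x97065febf2c0 | taskhostw.exe | 3336 | 492 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x97065febf2c0 | taskhostw.exe | 3336 | 492 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\taskhostw.exe
* | 0x9706600072c0 | StartMenuExper | 4292 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x9706600072c0 | StartMenuExper | 4292 | 760 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
* | 0x97065fdad080 | RuntimeBroker. | 4376 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
* | 0x97065fdb7080 | SearchApp.exe | 4484 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
* | 0x97066043c080 | RuntimeBroker. | 4632 | 760 | 1 | 1 | False | 1 | 1 | 0 | N/A | (Original Process)
** | 0x97066043c080 | RuntimeBroker. | 4632 | 760 | 1 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\System32\RuntimeBroker.exe
* | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 2 | 2 | 0 | N/A | (Original Process)
** | 0x97065fd2d280 | WmiPrvSE.exe | 2136 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
** | 0x97065f358080 | WmiPrvSE.exe | 3744 | 760 | 0 | 0 | False | 0 | 0 | 0 | Yes | C:\Windows\system32\wbem\wmiprvse.exe
"""

# Column names assumed from the header line of the output above.
COLUMNS = ("offset", "name", "pid", "ppid", "sess", "jobsess", "wow64",
           "total", "active", "term", "joblink", "process")
INT_COLUMNS = ("pid", "ppid", "sess", "jobsess", "total", "active", "term")


def parse_pretty(text):
    """Return one dict per data row of the pretty renderer's tree output.

    The leading run of '*' is the renderer's depth marker: one star for a
    process from the process list, two for a process reached through its job.
    Banner, progress and header lines carry no marker and are skipped.
    """
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("*"):
            continue
        marker, *cells = (c.strip() for c in line.split("|"))
        if len(cells) != len(COLUMNS):
            raise ValueError(f"expected {len(COLUMNS)} columns: {line!r}")
        row = dict(zip(COLUMNS, cells))
        row["depth"] = len(marker)
        row["offset"] = int(row["offset"], 16)
        for key in INT_COLUMNS:
            row[key] = int(row[key])
        row["wow64"] = row["wow64"] == "True"
        rows.append(row)
    return rows


def job_membership(rows):
    """Group each original (depth-1) process with the JobLink rows under it.

    Keys are (pid, offset) of the original process; values hold that row and
    the depth-2 rows, i.e. the processes the plugin walked from the same job.
    """
    jobs = {}
    current = None
    for row in rows:
        if row["depth"] == 1:
            current = (row["pid"], row["offset"])
            jobs[current] = {"owner": row, "members": []}
        elif row["depth"] == 2 and current is not None:
            jobs[current]["members"].append(row)
        else:
            raise ValueError(f"unexpected depth {row['depth']} for PID {row['pid']}")
    return jobs


def shared_jobs(jobs):
    """Distinct member sets of size > 1: processes that share one job object.

    Every member of a job is itself listed as an original process, so the
    same group appears once per member; dedupe on the PID set.
    """
    seen, groups = set(), []
    for entry in jobs.values():
        pids = frozenset(m["pid"] for m in entry["members"])
        if len(pids) > 1 and pids not in seen:
            seen.add(pids)
            groups.append(tuple(sorted(pids)))
    return groups


def active_count_mismatches(jobs):
    """PIDs whose Active column differs from the number of JobLink rows printed.

    These are the rows to look at first: the job reports a live process that
    the walk from the job did not produce as a JobLink row.
    """
    return [pid for (pid, _), entry in jobs.items()
            if entry["owner"]["active"] != len(entry["members"])]


if __name__ == "__main__":
    jobs = job_membership(parse_pretty(SAMPLE_OUTPUT))
    for (pid, offset), entry in jobs.items():
        members = ", ".join(f"{m['pid']} {m['process']}" for m in entry["members"]) or "-"
        print(f"{pid:>5} @ {offset:#x} active={entry['owner']['active']} members: {members}")
    print("shared job objects:", shared_jobs(jobs))
    print("active count mismatches:", active_count_mismatches(jobs))
```

To run it against a real capture, pipe the plugin's output into `parse_pretty` instead of `SAMPLE_OUTPUT`; the parser only relies on the `*` depth markers and the column order of the header above, so it would need adjusting if the plugin's columns change.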