
process_spoofing plugin #1826


Open
wants to merge 4 commits into base: develop

Conversation

SolitudePy
Contributor

Hello, just playing with memory & OS internals.
Apparently some legitimate processes do these techniques to have enriched information in their cmdline or so. Here are some such processes:

PID     PPID    Exe_Basename    Cmdline_Basename        Comm    Notes

966     1       platform-python3.6      platform-python firewalld       ['Potential cmdline spoofing: exe_file=platform-python3.6;cmdline=platform-python', 'Potential comm spoofing: exe_file=platform-python3.6;comm=firewalld']
991     1       platform-python3.6      platform-python tuned   ['Potential cmdline spoofing: exe_file=platform-python3.6;cmdline=platform-python', 'Potential comm spoofing: exe_file=platform-python3.6;comm=tuned']
1257    1       login   login -- root   login   ['Potential cmdline spoofing: exe_file=login;cmdline=login -- root']
1923    1903    bash    bash    entrypoint.sh   ['Potential comm spoofing: exe_file=bash;comm=entrypoint.sh']
3475    3472    systemd (sd-pam)        (sd-pam)        ['Potential cmdline spoofing: exe_file=systemd;cmdline=(sd-pam)', 'Potential comm spoofing: exe_file=syst
(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/procspoof_dump_lin.raw -r json linux.process_spoofing | jq 'map(select(.Notes != "OK"))'
Volatility 3 Framework 2.26.2
Progress:  100.00               Stacking attempts finished           
[
  {
    "Cmdline_Basename": "[malwareX]",
    "Comm": "change_argv",
    "Exe_Basename": "change_argv",
    "Notes": "['Potential cmdline spoofing: exe_file=change_argv;cmdline=[malwareX]']",
    "PID": 6717,
    "PPID": 3482,
    "__children": []
  },
  {
    "Cmdline_Basename": "change_comm",
    "Comm": "malwareX",
    "Exe_Basename": "change_comm",
    "Notes": "['Potential comm spoofing: exe_file=change_comm;comm=malwareX']",
    "PID": 6727,
    "PPID": 3482,
    "__children": []
  }
]

@SolitudePy
Contributor Author

(venv) ubuntu@ubuntuPC:~/Dev/volatility3$ vol -f ~/dumps/deleted_proc_dump.raw -r json linux.process_spoofing --pid 4868
Volatility 3 Framework 2.26.2
/home/ubuntu/Dev/volatility3/volatility3/framework/deprecation.py:105: FutureWarning: This plugin (PluginRequirement) has been renamed and will be removed in the first release after 2026-06-01. PluginRequirement is to be deprecated. Use VersionRequirement instead.
  warnings.warn(
Progress:  100.00               Stacking attempts finished           
[
  {
    "Cmdline_Basename": "copied_bash",
    "Comm": "copied_bash",
    "Exe_Basename": "copied_bash (deleted)",
    "Notes": "['Potential Process image deletion: exe_file=copied_bash (deleted)']",
    "PID": 4868,
    "PPID": 4633,
    "__children": []
  }
]
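To show how the three comparisons behind the Notes column (exe basename vs. cmdline basename, exe basename vs. comm, and the " (deleted)" suffix from the second dump) interact on the benign and malicious cases shown in both comments, here is an added stand-alone Python sketch. It is not the plugin code from this PR: the ProcRecord fields, the truncation-aware comm comparison and the sample records are assumptions constructed for the example.

```python
import os
from dataclasses import dataclass

TASK_COMM_LEN = 16  # kernel limit: comm holds 15 characters plus NUL
DELETED_SUFFIX = " (deleted)"  # appended by d_path() once the dentry is unlinked

@dataclass
class ProcRecord:
    """Constructed stand-in for the task_struct fields a memory plugin reads."""
    pid: int
    ppid: int
    exe_path: str  # path of task->mm->exe_file
    argv: list     # cmdline split on NUL
    comm: str      # task->comm

def check_process(rec):
    """Return the notes for one process; an empty list means the fields agree."""
    notes = []
    exe_base = os.path.basename(rec.exe_path)
    if exe_base.endswith(DELETED_SUFFIX):
        notes.append(f"Potential Process image deletion: exe_file={exe_base}")
        exe_base = exe_base[: -len(DELETED_SUFFIX)]
    # argv[0] is writable by the process itself; it also differs legitimately
    # when exe_file resolves a symlink (platform-python -> platform-python3.6)
    cmd_base = os.path.basename(rec.argv[0]) if rec.argv else ""
    if cmd_base != exe_base:
        notes.append(f"Potential cmdline spoofing: exe_file={exe_base};cmdline={cmd_base}")
    # comm is truncated by the kernel, so compare the truncated exe name; a #! script
    # keeps its own name in comm while exe_file points at the interpreter
    if rec.comm != exe_base[: TASK_COMM_LEN - 1]:
        notes.append(f"Potential comm spoofing: exe_file={exe_base};comm={rec.comm}")
    return notes

def scan(records):
    """Map pid -> notes list, or the string 'OK', like the plugin's Notes column."""
    return {r.pid: (check_process(r) or "OK") for r in records}

# constructed sample records modelled on the processes shown in the PR
SAMPLE = [
    ProcRecord(966, 1, "/usr/libexec/platform-python3.6",
               ["/usr/libexec/platform-python", "-s", "/usr/sbin/firewalld"], "firewalld"),
    ProcRecord(1923, 1903, "/usr/bin/bash", ["/bin/bash", "/entrypoint.sh"], "entrypoint.sh"),
    ProcRecord(6717, 3482, "/tmp/change_argv", ["[malwareX]"], "change_argv"),
    ProcRecord(4868, 4633, "/tmp/copied_bash (deleted)", ["./copied_bash"], "copied_bash"),
    ProcRecord(700, 1, "/usr/sbin/sshd", ["/usr/sbin/sshd", "-D"], "sshd"),
]

if __name__ == "__main__":
    for pid, notes in scan(SAMPLE).items():
        print(pid, notes)
```

The interpreter and shebang-script cases still produce notes, which is why a reviewer triages this output rather than treating every note as a hit.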
