Psinfo

Psinfo is a Volatility plugin which collects the process related information from the VAD (Virtual Address Descriptor) and PEB (Process Enivornment Block) and displays the collected information and suspicious memory regions for all the processes running on the system. This plugin should allow a security analyst to get the process related information and spot any process anamoly without having to run multiple plugins.

Full details can be found in the link: https://cysinfo.com/detecting-malicious-processes-psinfo-volatility-plugin/

Running the Plugin

Copy the plugin to volatility/plugins directory

Run the plugin against memory image as shown below

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo

Other Options

To filter on a specic process id use -p option

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820

To filter on multiple process ids use -p followed by comma seperated process ids

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820,868

To dump the suspicious memory regions use -D followed by directory name

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo -p 1820 -D dump/

To redirect the output to file use --output-file option

$ python vol.py -f infected.vmem --profile=Win7SP0x86 psinfo --output-file=output.txt

Name		Name	Last commit message	Last commit date
Latest commit History 2 Commits
README.md		README.md
psinfo.py		psinfo.py

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

Psinfo

Running the Plugin

Other Options

About

Releases

Packages

Contributors 2

Languages

monnappa22/Psinfo

Folders and files

Latest commit

History

Repository files navigation

Psinfo

Running the Plugin

Other Options

About

Resources

Stars

Watchers

Forks

Releases

Packages 0

Contributors 2

Languages

Packages