Process Analysis
Process analysis is typically the first step in memory forensics β establishing what was running, what spawned it, and whether the process tree looks legitimate before drilling into specific processes of interest.
Process Listingβ
pslist β Active Process Listβ
Lists processes by walking the doubly-linked EPROCESS list in the kernel. Fast and clean, but rootkits can hide processes by unlinking them from this list.
vol.py -f <image> --profile=<profile> pslist
vol3 -f <image> windows.pslist
Key fields: PID, PPID, Name, Offset, Start time, Exit time (if terminated).
psscan β EPROCESS Structure Scanβ
Scans raw memory for EPROCESS pool tags rather than walking the linked list. Finds processes hidden by rootkits and terminated processes still resident in memory.
vol.py -f <image> --profile=<profile> psscan
vol3 -f <image> windows.psscan
pslist vs psscan for Rootkit DetectionProcesses appearing in psscan but not in pslist are unlinked from the active process list β a strong rootkit/process hiding indicator.
# Vol2 β find PIDs in psscan but not pslist
comm -23 \
<(vol.py -f <image> --profile=<profile> psscan | awk '{print $3}' | sort) \
<(vol.py -f <image> --profile=<profile> pslist | awk '{print $3}' | sort)
pstree β Process Treeβ
Displays the process list as a parent-child tree. Useful for quickly spotting abnormal parent-child relationships (e.g., Word.exe spawning cmd.exe, or svchost.exe with an unexpected parent).
vol.py -f <image> --profile=<profile> pstree
vol3 -f <image> windows.pstree
| Suspicious Pattern | Why |
|---|---|
winword.exe β cmd.exe / powershell.exe | Macro-based code execution |
explorer.exe β svchost.exe | Legitimate svchost should be parented by services.exe |
lsass.exe spawning anything | lsass should never spawn child processes |
Double lsass.exe or csrss.exe | Masquerading β legitimate ones are singletons |
svchost.exe not parented by services.exe | Suspicious svchost injection/masquerading |
Process Detailsβ
cmdline β Command Line Argumentsβ
Displays the full command-line string used to launch each process. Critical for identifying suspicious arguments, unusual paths, LOLBin abuse, or encoded PowerShell.
# All processes
vol.py -f <image> --profile=<profile> cmdline
# Specific PID
vol.py -f <image> --profile=<profile> cmdline -p <PID>
vol3 -f <image> windows.cmdline
vol3 -f <image> windows.cmdline --pid <PID>
- Long Base64-encoded strings in PowerShell command lines (
-enc/-EncodedCommand) - Executables running from
%TEMP%,%APPDATA%, or other unusual paths - Renamed system binaries (e.g.,
svchost.exerunning fromC:\Users\...) - Tools launched directly from memory (process has no on-disk path)
dlllist β Loaded DLLs per Processβ
Lists all DLLs loaded by a process. Useful for spotting injected DLLs, unsigned DLLs in unexpected locations, or DLL search order hijacking.
# All processes
vol.py -f <image> --profile=<profile> dlllist
# Specific PID
vol.py -f <image> --profile=<profile> dlllist -p <PID>
vol3 -f <image> windows.dlllist
vol3 -f <image> windows.dlllist --pid <PID>
handles β Open Handlesβ
Lists all open handles (files, registry keys, mutexes, events, threads, processes) for a process. Useful for identifying what files/keys a suspicious process is accessing, and for finding malware mutexes used as infection markers.
vol.py -f <image> --profile=<profile> handles -p <PID>
# Filter by handle type
vol.py -f <image> --profile=<profile> handles -p <PID> -t File
vol.py -f <image> --profile=<profile> handles -p <PID> -t Mutant
vol.py -f <image> --profile=<profile> handles -p <PID> -t Key
vol3 -f <image> windows.handles --pid <PID>
Handle types: File, Key, Process, Thread, Token, Mutant, Event, Section, Directory.
envars β Environment Variablesβ
Displays the environment variables of each process. Useful for identifying processes with unusual or manipulated environments (e.g., modified PATH, COMSPEC, or TEMP pointing to attacker-controlled directories).
vol.py -f <image> --profile=<profile> envars -p <PID>
vol3 -f <image> windows.envars --pid <PID>
getsids β Security Identifiersβ
Lists the SIDs (Security Identifiers) associated with a process β what user and group context it is running under. Useful for identifying SYSTEM-level processes that should not be, or processes running under unexpected service accounts.
vol.py -f <image> --profile=<profile> getsids -p <PID>
vol3 -f <image> windows.getsids --pid <PID>
privs β Process Privilegesβ
Lists the privileges held by each process and whether they are enabled. Useful for identifying privilege abuse β processes with SeDebugPrivilege or SeImpersonatePrivilege enabled are commonly associated with credential theft and lateral movement.
vol.py -f <image> --profile=<profile> privs -p <PID>
vol3 -f <image> windows.privileges --pid <PID>
| Privilege | Abuse Potential |
|---|---|
SeDebugPrivilege | Read/write any process memory β used by credential dumpers (Mimikatz) |
SeImpersonatePrivilege | Impersonate any logged-on user β used by token impersonation attacks |
SeLoadDriverPrivilege | Load kernel drivers β used by rootkits |
SeTcbPrivilege | Act as part of the OS β extremely high risk |
SeBackupPrivilege | Read any file regardless of ACL β used for SAM/SYSTEM hive theft |
Virtual Address Descriptor (VAD) Analysisβ
vadinfo β Virtual Address Descriptor Treeβ
Displays the VAD tree for a process β the kernel's record of all virtual memory regions allocated to the process, including their protection flags, mapped file names, and type. Essential for finding injected shellcode or PE files mapped into unexpected memory regions.
vol.py -f <image> --profile=<profile> vadinfo -p <PID>
vol3 -f <image> windows.vadinfo --pid <PID>
Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection that are not backed by a file on disk are a strong indicator of injected shellcode or an unpacked payload. Legitimate code pages are typically PAGE_EXECUTE_READ.
vaddump β Dump VAD Region to Fileβ
Dumps the contents of a specific virtual memory region to a file. Useful for extracting shellcode or unpacked payloads from RWX regions identified by vadinfo.
vol.py -f <image> --profile=<profile> vaddump -p <PID> -b <vad_start_address> -D <output_dir>
Vol3 does not have a direct vaddump equivalent. Use windows.vadyarascan to scan VAD regions with YARA rules, or dump the full process memory with windows.memmap --dump and carve the region manually.