Skip to main content

Process Analysis


Process analysis is typically the first step in memory forensics β€” establishing what was running, what spawned it, and whether the process tree looks legitimate before drilling into specific processes of interest.


Process Listing​

pslist β€” Active Process List​

Lists processes by walking the doubly-linked EPROCESS list in the kernel. Fast and clean, but rootkits can hide processes by unlinking them from this list.

vol.py -f <image> --profile=<profile> pslist
Vol3 Equivalent
vol3 -f <image> windows.pslist

Key fields: PID, PPID, Name, Offset, Start time, Exit time (if terminated).


psscan β€” EPROCESS Structure Scan​

Scans raw memory for EPROCESS pool tags rather than walking the linked list. Finds processes hidden by rootkits and terminated processes still resident in memory.

vol.py -f <image> --profile=<profile> psscan
Vol3 Equivalent
vol3 -f <image> windows.psscan
Compare pslist vs psscan for Rootkit Detection

Processes appearing in psscan but not in pslist are unlinked from the active process list β€” a strong rootkit/process hiding indicator.

# Vol2 β€” find PIDs in psscan but not pslist
comm -23 \
<(vol.py -f <image> --profile=<profile> psscan | awk '{print $3}' | sort) \
<(vol.py -f <image> --profile=<profile> pslist | awk '{print $3}' | sort)

pstree β€” Process Tree​

Displays the process list as a parent-child tree. Useful for quickly spotting abnormal parent-child relationships (e.g., Word.exe spawning cmd.exe, or svchost.exe with an unexpected parent).

vol.py -f <image> --profile=<profile> pstree
Vol3 Equivalent
vol3 -f <image> windows.pstree
Suspicious Parent-Child Relationships
Suspicious PatternWhy
winword.exe β†’ cmd.exe / powershell.exeMacro-based code execution
explorer.exe β†’ svchost.exeLegitimate svchost should be parented by services.exe
lsass.exe spawning anythinglsass should never spawn child processes
Double lsass.exe or csrss.exeMasquerading β€” legitimate ones are singletons
svchost.exe not parented by services.exeSuspicious svchost injection/masquerading

Process Details​

cmdline β€” Command Line Arguments​

Displays the full command-line string used to launch each process. Critical for identifying suspicious arguments, unusual paths, LOLBin abuse, or encoded PowerShell.

# All processes
vol.py -f <image> --profile=<profile> cmdline

# Specific PID
vol.py -f <image> --profile=<profile> cmdline -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.cmdline
vol3 -f <image> windows.cmdline --pid <PID>
What to Look For
  • Long Base64-encoded strings in PowerShell command lines (-enc / -EncodedCommand)
  • Executables running from %TEMP%, %APPDATA%, or other unusual paths
  • Renamed system binaries (e.g., svchost.exe running from C:\Users\...)
  • Tools launched directly from memory (process has no on-disk path)

dlllist β€” Loaded DLLs per Process​

Lists all DLLs loaded by a process. Useful for spotting injected DLLs, unsigned DLLs in unexpected locations, or DLL search order hijacking.

# All processes
vol.py -f <image> --profile=<profile> dlllist

# Specific PID
vol.py -f <image> --profile=<profile> dlllist -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.dlllist
vol3 -f <image> windows.dlllist --pid <PID>

handles β€” Open Handles​

Lists all open handles (files, registry keys, mutexes, events, threads, processes) for a process. Useful for identifying what files/keys a suspicious process is accessing, and for finding malware mutexes used as infection markers.

vol.py -f <image> --profile=<profile> handles -p <PID>

# Filter by handle type
vol.py -f <image> --profile=<profile> handles -p <PID> -t File
vol.py -f <image> --profile=<profile> handles -p <PID> -t Mutant
vol.py -f <image> --profile=<profile> handles -p <PID> -t Key
Vol3 Equivalent
vol3 -f <image> windows.handles --pid <PID>

Handle types: File, Key, Process, Thread, Token, Mutant, Event, Section, Directory.


envars β€” Environment Variables​

Displays the environment variables of each process. Useful for identifying processes with unusual or manipulated environments (e.g., modified PATH, COMSPEC, or TEMP pointing to attacker-controlled directories).

vol.py -f <image> --profile=<profile> envars -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.envars --pid <PID>

getsids β€” Security Identifiers​

Lists the SIDs (Security Identifiers) associated with a process β€” what user and group context it is running under. Useful for identifying SYSTEM-level processes that should not be, or processes running under unexpected service accounts.

vol.py -f <image> --profile=<profile> getsids -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.getsids --pid <PID>

privs β€” Process Privileges​

Lists the privileges held by each process and whether they are enabled. Useful for identifying privilege abuse β€” processes with SeDebugPrivilege or SeImpersonatePrivilege enabled are commonly associated with credential theft and lateral movement.

vol.py -f <image> --profile=<profile> privs -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.privileges --pid <PID>
High-Risk Privileges to Watch
PrivilegeAbuse Potential
SeDebugPrivilegeRead/write any process memory β€” used by credential dumpers (Mimikatz)
SeImpersonatePrivilegeImpersonate any logged-on user β€” used by token impersonation attacks
SeLoadDriverPrivilegeLoad kernel drivers β€” used by rootkits
SeTcbPrivilegeAct as part of the OS β€” extremely high risk
SeBackupPrivilegeRead any file regardless of ACL β€” used for SAM/SYSTEM hive theft

Virtual Address Descriptor (VAD) Analysis​

vadinfo β€” Virtual Address Descriptor Tree​

Displays the VAD tree for a process β€” the kernel's record of all virtual memory regions allocated to the process, including their protection flags, mapped file names, and type. Essential for finding injected shellcode or PE files mapped into unexpected memory regions.

vol.py -f <image> --profile=<profile> vadinfo -p <PID>
Vol3 Equivalent
vol3 -f <image> windows.vadinfo --pid <PID>
VAD Protection Flags

Memory regions with PAGE_EXECUTE_READWRITE (RWX) protection that are not backed by a file on disk are a strong indicator of injected shellcode or an unpacked payload. Legitimate code pages are typically PAGE_EXECUTE_READ.

vaddump β€” Dump VAD Region to File​

Dumps the contents of a specific virtual memory region to a file. Useful for extracting shellcode or unpacked payloads from RWX regions identified by vadinfo.

vol.py -f <image> --profile=<profile> vaddump -p <PID> -b <vad_start_address> -D <output_dir>
Vol3 Approach

Vol3 does not have a direct vaddump equivalent. Use windows.vadyarascan to scan VAD regions with YARA rules, or dump the full process memory with windows.memmap --dump and carve the region manually.