Close Menu
    Memory Forensics 5 Mins ReadNo Comments

    Process and Thread Analysis in Volatility 3

    Lipson Thomas PhilipBy Updated:12 Views

    Volatility 3 is an essential memory forensics framework for analyzing memory dumps from Windows, Linux, and macOS systems. One of its main strengths is process and thread analysis, which can detect hidden, injected, or manipulated processes and threads used by malware. This article breaks down the core plugins and techniques used in Volatility 3 to analyze processes and threads and how they can be leveraged to detect malicious activity.

    What to Look for in Processes?

    Processes are among the most critical artifacts to examine when analyzing memory dumps. The malware hides by manipulating process structures, injecting code, or running under legitimate process names. Indicators to focus on include:

    • Unusual parent-child relationships
    • Inconsistent process creation times
    • Discrepancies in process lists
    • Presence of hollowed or injected processes
    • Suspicious threads or handles

    Understanding normal behavior is key to spotting anomalies. Comparing processes against known baselines, verifying the legitimacy of process paths, and correlating with thread and handle activity can expose hidden malware.

    Advertisement

    Using pslist, pstree, pidhashtable, psscan

    Volatility3 provides several plugins to enumerate and analyze processes. Each plugin uses different techniques to extract information, which helps detect process hiding.

    1. pslist

    `pslist` lists active processes by walking the EPROCESS linked list. This method is reliable for processes that are fully connected and running. It shows PID, name, parent PID (PPID), creation time, and exit time. However, it can miss unlinked or hidden processes.

    1. pstree

    `pstree` builds on `pslist` by displaying the parent-child hierarchy of processes. It’s advantageous to spot anomalies in process spawning. For example, a process like `svchost.exe` spawning a suspicious executable may indicate process injection or malicious behavior.

    1. pidhashtable

    `pidhashtable` traverses the PID to the EPROCESS hash table. This plugin helps find processes not in the linked list (pslist) but still exist in the kernel’s PID table. Discrepancies between `pslist` and `pidhashtable` can suggest stealth techniques.

    Advertisement
    1. psscan

    `psscan` scans memory for EPROCESS structures, regardless of linkage or activity. It can recover terminated or hidden processes. Since it doesn’t rely on active lists, it’s invaluable for detecting rootkits or terminated malware processes that left remnants in memory.

    Comparison Strategy:

    • If a process appears in `psscan` but not in `pslist` or `pidhashtable`, it may have been unlinked deliberately.
    • A missing process in `pstree` might suggest PPID spoofing or tampering.

    Detecting Process Injection and Hollowing

    Process injection and hollowing are techniques where malware hides inside legitimate processes. Volatility3 does not have a direct plugin named “hollow” or “inject,” but these techniques can be detected through:

    • malfind: Scans memory for injected code by looking at VAD (Virtual Address Descriptor) regions with suspicious permissions and content. Malicious code often resides in memory regions marked as executable but not backed by a file.
    • ldrmodules: Lists loaded DLLs for each process. It flags discrepancies where modules are not linked or mapped correctly, suggesting manual injection.
    • vadinfo: Provides detailed information about a process’s memory layout. Unusual or suspicious VAD regions (e.g., no file path, RWX permissions) can indicate code injection.
    • dlllist: Shows DLLs loaded in each process. Comparing its output with `ldrmodules` helps detect manually mapped or hidden modules.
    • handles: Lists object handles opened by each process. Malware often opens handles to other processes to inject code. Suspicious handle types and targets can be a red flag.

    Analyzing Suspicious Threads and Handles

    Beyond processes, analyzing threads and handles can expose hidden malware activity.

    threads

    The `threads` plugin shows detailed information about active threads, including start addresses, owning process, and thread state. Key indicators of suspicious threads include:

    • Threads starting in non-module memory regions
    • Threads with unknown or unbacked start addresses
    • High number of threads in unusual processes

    handles

    The `handles` plugin lists all kernel objects a process has open. Malware often uses handles to access other processes, files, or registry keys. Look for:

    • Processes holding handles to many other processes
    • Suspicious access flags (e.g., PROCESS\_ALL\_ACCESS)
    • Unusual file or registry handles in unrelated processes

    Case Study: Detecting a Hidden Malware Process

    Let’s walk through a real-world scenario of identifying a hidden malware process using Volatility3 plugins.

    Step 1: Initial Process Listing

    Start with `pslist` and `pstree` to observe the active process list and hierarchy.

    volality3 -f xp-laptop-2005-07-04-1430.png windows.pslist
    process-and-thread-analysis-pslist
    volality3 -f xp-laptop-2005-07-04-1430.png windows.pstree
    process-thread-analysis-pstree

    Step 2: Cross-Verification

    Run `psscan` to look for inconsistencies.

    volality3 -f xp-laptop-2005-07-04-1430.png windows.psscan
    process-thread-psscan

    Step 3: Analyze Memory Regions

    Use `malfind` to identify injected code:

    volality3 -f xp-laptop-2005-07-04-1430.png windows.malfind
    process-thread-malfind

    Step 4: Examine Handles

    volality3 -f xp-laptop-2005-07-04-1430.png windows.handles
    process-thread-handles

    Mapping Threads to Malicious Activity

    To link suspicious threads to actual malicious activity:

    1. Identify unusual start addresses from the `threads` plugin.
    2. Map these addresses to VAD regions using `vadinfo`.
    3. Correlate VAD regions with results from `malfind` to confirm injection.
    4. Use `dlllist` and `ldrmodules` to verify whether these threads are tied to legitimate or injected modules.
    5. Check API calls or strings in memory regions tied to the threads, using plugins like `strings`, to infer behavior.

    Final Thoughts

    Volatility3’s modular and extensible design makes it a critical tool for malware hunters and forensic analysts. By cross-referencing plugin outputs — especially `pslist`, `pstree`, `pidhashtable`, `psscan`, `malfind`, `threads`, and `handles` — investigators can uncover sophisticated stealth techniques. Mastery of these tools helps analysts detect malware and understand its methods, persistence, and scope.

    Use them in combination, and always trust your instincts when something doesn’t line up — the devil is usually in the distinctions.

    Resources

    Memory Forensics – Practical Example, Detect Classic Remote Process Injection

    Investigating Windows Threads with Volatility

    Using Volatility for advanced memory forensics

    0 0 votes
    Article Rating
    Share.

    Lipson Thomas Philip is a student of Masters in Network and Information Security at Griffith College, Limerick. He has done an internship in Cyber Cell, Gurugram 2021. His motive is to learn on a daily basis. As somebody said "Never stop learning". You learn new things knowing or unknowingly and as your life changes day by day.

    Related Posts

    Subscribe
    Notify of
    guest

    This site uses Akismet to reduce spam. Learn how your comment data is processed.

    0 Comments
    Oldest
    Newest Most Voted
    Inline Feedbacks
    View all comments
    0
    Would love your thoughts, please comment.x
    ()
    x