Feature: vadyarascan enrichment

This add contextual data to each hit with vadyarascan, saves running pslist after processing.
Original didn't have imagename or PPID

Author: blitztide

volatility3/framework/plugins/windows/vadyarascan.py

@@ -4,6 +4,7 @@
 
 import logging
 from typing import Iterable, List, Tuple
+import datetime
 
 from volatility3.framework import interfaces, renderers
 from volatility3.framework.configuration import requirements
@@ -102,6 +103,15 @@ def _generator(self):
                     yield 0, (
                         format_hints.Hex(offset),
                         task.UniqueProcessId,
+                        task.get_create_time(),
+                        task.InheritedFromUniqueProcessId,
+                        task.ImageFileName.cast(
+                            "string",
+                            max_length=task.ImageFileName.vol.count,
+                            errors="replace",
+                        ),
+                        task.get_session_id(),
+                        task.ActiveThreads,
                         rule_name,
                         name,
                         layer_data,
@@ -130,6 +140,11 @@ def run(self):
             [
                 ("Offset", format_hints.Hex),
                 ("PID", int),
+                ("CreateTime", datetime.datetime),
+                ("PPID", int),
+                ("ImageFileName", str),
+                ("SessionId", int),
+                ("Threads", int),
                 ("Rule", str),
                 ("Component", str),
                 ("Value", renderers.LayerData),