Merge pull request #1871 from blitztide/develop

Feature: vadyarascan enrichment

Author: ikelos

volatility3/framework/plugins/windows/vadyarascan.py

@@ -4,6 +4,7 @@
 
 import logging
 from typing import Iterable, List, Tuple
+import datetime
 
 from volatility3.framework import interfaces, renderers
 from volatility3.framework.configuration import requirements
@@ -18,7 +19,7 @@ class VadYaraScan(interfaces.plugins.PluginInterface):
     """Scans all the Virtual Address Descriptor memory maps using yara."""
 
     _required_framework_version = (2, 22, 0)
-    _version = (1, 1, 3)
+    _version = (1, 1, 4)
 
     @classmethod
     def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]:
@@ -102,6 +103,15 @@ def _generator(self):
                     yield 0, (
                         format_hints.Hex(offset),
                         task.UniqueProcessId,
+                        task.get_create_time(),
+                        task.InheritedFromUniqueProcessId,
+                        task.ImageFileName.cast(
+                            "string",
+                            max_length=task.ImageFileName.vol.count,
+                            errors="replace",
+                        ),
+                        task.get_session_id(),
+                        task.ActiveThreads,
                         rule_name,
                         name,
                         layer_data,
@@ -130,6 +140,11 @@ def run(self):
             [
                 ("Offset", format_hints.Hex),
                 ("PID", int),
+                ("CreateTime", datetime.datetime),
+                ("PPID", int),
+                ("ImageFileName", str),
+                ("SessionId", int),
+                ("Threads", int),
                 ("Rule", str),
                 ("Component", str),
                 ("Value", renderers.LayerData),