Merge pull request #952 from cpuu/mac_pslist

ikelos · web-flow · commit 89b6c090b393 · 2023-07-12T22:16:55.000+01:00
Add more process information to mac.pslist plugin
diff --git a/volatility3/framework/plugins/mac/pslist.py b/volatility3/framework/plugins/mac/pslist.py
@@ -2,12 +2,14 @@
 # which is available at https://www.volatilityfoundation.org/license/vsl-v1.0
 #
 
+import datetime
 import logging
-from typing import Callable, Iterable, List, Dict
+from typing import Callable, Dict, Iterable, List
 
-from volatility3.framework import renderers, interfaces, exceptions
+from volatility3.framework import exceptions, interfaces, renderers
 from volatility3.framework.configuration import requirements
 from volatility3.framework.objects import utility
+from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols import mac
 
 vollog = logging.getLogger(__name__)
@@ -105,10 +107,20 @@ def _generator(self):
             self.config["kernel"],
             filter_func=self.create_pid_filter(self.config.get("pid", None)),
         ):
+            offset = format_hints.Hex(task.vol.offset)
+            name = utility.array_to_string(task.p_comm)
             pid = task.p_pid
+            uid = task.p_uid
+            gid = task.p_gid
+            start_time_seconds = task.p_start.tv_sec
+            start_time_microseconds = task.p_start.tv_usec
+            start_time = datetime.datetime.fromtimestamp(
+                start_time_seconds + start_time_microseconds / 1e6
+            )
+
             ppid = task.p_ppid
-            name = utility.array_to_string(task.p_comm)
-            yield (0, (pid, ppid, name))
+
+            yield (0, (offset, name, pid, uid, gid, start_time, ppid))
 
     @classmethod
     def list_tasks_allproc(
@@ -310,5 +322,14 @@ def list_tasks_pid_hash_table(
 
     def run(self):
         return renderers.TreeGrid(
-            [("PID", int), ("PPID", int), ("COMM", str)], self._generator()
+            [
+                ("OFFSET", format_hints.Hex),
+                ("NAME", str),
+                ("PID", int),
+                ("UID", int),
+                ("GID", int),
+                ("Start Time", datetime.datetime),
+                ("PPID", int),
+            ],
+            self._generator(),
         )
