Process Tree from Volatility

Hi.
I am currently using Volatility3 and exported the process tree from a memory dump into a .dot file; however, I am not having any luck using Graphviz to convert it into a PNG or JPG. The error I am getting is:

Tone@Computer1:~/volatility3$ dot -Tpng pstree.dot -o psscan.png
Error: pstree.dot: syntax error in line 1 near 'Volatility'
Warning: syntax ambiguity - badly delimited number '1.0.' in line 1 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 5 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 6 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 7 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 8 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 9 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 10 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 11 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 12 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 13 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 14 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 15 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 16 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 17 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 18 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 19 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 20 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 21 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 22 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 23 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 24 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 25 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 26 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 27 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 28 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 29 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 30 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 31 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 32 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 33 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 34 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 35 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 36 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 37 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 38 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 39 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 40 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 41 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 42 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 43 of pstree.dot splits into two tokens
Warning: syntax ambiguity - badly delimited number '0x' in line 44 of pstree.dot splits into two tokens

Has anyone been able to successfully create a process tree map from a memory dump?

I don’t know what Volatility3 is, but it sounds like it’s generating an invalid dot file.

Can you post the first few lines of the dot file? That way, we could at least determine why there is a syntax error. Thanks.

I don’t think Volatility is outputting the dot file correctly. It looks to show the processes listed in a “dot or star” type delimiter, if that makes sense.

Here is a snippet of the output dot file:

Volatility 3 Framework 1.0.1

PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime

4	0	System	0x848d9beaa740	458	-	N/A	False	2021-03-18 05:53:53.000000 	N/A
* 144	4	Registry	0x848d9beaa740	4	-	N/A	False	2021-03-18 05:53:08.000000 	N/A
* 1064	4	smss.exe	0x848d9beaa740	2	-	N/A	False	2021-03-18 05:53:53.000000 	N/A
1224	1216	csrss.exe	0x848d9beaa740	12	-	0	False	2021-03-18 05:58:27.000000 	N/A
1300	1292	csrss.exe	0x848d9beaa740	10	-	1	False	2021-03-18 05:58:28.000000 	N/A
1320	1216	wininit.exe	0x848d9beaa740	1	-	0	False	2021-03-18 05:58:28.000000 	N/A
* 1464	1320	lsass.exe	0x848d9beaa740	10	-	0	False	2021-03-18 05:58:29.000000 	N/A
* 1444	1320	services.exe	0x848d9beaa740	5	-	0	False	2021-03-18 05:58:29.000000 	N/A
** 4100	1444	svchost.exe	0x848d9beaa740	7	-	0	False	2021-03-18 05:58:34.000000 	N/A
** 4112	1444	svchost.exe	0x848d9beaa740	2	-	0	False	2021-03-18 05:58:34.000000 	N/A
** 5652	1444	dfssvc.exe	0x848d9beaa740	12	-	0	False	2021-03-18 05:58:36.000000 	N/A
** 2040	1444	svchost.exe	0x848d9beaa740	4	-	0	False	2021-03-18 05:58:32.000000 	N/A
** 4120	1444	svchost.exe	0x848d9beaa740	6	-	0	False	2021-03-18 05:58:34.000000 	N/A
** 7196	1444	svchost.exe	0x848d9beaa740	2	-	0	False

Yes, that is exactly what I was thinking. Volatility is used for computer memory (RAM) forensics. Volatility version 2 had an easy built-in function for this, but I think something’s changed in version 3. Documentation is limited.

That looks like a table, nothing like a dot file at all? Dot files have arrows -> and usually start with something like digraph {

On the other hand, the output is sufficiently regular that it wouldn’t be very hard to write a simple script to convert it into a dot file.
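As an added example (not posted by anyone in the thread), here is one such converter in Python: it parses the tab-separated text that the windows.pstree plugin prints, skipping the banner and column header that dot was choking on, and emits a real `digraph`, drawing a dashed placeholder for any parent PID that is no longer in the dump so orphaned subtrees stay visible. The sample input is constructed from the rows posted above, and the script name `pstree2dot.py` in the usage note is hypothetical.

```python
import re
import sys

# Constructed sample in the tab-separated layout the windows.pstree plugin
# prints (one leading '*' per nesting level); rows taken from the post above.
SAMPLE = """Volatility 3 Framework 1.0.1

PID\tPPID\tImageFileName\tOffset(V)\tThreads\tHandles\tSessionId\tWow64\tCreateTime\tExitTime

4\t0\tSystem\t0x848d9beaa740\t458\t-\tN/A\tFalse\t2021-03-18 05:53:53.000000 \tN/A
* 144\t4\tRegistry\t0x848d9beaa740\t4\t-\tN/A\tFalse\t2021-03-18 05:53:08.000000 \tN/A
1224\t1216\tcsrss.exe\t0x848d9beaa740\t12\t-\t0\tFalse\t2021-03-18 05:58:27.000000 \tN/A
1320\t1216\twininit.exe\t0x848d9beaa740\t1\t-\t0\tFalse\t2021-03-18 05:58:28.000000 \tN/A
* 1444\t1320\tservices.exe\t0x848d9beaa740\t5\t-\t0\tFalse\t2021-03-18 05:58:29.000000 \tN/A
** 4100\t1444\tsvchost.exe\t0x848d9beaa740\t7\t-\t0\tFalse\t2021-03-18 05:58:34.000000 \tN/A
"""

# A process row: optional '*' nesting prefix, then PID, PPID and image name.
ROW = re.compile(r"^\**\s*(?P<pid>\d+)\t(?P<ppid>\d+)\t(?P<name>[^\t]*)")

def parse_pstree(text):
    """Map PID -> (PPID, image name); banner, header and blank lines are skipped."""
    procs = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            procs[int(m["pid"])] = (int(m["ppid"]), m["name"])
    return procs

def to_dot(procs):
    """Render the parent -> child relation as a DOT digraph that dot accepts."""
    out = ["digraph pstree {", "  rankdir=LR;", "  node [shape=box];"]
    for pid, (_, name) in procs.items():
        label = name.replace('"', '\\"')  # keep the DOT string syntax valid
        out.append(f'  p{pid} [label="{label}\\n(PID {pid})"];')
    # PPID 0 (Idle) is never listed; any other parent missing from the dump
    # (e.g. the smss.exe that started csrss/wininit and then exited) gets a
    # dashed placeholder node so the orphaned subtree is still drawn.
    missing = {ppid for ppid, _ in procs.values() if ppid and ppid not in procs}
    for ppid in sorted(missing):
        out.append(f'  p{ppid} [label="(not in dump)\\n(PID {ppid})", style=dashed];')
    for pid, (ppid, _) in procs.items():
        if ppid:
            out.append(f"  p{ppid} -> p{pid};")
    out.append("}")
    return "\n".join(out)

if __name__ == "__main__":
    # pipe the plugin's text output in, then feed the result to dot -Tpng
    sys.stdout.write(to_dot(parse_pstree(sys.stdin.read())) + "\n")
```

Usage: `python3 vol.py -f image.raw windows.pstree | python3 pstree2dot.py | dot -Tpng -o pstree.png`.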