Writing a simple Volatility plugin - Part 1

Abhiram Kumar


Categories: DFIR Tags: Volatility Python

This post covers the basics of writing a simple plugin for the Volatility framework using python.


It is not really necessary to have a very good experience with volatility to understand this blog post but I recommend it as it will be easier to “know what you’re doing”.

Volatility? what is it?

This section is primarily for people who have never used volatility before, so I will give a brief introduction of the tool. Volatility is an open source memory forensics framework helpful in analyzing memory/RAM dumps.

Volatility is a very robust and extremely popular tool when it comes to forensic investigation of memory images.

For more info, visit https://github.com/volatilityfoundation/volatility

Writing the plugin

In this post, we will go through a step by step procedure of writing a custom pslist (used to enumerate active/running processes) plugin.

To start we will create a skeleton of the plugin with a simple “Hello world!” before proceeding to the more complex parts.

Creating plugin folder

$ mkdir testplugin
$ cd testplugin
$ touch testplugin.py

Open the python file just created using any text editor you want. I prefer VS Code.

Getting the foundation right

Before proceeding to the complex coding part, we’ll approach this by writing a simple volatility plugin which just prints “Hello world!”.

So below is the code for the program,

import volatility.plugins.common as common

class TestPlugin(common.AbstractWindowsCommand):
    """Prints Hello world!"""
    def render_text(self, outfd, data):
        outfd.write("Hello world!\n")

Note: All the python code written in this blog is of python 2 {:.info}

Understanding the code

Having written the above code, let us try to understand what it is line by line.

Testing output

Now that we understood how the above code works, let us run it and check if it works. Before testing the plugin, let us see if volatility recognizes our plugin


Yes! it is successfully recognized. Now let us run it.


Building the pslist plugin

Now that we know how to write the basic skeleton of a plugin, we need it do something with the memory dump i.e extract some piece of evidence. So here we will try to write a plugin which enumerates all the active processes running in the system.

Normally, you can see the running processes using the Task Manager.

import volatility.plugins.common as common
import volatility.utils as utils
import volatility.win32 as win32

class TestPlugin(common.AbstractWindowsCommand):
    """ Works exactly like pslist """

    def calculate(self):

        addr_space = utils.load_as(self._config)
        tasks = win32.tasks.pslist(addr_space)
        return tasks
    def render_text(self, outfd, data):
        for tasks in data:
            PID = tasks.UniqueProcessId
            CreateTime = tasks.CreateTime
            Process_name = tasks.ImageFileName
            outfd.write("{0}\t {1}\t {2}\n".format(PID, CreateTime, Process_name))

Understanding the code

This completes the explanation for the calculate() function. Now we move to discuss the terms

These terms are associated and are fields inside the _EPROCESS structure in Windows. _EPROCESS is a data structure in windows which contains various details associated with a process.

What we are essentially doing using the above python code is that we are iterating over the doubly-linked list through which each _EPROCESS is connected and retrieving the necessary evidence we need.

Below is the screenshot showing various other fields in the _EPROCESS structure using livekd

CreateTime Field CreateTime

UniqueProcessId Field PID

ImageFileName Field ImageFileName

Other interesting and useful fields are

And many more…

Now that we’ve written our plugin and how it works, let us test it by running it.

Testing output

$ volatility --plugins=testplugin/ -f memorydump.vmem --profile=Win7SP1x86 testplugin


So our plugin works perfectly as expected.

Final thoughts

This blogpost was a very simple introduction to writing plugins in volatility. The real ones that volatility uses are a lot complex since they have lot of things to handle like

So, plugin developers at Volatility need to keep these things in mind before they release a plugin. However, now that you have understood the basics required, it will be a lot easier to read the original plugin code from volatility’s code base.


Feel free to contact me on Twitter: https://twitter.com/_abhiramkumar