The PipisPipe plugin is a custom plugin for the Volatility3 framework that targets Windows systems. It allows you to enumerate the named pipes for specified processes and displays their creation dates.
- Make sure you have the Volatility3 framework installed. Refer to the official Volatility3 documentation for installation instructions.
- Clone this repository or download the pipispipe.py file.
To run the PipisPipe plugin, follow these steps:
- Open a terminal or command prompt.
- Navigate to the directory where Volatility3 is installed.
- Run the PipisPipe plugin using the vol.py command:

vol.py -f <path_to_memory_dump> pipispipe --pid_list <list_of_process_ids>

Replace <path_to_memory_dump> with the path to your memory dump file, and <list_of_process_ids> with the space-separated list of process IDs for which you want to enumerate named pipes. For example:

vol.py -f memory.dmp pipispipe --pid_list 1234 5678 9012
- The plugin will output the process name, process ID, named pipes, and their creation dates in Volatility3's TreeGrid format, sorted by creation date.
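Added example (not part of the plugin's own code): a small Python helper that builds the vol.py invocation documented above and parses the tab-separated text that Volatility3's default renderer prints for a TreeGrid, grouping pipes per process and sorting them by creation date so that pipes created in the same window can be reviewed together. The header names PID, Process, Pipe and Created, the timestamp format and the sample rows are assumptions, not the plugin's real output.

```python
"""Parse vol.py's tab-separated TreeGrid text for the PipisPipe plugin.

Added example, not the plugin's code. Column names and timestamp format
are assumed; adjust COLUMNS to match the header the plugin really prints."""
from __future__ import annotations

from collections import defaultdict
from datetime import datetime

# Assumed header line printed by the quick text renderer, one tab-separated
# header followed by one tab-separated row per named pipe.
COLUMNS = ("PID", "Process", "Pipe", "Created")


def build_command(dump: str, pids: list[int], vol: str = "vol.py") -> list[str]:
    """Argument vector for the invocation shown in the README."""
    return [vol, "-f", dump, "pipispipe", "--pid_list", *map(str, pids)]


def parse_treegrid(text: str) -> dict[tuple[int, str], list[tuple[datetime, str]]]:
    """Map (pid, process) -> [(created, pipe)] sorted by creation time.

    Banner and progress lines before the header are skipped; rows whose
    timestamp does not parse are kept with datetime.min so none are lost."""
    rows: dict[tuple[int, str], list[tuple[datetime, str]]] = defaultdict(list)
    header_seen = False
    for line in text.splitlines():
        parts = line.split("\t")
        if not header_seen:
            header_seen = tuple(parts) == COLUMNS
            continue
        if len(parts) != len(COLUMNS):
            continue  # blank line or stray progress output
        pid, proc, pipe, created = parts
        try:
            when = datetime.strptime(created, "%Y-%m-%d %H:%M:%S")
        except ValueError:
            when = datetime.min
        rows[(int(pid), proc)].append((when, pipe))
    return {key: sorted(val) for key, val in rows.items()}


# Constructed sample output (not a real capture) in the assumed layout.
SAMPLE = "\n".join([
    "Volatility 3 Framework 2.5.0",
    "Progress:  100.00\t\tPDB scanning finished",
    "",
    "\t".join(COLUMNS),
    "1234\tsvchost.exe\t\\Device\\NamedPipe\\lsass\t2023-06-01 10:05:00",
    "5678\texplorer.exe\t\\Device\\NamedPipe\\wkssvc\t2023-06-01 10:06:30",
    "1234\tsvchost.exe\t\\Device\\NamedPipe\\atsvc\t2023-06-01 10:04:10",
])

if __name__ == "__main__":
    for (pid, proc), pipes in parse_treegrid(SAMPLE).items():
        print(pid, proc)
        for when, pipe in pipes:
            print("   ", when, pipe)
```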
- Volatility3 framework (compatible with Python 3.x)
- Memory dump of a Windows system (obviously)
This project is licensed under the MIT License.