Retrieve the parent process of our process with PID 1800.
We already had the PPID (Parent Process ID) in the first part:
vol -f /mnt/c/Users/cyrha/Desktop/demo/hackropole/memoire.dmp windows.pslist 2>/dev/null | awk '$1 == "PID" || $1 == 1800'
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
1800 936 rundll32.exe 0xa50a270b9200 4 - 0 False 2025-04-01 22:10:45.000000 UTC N/A Disabled
So we now retrieve the information on the parent process:
vol -f /mnt/c/Users/cyrha/Desktop/demo/hackropole/memoire.dmp windows.pslist 2>/dev/null | awk '$1 == "PID" || $1 == 936'
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
936 800 svchost.exe 0xa50a26148240 10 - 0 False 2025-04-01 22:10:44.000000 UTC N/A Disabled
process_name=svchost.exe
process_id=936
FCSC{<process_name>:<process_id>}
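The same parent lookup done programmatically over saved pslist output, as an added example (not part of the original write-up): it parses the Volatility 3 table, walks the PPID chain from 1800 upward, and adds the check a forensic analyst wants before trusting a PPID, namely that the parent was created no later than the child (PIDs are reused once a process exits). The sample output is constructed; only the 1800 and 936 rows come from the page.

```python
from datetime import datetime

# Constructed sample of `windows.pslist` output (Volatility 3 column layout).
# The 1800 and 936 rows are the ones shown on the page; the other rows
# are made up for illustration.
PSLIST_OUTPUT = """\
PID PPID ImageFileName Offset(V) Threads Handles SessionId Wow64 CreateTime ExitTime File output
4 0 System 0xa50a22c8f040 140 - N/A False 2025-04-01 22:10:40.000000 UTC N/A Disabled
800 668 services.exe 0xa50a25ff1080 8 - 0 False 2025-04-01 22:10:44.000000 UTC N/A Disabled
936 800 svchost.exe 0xa50a26148240 10 - 0 False 2025-04-01 22:10:44.000000 UTC N/A Disabled
1800 936 rundll32.exe 0xa50a270b9200 4 - 0 False 2025-04-01 22:10:45.000000 UTC N/A Disabled
"""

def parse_pslist(text):
    """Map PID -> (PPID, image name, create time); header/noise lines skipped."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 11 or not f[0].isdigit():
            continue
        # CreateTime is split into a date field and a time field by split()
        created = datetime.strptime(f"{f[8]} {f[9]}", "%Y-%m-%d %H:%M:%S.%f")
        procs[int(f[0])] = (int(f[1]), f[2], created)
    return procs

def parent_chain(procs, pid):
    """[(pid, name), (ppid, parent name), ...] up to an unlisted parent or a loop."""
    chain, seen = [], set()
    while pid in procs and pid not in seen:
        seen.add(pid)
        ppid, name, _ = procs[pid]
        chain.append((pid, name))
        pid = ppid
    return chain

def parent_is_plausible(procs, pid):
    """PIDs are reused: the PPID only names the real parent if that process
    is listed and was created no later than the child."""
    ppid, _, child_created = procs[pid]
    return ppid in procs and procs[ppid][2] <= child_created

def answer(procs, pid):
    """Flag in the page's format, built from the parent's name and PID."""
    ppid = procs[pid][0]
    return f"FCSC{{{procs[ppid][1]}:{ppid}}}"

if __name__ == "__main__":
    procs = parse_pslist(PSLIST_OUTPUT)
    print(" -> ".join(f"{n}({p})" for p, n in parent_chain(procs, 1800)))
    print(answer(procs, 1800))
```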