Plugins: make get_executable_path more accurate in process_spoofing

SolitudePy · SolitudePy · commit 91ff5eb2cadf · 2025-10-01T10:40:21.000+03:00
diff --git a/volatility3/framework/plugins/linux/malware/process_spoofing.py b/volatility3/framework/plugins/linux/malware/process_spoofing.py
@@ -59,7 +59,7 @@ def get_executable_path(
             task: task_struct object of the process
 
         Returns:
-            Tuple of (basename, is_deleted) or (None, False) if not available
+            Tuple of (full_path, is_deleted) or (None, False) if not available
         """
         is_deleted = False
 
@@ -105,8 +105,7 @@ def get_executable_path(
             )
             # Continue without deletion info - we still have the path
 
-        basename = PurePosixPath(exe_path).name
-        return basename, is_deleted
+        return exe_path, is_deleted
 
     @classmethod
     def get_cmdline_basename(
@@ -185,7 +184,8 @@ def _extract_process_names(
         Returns:
             Tuple of (exe_basename, cmdline_basename, comm, is_deleted)
         """
-        exe_basename, is_deleted = self.get_executable_path(self.context, task)
+        exe_path, is_deleted = self.get_executable_path(self.context, task)
+        exe_basename = PurePosixPath(exe_path).name if exe_path else None
         cmdline_basename = self.get_cmdline_basename(self.context, task)
         comm = self.get_comm(task)
 
