Volatility Plugins — Plugin windows.handles Let’s Talk About it

13 hours ago
3 min read

So yeah… I know I already wrote a bunch of blogs on memory forensics — Volatility step‑by‑step, code injection, rootkits, all of that. And you might be wondering:

“Bro, why are we still talking about memory forensics?”

Well… because some Volatility plugins are actually important, a bit tricky, and very underrated. Everyone knows the basics like psscan, pslist, dlllist, etc. If not — go check my earlier guide, I won’t repeat the boring stuff here.

https://www.cyberengage.org/courses-1/mastering-memory-forensics%3A-in-depth-analysis-with-volatility-and-advanced-tools

In this series, we’re going deeper — focusing on the plugins that help you confirm attacks, pivot to real artifacts, and catch sneaky malware behavior.

And today’s topic?

Process Handles — A Small Thing That Reveals BIG Clues

Handles are basically pointers to objects that a process is using — files, registry keys, named pipes, mutants, events, threads, sections… everything.

Sounds cool, right? But here’s the problem:

There are SO MANY handles. And 90% of them are boring: unnamed internal things that tell you nothing.

But the remaining 10%?

That’s where investigations become fun.

Most of the time, handles won’t start your investigation. You usually look at handles after you’ve already identified a suspicious process.But once you’re there, handles can help you:

Confirm your suspicion
Find related malware components
Discover persistence
Spot communication channels (e.g., C2 pipes)
Catch rare artifacts like injected DLLs

Volatility Plugin: windows.handles.Handles

By default, this plugin prints every handle from every process.

python3 vol.py -f /mnt/c/Users/Akash/Downloads/laptop.raw  windows.handles

So yeah, it’s a mess.

That's why:

✔ If you know the suspicious PID → always use --pid

Example:

python3 vol.py -f /mnt/c/Users/Akash/Downloads/laptop.raw windows.handles --pid < >

Example 1 — DLL Handle That Should Not Be There

So imagine you’re investigating a Shell . You trace it back to its parent process — Example w3wp.exe

You start checking its file/registry handles. Most are normal… until one jumps out:

A DLL referenced in the handles table

That's weird because:

DLLs are usually listed in the PEB
And appear in dlllist, not in handles
So seeing a DLL via handles is suspicious by itself

One little handle uncovered the entire Shell chain.

This is why handles matter.

Example 2 — Infostealer Investigation

This is a fun one.

During the investigation, Suspicious processes:

powershell.exe

This is classic LOLBins used heavily by modern malware.

PowerShell

PowerShell had large number of handles… yeah, typical PowerShell behaviour.

After filtering unnamed handles, and keeping only File + Registry ones, you brought it down to 100 handles:

Still many, but manageable.

Inside all this noise was:

A randomly named registry key

Sitting somewhere under HKCM\CLASSES\...

At first look it blends in, but it was actually the persistence:

Random registry names
Storing fileless scripts
Classic modern persistence trick

A lot of people miss this because it looks normal. But handles will pick it up easily.

Handles help you rewind the malware timeline.

That’s why they’re gold.

Named Pipes — The Secret Communication Channels

Okay, named pipes are literally everywhere in attack frameworks.

Tools like:

PsExec
Metasploit
Trickbot
HyperStack
Empire
Covenant
Cobalt Strike

… all use named pipes to communicate quietly.

Because unlike sockets, pipes:

Don’t show up in netstat
Blend into normal system behaviour
Work over SMB
Carry less operational noise

And attackers can name them anything.

Some pipes look normal
Some pipes embed IPs or PIDs
Some pipes follow known patterns

For example, PsExec uses names like:

\Device\NamedPipe\psexecsvc-<hostname>-<PID>-stdout

Cobalt Strike uses:

MSSE-****-server
\\.\pipe\******

If the operator doesn't change defaults → instant IOC.

And yeah, handles can catch them. Just filter for File handles containing “pipe”.

python3 vol.py -f /mnt/c/Users/Akash/Downloads/laptop.raw  windows.handles | grep -i pipe

Mutants (Mutexes) — Malware’s Way of Saying “I Was Here First”

Mutants (mutexes) are used by malware to avoid reinfecting a system.

Malware sets a mutex →Before infecting again, it checks if that mutex exists.

That makes mutexes:

✔ Perfect indicators of compromise

✔ Unique to specific malware families

✔ Easy to scan in memory

python3 vol.py -f /mnt/c/Users/Akash/Downloads/laptop.raw  windows.handles | egrep "PID|Mutant"

Final Thoughts (and why this plugin matters so much)

Handles might look boring at first, but they give you:

Persistence clues
Malware DLL loading artefacts
Malicious named pipes (C2 comms)
Mutexes that identify malware families
File paths and registry entries to pivot on

90% of the time you find nothing .That 10%? You find GOLD.

----------------------------------------------Dean------------------------------------------------------

Please access this website using a laptop / desktop or tablet for the best experience