From d934d4421b94c3d7285cc1594830bf84c4846373 Mon Sep 17 00:00:00 2001
From: Gustavo Moreira
Date: Wed, 18 Dec 2024 12:02:14 +1100
Subject: [PATCH] linux: get_parent_pid: Fix parent ID to correctly mimic getppid() syscall behavior by using TGID instead of PID
---
 volatility3/framework/symbols/linux/extensions/__init__.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/volatility3/framework/symbols/linux/extensions/__init__.py b/volatility3/framework/symbols/linux/extensions/__init__.py
index 7b025450c..3c26805b7 100644
--- a/volatility3/framework/symbols/linux/extensions/__init__.py
+++ b/volatility3/framework/symbols/linux/extensions/__init__.py
@@ -641,7 +641,7 @@ def get_parent_pid(self) -> int:
 """
 if self.real_parent and self.real_parent.is_readable():
- ppid = self.real_parent.pid
+ ppid = self.real_parent.tgid
 else:
 ppid = 0
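Review bot: The changed line `ppid = self.real_parent.tgid` has no comment explaining why the thread-group ID is read, so a later reader could "simplify" it back to `pid`; I would add `# real_parent can be a non-leader thread; its tgid is the process ID getppid() reports` directly above it. The docstring, which begins outside this hunk, should also state that the value is the raw `tgid` field, presumably the ID in the initial PID namespace, whereas the kernel's getppid() translates it into the caller's namespace, so for a containerised task the two can differ. That distinction matters when an analyst matches this PPID against PIDs recorded inside a container or in container-side logs while rebuilding a process tree. The function body continues past the hunk, so how `ppid` is returned is not visible here.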