Re: [Vol-users] windows plugin - handles - what don't I know?

Hi Michael, Full transcript below (including a couple of dec to hex translations of seemingly pertinent values). As you can see, I'm in the context of explorer.exe (pid 2528) - the process owning the window objects. $ python vol.py --profile VistaSP1x86 -f VistaSP1x86*.vmem volshell Volatility Foundation Volatility Framework 2.5 Current context: System @ 0x831528a0, pid=4, ppid=0 DTB=0x122000 Welcome to volshell! Current memory image is: file:///slw/VMware%20VMs/VistaSP1x86/VistaSP1x86-09beecd1.vmem To get help, type 'hh()' Current context: explorer.exe @ 0x8384e1a0, pid=2528, ppid=2404 DTB=0x3db8b3e0 vm=proc().get_process_address_space()) [tagWND tagWND] @ 0xFE817078 [CType head] @ 0xFE817078 <Void pointer to [0xFE8172A0]> [CType head] @ 0xFE817078 0x0 : h 4269896352 0x4 : cLockObj 0 0x8 : pti 79 0xc : rpdesk 453 0x10 : pSelf 399 '0xfe8172a0' vm=proc().get_process_address_space()) [tagWND tagWND] @ 0xFE807390 [CType head] @ 0xFE807390 <Void pointer to [0x000100BC]> [CType head] @ 0xFE807390 0x0 : h 65724 0x4 : cLockObj 2 0x8 : pti 4265924192 0xc : rpdesk 2345598544 0x10 : pSelf 4269831056 '0xfe807390' Appreciate your help! Adam On 7 May 2016 at 16:49, Michael Ligh &lt;michael.ligh(a)mnin.org&gt; wrote: > Hey Adam, > > For each of the objects (o1 and o2) can you paste the output from the > following commands (ignore the addresses in my examples): > > > [tagWND tagWND] @ 0xBCA30658 > > [CType head] @ 0xBCA30658 > > <Void pointer to [0xBCA306E8]> > > [CType head] @ 0xBCA30658 > 0x0 : h 3164800744 > 0x4 : cLockObj 0 > 0x8 : pti 0 > 0xc : rpdesk 0 > 0x10 : pSelf 0 > >>> dd(o1.head.h, length = 4) > bca306e8 0002002e > > Also, what context are you in when running the commands? By that I mean, > what is the value of proc() when you're doing > proc().get_process_address_space()? > > MHL > > On 5/7/16 9:02 AM, Bridgey theGeek wrote: > > Hi all, > > > > Doing some work with the windows plugin for VistaSP1x86. > > I have the following two fragments from the output: > > > > Window Handle: #20130 at 0xfe817078, Name: > > ClassAtom: 0xc052, Class: ConsoleProgmanHandle > > SuperClassAtom: 0xc018, SuperClass: Edit > > pti: 0xfde11e90, Tid: 3432 at 0x839714e0 > > ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 > > Visible: Yes > > Left: 82, Top: 456, Bottom: 379, Right: 473 > > Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE > > ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT > > Window procedure: 0x7520d0d4 > > > > Window Handle: #100bc at 0xfe807390, Name: > > ClassAtom: 0xc052, Class: ConsoleProgmanHandle > > SuperClassAtom: 0xc018, SuperClass: Edit > > pti: 0xfe44d660, Tid: 2552 at 0x837c8778 > > ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 > > Visible: No > > Left: 11, Top: 542, Bottom: 229, Right: 559 > > Style Flags: WS_CHILD,WS_OVERLAPPED > > ExStyle Flags: > > WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT > > Window procedure: 0x751f01c6 > > > > Both are from the same instance of explorer.exe. > > > > Viewing windows.py, it shows that the "Window Handle" is simply the > > value of: wnd.head.h > > > > Now consider this from volshell: > >> > vm=proc().get_process_address_space()) > >>>> dd(o1.head.h, length=4) > > fe8172a0 00020130 > > > > This seems logical: head.h is a void pointer. If we follow the pointer > > we get the handle: 20130. > > > > If I do the same with the other one: > >> > vm=proc().get_process_address_space()) > >>>> dd(o2.head.h, length=4) > > 000100bc 00000000 > > > > In this example, the handle is the VALUE of head.h, that is, you > > shouldn't follow the pointer. > > > > Volatility seems to know this because it displays the handles as 100bc > > rather than 0. > > > > I searched the Volatility code to see if I could find how this is being > > done, but I couldn't. > > So, how?? What rule don't I know?? > > > > Thanks! > > > > > > _______________________________________________ > > Vol-users mailing list > > Vol-users(a)volatilityfoundation.org > > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users > > > >