[Vol-users] Why is the address of this tagWND unreadable?

Bridgey theGeek bridgeythegeek at gmail.com
Tue Feb 14 17:37:48 CST 2017

Hi all,

I feel like I'm missing something obvious. Consider the following from
Profile is Win10x64 in case it matters; I'd already imported messagehooks

>>> sc()
Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
>>> for winsta, atom_tables in mh.calculate():
... for desktop in winsta.desktops():
...     for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...         if wnd.cbwndExtra == 8:
...             break
>>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>>> dt(wnd)
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
0x0   : head                           18446736382507371216
0x28  : bActiveFrame                   0
0x28  : bAnsiCreator                   0
0x120 : bLinked                        1
0x120 : bRedirectedForPrint            0
0x120 : bVerticallyMaximizedLeft       0
0x120 : bVerticallyMaximizedRight      0
>>> dt('tagWND', wnd.v())
ERROR: could not instantiate object

Reason:  Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
>>> hex(wnd.v())
>>> db(wnd.v())
Memory unreadable at fffff90140a04ad0

Why is the memory address unreadable? Is my error in assuming that object
'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?

Given the address is in Kernel space, I should be able to access it right?

Any pointers appreciated! (Pardon the pun.)

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.volatilityfoundation.org/pipermail/vol-users/attachments/20170214/f92ec888/attachment.html

More information about the Vol-users mailing list