[Vol-users] Why is the address of this tagWND unreadable?

Bridgey theGeek bridgeythegeek at gmail.com
Wed Feb 15 16:56:16 CST 2017


Thanks MHL!

I didn't appreciate that fact about GUI objects. I'll have to do some more
reading on that.
But for those that are interested...
>>> import volatility.plugins.gui.messagehooks as messagehooks
>>> mh = messagehooks.MessageHooks(self._config)
>>> got = False   # initialise first: otherwise 'if got' raises NameError when a desktop has no match
>>> for winsta, atom_tables in mh.calculate():
...  for desktop in winsta.desktops():
...   for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...    if wnd.cbwndExtra == 8:
...     got = True
...     break
...   if got:
...    break
...  if got:
...   break
...
>>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>>> # re-instantiate through the desktop's session space, not the System process space
>>> wnd2 = obj.Object("tagWND", wnd.v(), desktop.obj_vm)
>>> wnd == wnd2
True

On 15 February 2017 at 14:14, Michael Ligh <michael.ligh at mnin.org> wrote:

> Hey Adam,
>
> Addresses of GUI objects are only valid in their "session space" which
> is part of kernel memory. Try passing winsta.obj_vm or desktop.obj_vm as
> the "space" parameter to dt() or db() instead of using the address space
> of the System process.
>
> MHL
>
> On 2/14/17 5:37 PM, Bridgey theGeek wrote:
> > Hi all,
> >
> > I feel like I'm missing something obvious. Consider the following from
> > volshell.
> > Profile is Win10x64 in case it matters; I'd already imported
> > messagehooks (mh).
> >
> >>>> sc()
> > Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
> >>>> for winsta, atom_tables in mh.calculate():
> > ... for desktop in winsta.desktops():
> > ...     for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
> > ...         if wnd.cbwndExtra == 8:
> > ...             break
> >>>> wnd
> > [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> >>>> dt(wnd)
> > [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> > 0x0   : head                           18446736382507371216
> > 0x28  : bActiveFrame                   0
> > 0x28  : bAnsiCreator                   0
> > --SNIP--
> > 0x120 : bLinked                        1
> > 0x120 : bRedirectedForPrint            0
> > 0x120 : bVerticallyMaximizedLeft       0
> > 0x120 : bVerticallyMaximizedRight      0
> >>>> dt('tagWND', wnd.v())
> > ERROR: could not instantiate object
> >
> > Reason:  Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
> >>>> hex(wnd.v())
> > '0xfffff90140a04ad0L'
> >>>> db(wnd.v())
> > Memory unreadable at fffff90140a04ad0
> >
> > Why is the memory address unreadable? Is my error in assuming that
> > object 'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?
> >
> > Given the address is in Kernel space, I should be able to access it
> > right?
> >
> > Any pointers appreciated! (Pardon the pun.)
> >
> > Adam
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users at volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
> >
>
>
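An added example, not code from the thread or from the Volatility project, that turns MHL's point into a reusable check: a session-space pointer has to be resolved through a session space (desktop.obj_vm / winsta.obj_vm), and because session space is per-session the same virtual address can be valid in more than one session space while naming different objects. The helpers below rely only on is_valid_address() and read(), which every Volatility 2 address space exposes; FakeSpace and the three sample spaces are constructed stand-ins with hand-built pages so the file runs outside volshell, and the helper names (spaces_mapping, pick_space, read_struct) are my own.

```python
"""Choose the address space that actually maps a session-space object.

Added example, not Volatility project code. Works against anything that
exposes is_valid_address(addr) and read(addr, length); FakeSpace below is
a constructed stand-in so the example runs without a memory image.
"""

PAGE = 0x1000

# The tagWND from the thread; 0xFFFFF900... is the x64 session-space range.
WND_ADDR = 0xFFFFF90140A04AD0
# The System EPROCESS from the thread's sc() output, in ordinary kernel space.
SYSTEM_EPROCESS = 0xffffe00012a61840


class AddressSpaceLookupError(LookupError):
    """No candidate space maps the address, or more than one does."""


class FakeSpace(object):
    """Constructed stand-in for a Volatility address space.

    `pages` maps page base -> PAGE bytes. Only those pages are mapped;
    everything else behaves like an unbacked virtual address.
    """
    def __init__(self, name, pages):
        self.name = name
        self.pages = pages

    def is_valid_address(self, addr):
        return (addr & ~(PAGE - 1)) in self.pages

    def read(self, addr, length):
        # Like the paged Volatility spaces: None if any byte is unmapped.
        out = b""
        while length > 0:
            base = addr & ~(PAGE - 1)
            if base not in self.pages:
                return None
            off = addr - base
            chunk = self.pages[base][off:off + length]
            out += chunk
            addr += len(chunk)
            length -= len(chunk)
        return out


def spaces_mapping(addr, spaces):
    """Every candidate space in which `addr` is backed by a physical page."""
    return [s for s in spaces if s.is_valid_address(addr)]


def pick_space(addr, spaces, preferred=None):
    """Space to instantiate an object at `addr` with.

    `preferred` is the space the pointer came from (e.g. wnd.obj_vm) and
    wins whenever it maps the address. Otherwise exactly one candidate
    must map it: session space is per-session, so one virtual address can
    be valid in several session spaces and point at different objects.
    """
    if preferred is not None and preferred.is_valid_address(addr):
        return preferred
    hits = spaces_mapping(addr, spaces)
    if not hits:
        raise AddressSpaceLookupError(
            "0x%x is not mapped in any supplied space "
            "(session-space address read through a process space?)" % addr)
    if len(hits) > 1:
        raise AddressSpaceLookupError(
            "0x%x is mapped in %d session spaces: %s"
            % (addr, len(hits), ", ".join(s.name for s in hits)))
    return hits[0]


def read_struct(addr, size, spaces, preferred=None):
    """Return (space, raw bytes) for a `size`-byte structure at `addr`."""
    space = pick_space(addr, spaces, preferred)
    data = space.read(addr, size)
    if data is None or len(data) != size:
        raise AddressSpaceLookupError(
            "0x%x: %d bytes not readable in %s" % (addr, size, space.name))
    return space, data


def _page(fill):
    """Constructed page content: one repeated byte value."""
    return bytes(bytearray([fill])) * PAGE


# Constructed sample spaces: the System process space maps the page holding
# its EPROCESS but not the session-space page, while two session spaces both
# map the window's page with different backing content.
SYSTEM_SPACE = FakeSpace("System pid 4",
                         {SYSTEM_EPROCESS & ~(PAGE - 1): _page(0xEE)})
SESSION1 = FakeSpace("session 1", {WND_ADDR & ~(PAGE - 1): _page(0x11)})
SESSION2 = FakeSpace("session 2", {WND_ADDR & ~(PAGE - 1): _page(0x22)})


def demo():
    """The thread's situation: read the 0x28-byte tagWND head via the right space."""
    space, head = read_struct(WND_ADDR, 0x28, [SYSTEM_SPACE, SESSION1])
    return space.name, head


if __name__ == "__main__":
    print("System space maps tagWND? %s" % SYSTEM_SPACE.is_valid_address(WND_ADDR))
    name, head = demo()
    print("read %d bytes through %s" % (len(head), name))
```

In volshell the candidate list would be [desktop.obj_vm for winsta, _ in mh.calculate() for desktop in winsta.desktops()], the preferred space wnd.obj_vm, and the result is what you hand to obj.Object("tagWND", wnd.v(), space). The ambiguity error is deliberate: with two interactive sessions in the image, a bare pointer like 0xFFFFF90140A04AD0 is only meaningful together with the session it came from, so the helper refuses to guess.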