Hi all,
Doing some work with the windows plugin for VistaSP1x86.
I have the following two fragments from the output:
Window Handle: #20130 at 0xfe817078, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfde11e90, Tid: 3432 at 0x839714e0
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: Yes
Left: 82, Top: 456, Bottom: 379, Right: 473
Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE
ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x7520d0d4

Window Handle: #100bc at 0xfe807390, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe44d660, Tid: 2552 at 0x837c8778
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: No
Left: 11, Top: 542, Bottom: 229, Right: 559
Style Flags: WS_CHILD,WS_OVERLAPPED
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x751f01c6
Both are from the same instance of explorer.exe.
Viewing windows.py, it shows that the "Window Handle" is simply the value of: wnd.head.h
Now consider this from volshell:
>>> o1 = obj.Object('tagWND', offset=0xfe817078, vm=proc().get_process_address_space())
>>> dd(o1.head.h, length=4)
fe8172a0 00020130
This seems logical: head.h is a void pointer. If we follow the pointer we get the handle: 20130.
If I do the same with the other one:
>>> o2 = obj.Object('tagWND', offset=0xfe807390, vm=proc().get_process_address_space())
>>> dd(o2.head.h, length=4)
000100bc 00000000
In this example, the handle is the VALUE of head.h, that is, you shouldn't follow the pointer.
Volatility seems to know this because it displays the handles as 100bc rather than 0.
I searched the Volatility code to see if I could find how this is being done, but I couldn't.
So, how?? What rule don't I know??
Thanks!
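As an added example (not part of the post, and not Volatility's own code), here is a small Python parser for the record layout the `windows` plugin printed above, fed with the two quoted fragments as constructed sample input. It turns each record into a structured object and adds a few triage helpers an analyst typically wants over this output: group windows by Pid, list the non-visible ones, and collect the distinct window-procedure addresses seen per window class. The field names and regular expressions are inferred only from the two fragments shown, so any other line type the plugin may print is an assumption and is skipped.

```python
"""Parse Volatility 'windows' plugin output into records and run simple triage checks."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample input: the two records quoted in the post above.
SAMPLE_OUTPUT = """\
Window Handle: #20130 at 0xfe817078, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfde11e90, Tid: 3432 at 0x839714e0
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: Yes
Left: 82, Top: 456, Bottom: 379, Right: 473
Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE
ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x7520d0d4
Window Handle: #100bc at 0xfe807390, Name:
ClassAtom: 0xc052, Class: ConsoleProgmanHandle
SuperClassAtom: 0xc018, SuperClass: Edit
pti: 0xfe44d660, Tid: 2552 at 0x837c8778
ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
Visible: No
Left: 11, Top: 542, Bottom: 229, Right: 559
Style Flags: WS_CHILD,WS_OVERLAPPED
ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
Window procedure: 0x751f01c6
"""

# Line patterns inferred from the fragments above (assumption: other lines are ignored).
HEX = r"0x[0-9a-fA-F]+"
HANDLE_RE = re.compile(r"^Window Handle: #([0-9a-fA-F]+) at (%s), Name:\s*(.*)$" % HEX)
CLASS_RE = re.compile(r"^ClassAtom: %s, Class: (.*)$" % HEX)
SUPER_RE = re.compile(r"^SuperClassAtom: %s, SuperClass: (.*)$" % HEX)
THREAD_RE = re.compile(r"^pti: %s, Tid: (\d+) at %s$" % (HEX, HEX))
PROC_RE = re.compile(r"^ppi: %s, Process: (.*), Pid: (\d+)$" % HEX)
RECT_RE = re.compile(r"^Left: (-?\d+), Top: (-?\d+), Bottom: (-?\d+), Right: (-?\d+)$")
FLAGS_RE = re.compile(r"^(Style Flags|ExStyle Flags): *(.*)$")
WNDPROC_RE = re.compile(r"^Window procedure: (%s)$" % HEX)


@dataclass
class WindowRecord:
    handle: int = 0            # HWND value as printed after '#'
    offset: int = 0            # tagWND offset in the process address space
    name: str = ""
    class_name: str = ""
    superclass: str = ""
    tid: int = 0
    pid: int = 0
    process: str = ""
    visible: bool = False
    rect: tuple = (0, 0, 0, 0)  # (Left, Top, Bottom, Right) in the plugin's order
    style: frozenset = frozenset()
    exstyle: frozenset = frozenset()
    wndproc: int = 0


def parse_windows(text: str) -> list:
    """Split plugin output into one WindowRecord per 'Window Handle:' block."""
    records, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HANDLE_RE.match(line)):
            cur = WindowRecord(handle=int(m.group(1), 16), offset=int(m.group(2), 16), name=m.group(3))
            records.append(cur)
        elif cur is None or not line:
            continue  # banner text before the first record, or blank lines
        elif (m := CLASS_RE.match(line)):
            cur.class_name = m.group(1)
        elif (m := SUPER_RE.match(line)):
            cur.superclass = m.group(1)
        elif (m := THREAD_RE.match(line)):
            cur.tid = int(m.group(1))
        elif (m := PROC_RE.match(line)):
            cur.process, cur.pid = m.group(1), int(m.group(2))
        elif line.startswith("Visible:"):
            cur.visible = line.split(":", 1)[1].strip() == "Yes"
        elif (m := RECT_RE.match(line)):
            cur.rect = tuple(int(v) for v in m.groups())
        elif (m := FLAGS_RE.match(line)):
            flags = frozenset(f for f in m.group(2).split(",") if f)
            if m.group(1) == "Style Flags":
                cur.style = flags
            else:
                cur.exstyle = flags
        elif (m := WNDPROC_RE.match(line)):
            cur.wndproc = int(m.group(1), 16)
    return records


def windows_by_pid(records: list) -> dict:
    """Group records by owning process id."""
    out = defaultdict(list)
    for r in records:
        out[r.pid].append(r)
    return dict(out)


def hidden_windows(records: list) -> list:
    """Records the plugin reported as not visible."""
    return [r for r in records if not r.visible]


def wndproc_variants(records: list) -> dict:
    """Map each window class to the distinct window-procedure addresses seen for it."""
    out = defaultdict(set)
    for r in records:
        out[r.class_name].add(r.wndproc)
    return dict(out)


if __name__ == "__main__":
    recs = parse_windows(SAMPLE_OUTPUT)
    for pid, wins in windows_by_pid(recs).items():
        print(pid, [hex(w.handle) for w in wins])
    print("hidden:", [hex(w.handle) for w in hidden_windows(recs)])
    print("wndproc variants:", {k: sorted(map(hex, v)) for k, v in wndproc_variants(recs).items()})
```

The `wndproc_variants` map is only a starting point for review: seeing more than one window procedure for the same class, as the two `ConsoleProgmanHandle` windows above do, just tells you where to look next, not that anything is wrong.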