Re: [Vol-users] windows plugin - handles - what don't I know?

Hi Michael, Full transcript below (including a couple of dec to hex translations of seemingly pertinent values). As you can see, I'm in the context of explorer.exe (pid 2528) - the process owning the window objects. $ python vol.py --profile VistaSP1x86 -f VistaSP1x86*.vmem volshell Volatility Foundation Volatility Framework 2.5 Current context: System @ 0x831528a0, pid=4, ppid=0 DTB=0x122000 Welcome to volshell! Current memory image is: file:///slw/VMware%20VMs/VistaSP1x86/VistaSP1x86-09beecd1.vmem To get help, type 'hh()' Current context: explorer.exe @ 0x8384e1a0, pid=2528, ppid=2404 DTB=0x3db8b3e0 vm=proc().get_process_address_space()) [tagWND tagWND] @ 0xFE817078 [CType head] @ 0xFE817078 <Void pointer to [0xFE8172A0]> [CType head] @ 0xFE817078 0x0 : h 4269896352 0x4 : cLockObj 0 0x8 : pti 79 0xc : rpdesk 453 0x10 : pSelf 399 '0xfe8172a0' vm=proc().get_process_address_space()) [tagWND tagWND] @ 0xFE807390 [CType head] @ 0xFE807390 <Void pointer to [0x000100BC]> [CType head] @ 0xFE807390 0x0 : h 65724 0x4 : cLockObj 2 0x8 : pti 4265924192 0xc : rpdesk 2345598544 0x10 : pSelf 4269831056 '0xfe807390' Appreciate your help! Adam On 7 May 2016 at 16:49, Michael Ligh &lt;michael.ligh(a)mnin.org <mailto:michael.ligh@mnin.org>> wrote: Hey Adam, For each of the objects (o1 and o2) can you paste the output from the following commands (ignore the addresses in my examples): [tagWND tagWND] @ 0xBCA30658 [CType head] @ 0xBCA30658 <Void pointer to [0xBCA306E8]> [CType head] @ 0xBCA30658 0x0 : h 3164800744 0x4 : cLockObj 0 0x8 : pti 0 0xc : rpdesk 0 0x10 : pSelf 0 bca306e8 0002002e Also, what context are you in when running the commands? By that I

what is the value of proc() when you're doing proc().get_process_address_space()? MHL On 5/7/16 9:02 AM, Bridgey theGeek wrote: > Hi all, > > Doing some work with the windows plugin for VistaSP1x86. > I have the following two fragments from the output: > > Window Handle: #20130 at 0xfe817078, Name: > ClassAtom: 0xc052, Class: ConsoleProgmanHandle > SuperClassAtom: 0xc018, SuperClass: Edit > pti: 0xfde11e90, Tid: 3432 at 0x839714e0 > ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 > Visible: Yes > Left: 82, Top: 456, Bottom: 379, Right: 473 > Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE > ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT > Window procedure: 0x7520d0d4 > > Window Handle: #100bc at 0xfe807390, Name: > ClassAtom: 0xc052, Class: ConsoleProgmanHandle > SuperClassAtom: 0xc018, SuperClass: Edit > pti: 0xfe44d660, Tid: 2552 at 0x837c8778 > ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 > Visible: No > Left: 11, Top: 542, Bottom: 229, Right: 559 > Style Flags: WS_CHILD,WS_OVERLAPPED > ExStyle Flags: > WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT > Window procedure: 0x751f01c6 > > Both are from the same instance of explorer.exe. > > Viewing windows.py, it shows that the "Window Handle" is simply the > value of: wnd.head.h > > Now consider this from volshell: >>>> o1 = obj.Object('tagWND', offset=0xfe817078, > vm=proc().get_process_address_space()) >>>> dd(o1.head.h, length=4) > fe8172a0 00020130 > > This seems logical: head.h is a void pointer. If we follow the

> we get the handle: 20130. > > If I do the same with the other one: >>>> o2 = obj.Object('tagWND', offset=0xfe807390, > vm=proc().get_process_address_space()) >>>> dd(o2.head.h, length=4) > 000100bc 00000000 > > In this example, the handle is the VALUE of head.h, that is, you > shouldn't follow the pointer. > > Volatility seems to know this because it displays the handles as

being > done, but I couldn't. > So, how?? What rule don't I know?? > > Thanks! > > > _______________________________________________ > Vol-users mailing list > Vol-users(a)volatilityfoundation.org <mailto: