Thanks MHL!

I didn't appreciate that fact about GUI objects. I'll have to do some more reading on that.
But for those that are interested...
>>> import volatility.plugins.gui.messagehooks as messagehooks
>>> mh = messagehooks.MessageHooks(self._config)
>>> got = False
>>> for winsta, atom_tables in mh.calculate():
...     for desktop in winsta.desktops():
...         for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...             if wnd.cbwndExtra == 8:
...                 got = True
...                 break
...         if got:
...             break
...     if got:
...         break
...
>>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>>> wnd2 = obj.Object("tagWND", wnd.v(), desktop.obj_vm)
>>> wnd == wnd2
True

On 15 February 2017 at 14:14, Michael Ligh <michael.ligh@mnin.org> wrote:
Hey Adam,

Addresses of GUI objects are only valid in their "session space" which
is part of kernel memory. Try passing winsta.obj_vm or desktop.obj_vm as
the "space" parameter to dt() or db() instead of using the address space
of the System process.

MHL

On 2/14/17 5:37 PM, Bridgey theGeek wrote:
> Hi all,
>
> I feel like I'm missing something obvious. Consider the following from
> volshell.
> Profile is Win10x64 in case it matters; I'd already imported
> messagehooks (mh).
>
> >>> sc()
> Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
> >>> for winsta, atom_tables in mh.calculate():
> ... for desktop in winsta.desktops():
> ...     for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
> ...         if wnd.cbwndExtra == 8:
> ...             break
> >>> wnd
> [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> >>> dt(wnd)
> [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> 0x0   : head                           18446736382507371216
> 0x28  : bActiveFrame                   0
> 0x28  : bAnsiCreator                   0
> --SNIP--
> 0x120 : bLinked                        1
> 0x120 : bRedirectedForPrint            0
> 0x120 : bVerticallyMaximizedLeft       0
> 0x120 : bVerticallyMaximizedRight      0
> >>> dt('tagWND', wnd.v())
> ERROR: could not instantiate object
>
> Reason:  Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
> >>> hex(wnd.v())
> '0xfffff90140a04ad0L'
> >>> db(wnd.v())
> Memory unreadable at fffff90140a04ad0
>
> Why is the memory address unreadable? Is my error in assuming that
> object 'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?
>
> Given the address is in Kernel space, I should be able to access it right?
>
> Any pointers appreciated! (Pardon the pun.)
>
> Adam
>
>
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilesystems.com
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>
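The search in the thread, written without the nested break/flag dance, plus the re-instantiation step MHL describes: the window is re-read through the desktop's own obj_vm (the session-space address space) and a validity check shows why the same address fails through the System process's space. This is an added example, not code from either poster. The `find_window` and `reinstantiate` functions use the Volatility 2.x API names seen in the thread (`calculate`, `desktops`, `windows`, `DeskInfo.spwnd`, `cbwndExtra`, `v()`, `obj_vm`, `obj.Object`) and the address-space method `is_valid_address`; the fake classes below them are constructed stand-ins so the logic runs without Volatility or a memory image.

```python
# Added example, not code from the thread. Real use needs Volatility 2.x
# (volatility.obj, the gui.messagehooks plugin) and a memory image; the
# fake objects under "offline demo" are constructed so the logic runs here.


def find_window(mh, cbwndextra=8):
    """Walk window stations -> desktops -> windows and return (desktop, wnd)
    for the first tagWND whose cbwndExtra equals `cbwndextra`.

    Returning from inside the loops replaces the nested break/flag pattern;
    the desktop is returned too because its obj_vm is the session space in
    which the window's address is actually valid."""
    for winsta, _atom_tables in mh.calculate():
        for desktop in winsta.desktops():
            for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
                if wnd.cbwndExtra == cbwndextra:
                    return desktop, wnd
    return None, None


def reinstantiate(wnd, space, factory=None):
    """Re-create a tagWND at wnd's address inside `space`.

    Returns None when `space` cannot translate the address, which is what
    happens if the System process's space is used for a session-space
    address. `factory` defaults to volatility.obj.Object (Volatility 2.x)."""
    if factory is None:
        import volatility.obj as obj  # lazy import: only needed on real images
        factory = obj.Object
    addr = wnd.v()
    if not space.is_valid_address(addr):
        return None
    return factory("tagWND", addr, space)


# ---- offline demo: constructed stand-ins for the Volatility objects ----

class FakeSpace(object):
    """Address space that only knows a handful of mapped 4 KiB pages."""
    def __init__(self, mapped_pages):
        self.mapped = set(mapped_pages)

    def is_valid_address(self, addr):
        return (addr & ~0xFFF) in self.mapped


class FakeWnd(object):
    def __init__(self, offset, cbwndextra):
        self.offset, self.cbwndExtra = offset, cbwndextra

    def v(self):
        return self.offset


class FakeDesktop(object):
    class DeskInfo(object):
        spwnd = None  # head of the window list; the fake walker ignores it

    def __init__(self, vm, windows):
        self.obj_vm, self._windows = vm, windows

    def windows(self, _head):
        return [(w, 0) for w in self._windows]


class FakeWinsta(object):
    def __init__(self, desktops):
        self._desktops = desktops

    def desktops(self):
        return self._desktops


class FakePlugin(object):
    def __init__(self, winstas):
        self._winstas = winstas

    def calculate(self):
        return [(w, None) for w in self._winstas]


WND_ADDR = 0xFFFFF90140A04AD0  # the window address from the thread, as sample data


def demo():
    """Returns (found address, result via System's space, result via session space)."""
    session_space = FakeSpace([WND_ADDR & ~0xFFF])  # session space maps the window
    system_space = FakeSpace([0xFFFFE00012A61000])  # System's space does not
    desktop = FakeDesktop(session_space, [FakeWnd(WND_ADDR - 0x200, 0),
                                          FakeWnd(WND_ADDR, 8)])
    mh = FakePlugin([FakeWinsta([desktop])])
    fake_factory = lambda typ, off, vm: (typ, off, vm)  # stands in for obj.Object

    desktop_found, wnd = find_window(mh, 8)
    via_system = reinstantiate(wnd, system_space, fake_factory)
    via_session = reinstantiate(wnd, desktop_found.obj_vm, fake_factory)
    return wnd.v(), via_system, via_session


if __name__ == "__main__":
    print(demo())
```

On a real image, `find_window(mh)` with a `MessageHooks` instance and `reinstantiate(wnd, desktop.obj_vm)` give the same result as the `obj.Object("tagWND", wnd.v(), desktop.obj_vm)` line in the thread; the `is_valid_address` check is the programmatic equivalent of the "Invalid Address" / "Memory unreadable" errors seen when the System process's space is used.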