Hey Adam,
Addresses of GUI objects are only valid in their "session space" which
is part of kernel memory. Try passing winsta.obj_vm or desktop.obj_vm as
the "space" parameter to dt() or db() instead of using the address space
of the System process.
MHL
On 2/14/17 5:37 PM, Bridgey theGeek wrote:
Hi all,
I feel like I'm missing something obvious. Consider the following from
volshell.
Profile is Win10x64 in case it matters; I'd already imported
messagehooks (mh).
>> sc()
Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
>> for winsta, atom_tables in mh.calculate():
...     for desktop in winsta.desktops():
...         for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...             if wnd.cbwndExtra == 8:
...                 break
>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>> dt(wnd)
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
0x0 : head 18446736382507371216
0x28 : bActiveFrame 0
0x28 : bAnsiCreator 0
--SNIP--
0x120 : bLinked 1
0x120 : bRedirectedForPrint 0
0x120 : bVerticallyMaximizedLeft 0
0x120 : bVerticallyMaximizedRight 0
>> dt('tagWND', wnd.v())
ERROR: could not instantiate object
Reason: Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
>> hex(wnd.v())
'0xfffff90140a04ad0L'
>> db(wnd.v())
Memory unreadable at fffff90140a04ad0
Why is the memory address unreadable? Is my error in assuming that
object 'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?
Given the address is in Kernel space, I should be able to access it right?
Any pointers appreciated! (Pardon the pun.)
Adam
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
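Added example (not part of the original thread and not Volatility's own code): a small helper that tries one virtual address in several address spaces, which is the check the reply above suggests doing by hand. It assumes only the Volatility 2 address-space methods `is_valid_address()` and `read()` and the object attributes `obj_offset` and `obj_vm`; `probe`, `object_bytes`, `FakeSpace` and `FakeObject` are hypothetical names, and the page contents are constructed so the block runs without a memory image.

```python
# Added example, not Volatility code. The two helpers rely only on the
# Volatility 2 address-space methods is_valid_address() and read().

def probe(address, spaces, length=16):
    """Try one virtual address in several address spaces.

    Returns {name: bytes} where the address translates and {name: None}
    where it does not (the "Memory unreadable" case in the session above).
    """
    found = {}
    for name, space in spaces.items():
        ok = space.is_valid_address(address)
        found[name] = space.read(address, length) if ok else None
    return found


def object_bytes(obj, length=16):
    """Read an object's bytes through the space it was instantiated in."""
    return obj.obj_vm.read(obj.obj_offset, length)


# ---- constructed stand-ins so the block runs without a memory image ----
class FakeSpace(object):
    """Page-granular map of virtual address -> bytes (assumed toy model)."""
    def __init__(self, pages):
        self.pages = pages

    def is_valid_address(self, addr):
        return (addr & ~0xFFF) in self.pages

    def read(self, addr, length):
        # Reads are assumed not to cross a page boundary in this model.
        page = self.pages.get(addr & ~0xFFF)
        return None if page is None else page[addr & 0xFFF:][:length]


class FakeObject(object):
    def __init__(self, offset, vm):
        self.obj_offset, self.obj_vm = offset, vm


WND = 0xFFFFF90140A04AD0      # tagWND address from the session above
EPROC = 0xffffe00012a61840    # System process address printed by sc()
shared = {EPROC & ~0xFFF: b"\x03" * 0x1000}       # constructed contents
system_space = FakeSpace(dict(shared))            # no session mapping
session_pages = dict(shared)
session_pages[WND & ~0xFFF] = b"\xAA" * 0x1000    # constructed contents
session_space = FakeSpace(session_pages)          # stands in for wnd.obj_vm
```

In volshell the same `probe()` call can be given `wnd.obj_offset` and a dict holding `wnd.obj_vm` (or `winsta.obj_vm`) next to the space you were already using, to see which one maps the object.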