Re: [Vol-users] windows plugin - handles - what don't I know?

>> o1

>> o1.head

>> o1.head.h

>> dt(o1.head)

>> dd(o1.head.h, length = 4)

Hi all, Doing some work with the windows plugin for VistaSP1x86. I have the following two fragments from the output: Window Handle: #20130 at 0xfe817078, Name: ClassAtom: 0xc052, Class: ConsoleProgmanHandle SuperClassAtom: 0xc018, SuperClass: Edit pti: 0xfde11e90, Tid: 3432 at 0x839714e0 ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 Visible: Yes Left: 82, Top: 456, Bottom: 379, Right: 473 Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT Window procedure: 0x7520d0d4 Window Handle: #100bc at 0xfe807390, Name: ClassAtom: 0xc052, Class: ConsoleProgmanHandle SuperClassAtom: 0xc018, SuperClass: Edit pti: 0xfe44d660, Tid: 2552 at 0x837c8778 ppi: 0xff54be50, Process: explorer.exe, Pid: 2528 Visible: No Left: 11, Top: 542, Bottom: 229, Right: 559 Style Flags: WS_CHILD,WS_OVERLAPPED ExStyle Flags: WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT Window procedure: 0x751f01c6 Both are from the same instance of explorer.exe. Viewing windows.py, it shows that the "Window Handle" is simply the value of: wnd.head.h Now consider this from volshell: vm=proc().get_process_address_space()) fe8172a0 00020130 This seems logical: head.h is a void pointer. If we follow the pointer we get the handle: 20130. If I do the same with the other one: vm=proc().get_process_address_space()) 000100bc 00000000 In this example, the handle is the VALUE of head.h, that is, you shouldn't follow the pointer. Volatility seems to know this because it displays the handles as 100bc rather than 0. I searched the Volatility code to see if I could find how this is being done, but I couldn't. So, how?? What rule don't I know?? Thanks! _______________________________________________ Vol-users mailing list Vol-users(a)volatilityfoundation.org http://lists.volatilityfoundation.org/mailman/listinfo/vol-users