Thanks MHL!
I didn't appreciate that fact about GUI objects. I'll have to do some more
reading on that.
But for those that are interested...
>>> import volatility.plugins.gui.messagehooks as messagehooks
>>> mh = messagehooks.MessageHooks(self._config)
>>> got = False
>>> for winsta, atom_tables in mh.calculate():
...     for desktop in winsta.desktops():
...         for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
...             if wnd.cbwndExtra == 8:
...                 got = True
...                 break
...         if got:
...             break
...     if got:
...         break
...
>>> wnd
[tagWND spwndNext] @ 0xFFFFF90140A04AD0
>>> wnd2 = obj.Object("tagWND", wnd.v(), desktop.obj_vm)
>>> wnd == wnd2
True
On 15 February 2017 at 14:14, Michael Ligh <michael.ligh(a)mnin.org> wrote:
> Hey Adam,
>
> Addresses of GUI objects are only valid in their "session space" which
> is part of kernel memory. Try passing winsta.obj_vm or desktop.obj_vm as
> the "space" parameter to dt() or db() instead of using the address space
> of the System process.
>
> MHL
>
> On 2/14/17 5:37 PM, Bridgey theGeek wrote:
> > Hi all,
> >
> > I feel like I'm missing something obvious. Consider the following from
> > volshell.
> > Profile is Win10x64 in case it matters; I'd already imported
> > messagehooks (mh).
> >
> > >>> sc()
> > Current context: System @ 0xffffe00012a61840, pid=4, ppid=0 DTB=0x1aa000
> > >>> for winsta, atom_tables in mh.calculate():
> > ...     for desktop in winsta.desktops():
> > ...         for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
> > ...             if wnd.cbwndExtra == 8:
> > ...                 break
> > ...
> > >>> wnd
> > [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> > >>> dt(wnd)
> > [tagWND spwndNext] @ 0xFFFFF90140A04AD0
> > 0x0   : head                        18446736382507371216
> > 0x28  : bActiveFrame                0
> > 0x28  : bAnsiCreator                0
> > --SNIP--
> > 0x120 : bLinked                     1
> > 0x120 : bRedirectedForPrint         0
> > 0x120 : bVerticallyMaximizedLeft    0
> > 0x120 : bVerticallyMaximizedRight   0
> > >>> dt('tagWND', wnd.v())
> > ERROR: could not instantiate object
> >
> > Reason: Invalid Address 0xFFFFF90140A04AD0, instantiating tagWND
> > >>> hex(wnd.v())
> > '0xfffff90140a04ad0L'
> > >>> db(wnd.v())
> > Memory unreadable at fffff90140a04ad0
> >
> > Why is the memory address unreadable? Is my error in assuming that
> > object 'wnd' is made up of bytes located at 0xFFFFF90140A04AD0?
> >
> > Given the address is in Kernel space, I should be able to access it right?
> >
> > Any pointers appreciated! (Pardon the pun.)
> >
> > Adam
> >
> >
> > _______________________________________________
> > Vol-users mailing list
> > Vol-users(a)volatilityfoundation.org
> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
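As an added example (not code from the thread or from Volatility itself), the same lookup generalised: walk every window station and desktop rather than stopping at the first hit, and read each matching tagWND through the session space it belongs to (desktop.obj_vm) instead of the address space of the current volshell context. It assumes the Volatility 2.x object shapes used above; the stub classes at the bottom are constructed stand-ins so it runs without a memory image.

```python
# Added example, not from the thread: read a tagWND through the session space
# it lives in (desktop.obj_vm), not the address space of the volshell context.
# Uses the Volatility 2.x names seen above; the "stubs" section is constructed
# so the logic runs without a memory image.
def find_windows(mh, cbwndextra=8):
    """Yield (desktop, wnd) for every window whose cbwndExtra matches,
    walking all window stations and desktops instead of stopping at one."""
    for winsta, _atom_tables in mh.calculate():
        for desktop in winsta.desktops():
            for wnd, _level in desktop.windows(desktop.DeskInfo.spwnd):
                if wnd.cbwndExtra == cbwndextra:
                    yield desktop, wnd

def read_window(space, wnd, length=16):
    """Return raw tagWND bytes read through `space`, or None when the
    address is not mapped there (the "Memory unreadable" case above)."""
    addr = wnd.v()
    if not space.is_valid_address(addr):
        return None
    return space.read(addr, length)

def session_vs_process(desktop, wnd, process_space):
    """(readable via desktop.obj_vm, readable via the process space)."""
    return (read_window(desktop.obj_vm, wnd) is not None,
            read_window(process_space, wnd) is not None)

# ---- stubs: constructed stand-ins for volshell objects, not the real API ----
class _Space:
    def __init__(self, pages): self.pages = pages          # {addr: bytes}
    def is_valid_address(self, addr): return addr in self.pages
    def read(self, addr, n): return self.pages[addr][:n]
class _Wnd:
    def __init__(self, addr, extra): self.addr, self.cbwndExtra = addr, extra
    def v(self): return self.addr
class _Desktop:
    DeskInfo = type("DeskInfo", (), {"spwnd": None})
    def __init__(self, space, wnds): self.obj_vm, self._wnds = space, wnds
    def windows(self, _root): return [(w, 0) for w in self._wnds]
class _Winsta:
    def __init__(self, desktops): self._desktops = desktops
    def desktops(self): return self._desktops
class _Hooks:
    def __init__(self, winstas): self._winstas = winstas
    def calculate(self): return [(w, None) for w in self._winstas]

WND_ADDR = 0xFFFFF90140A04AD0                        # address from the thread
SESSION_SPACE = _Space({WND_ADDR: b"\x01\x02" * 8})  # mapped in session space
SYSTEM_SPACE = _Space({})                            # System process: unmapped
DESKTOP = _Desktop(SESSION_SPACE, [_Wnd(WND_ADDR, 8), _Wnd(0x1000, 0)])
HOOKS = _Hooks([_Winsta([DESKTOP])])
```

With a real image, pass the MessageHooks instance as `mh` and the address space of the current context (e.g. the System process) as `process_space`; the tuple from `session_vs_process` then shows the (True, False) split the thread describes.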