Hi all,
I know in an ideal world I'd submit this as a pull request to the GitHub
project, but you'll see why I haven't.
With the Win81U1x64 profile, the `windows` plugin is able to correctly
report the associated PID:

Window Handle: #20074 at 0xfffff90140819cf0, Name: Untitled - Notepad
ClassAtom: 0xc12c, Class: -
SuperClassAtom: 0xc12c, SuperClass: -
pti: 0xfffff9014225b9b0, Tid: 2532 at 0xffffe00001dbe600
ppi: 0xfffff90140747010, Process: notepad.exe, Pid: 2528

However, using the Win10x64 profile it cannot, because tagWND.head.pti.ppi
is 0x0.

Window Handle: #10222 at 0xfffff90140a26ae0, Name: Untitled - Notepad
ClassAtom: 0xc16d, Class: -
SuperClassAtom: 0xc16d, SuperClass: -
pti: 0xfffff90141fa3b20, Tid: 4652 at 0xffffe00014b9e380
ppi: 0x0, Process: -, Pid: -

I'm pretty sure I've traced this to being that in tagWND.head.pti the
offset to ppi is wrong.

$ python vol.py -f Win10x64.vmem --profile Win10x64 volshell
--SNIP--
>> dt('tagTHREADINFO')
'tagTHREADINFO' (936 bytes)
0x0 : pEThread ['pointer64', ['_ETHREAD']]
0x8 : RefCount ['unsigned long']
--SNIP--
0x168 : spklActive ['pointer64', ['tagKL']]
0x170 : pcti ['pointer64', ['tagCLIENTTHREADINFO']]
0x170 : ppi ['pointer', ['tagPROCESSINFO']]
0x178 : rpdesk ['pointer64', ['tagDESKTOP']]
--SNIP--

You can see that `ppi`, the pointer to `tagPROCESSINFO`, is at 0x170 - the
same as `pcti`.
The pointer to the tagPROCESSINFO structure is actually at 0x178 -
currently shown as `rpdesk`.
If I modify `volatility/plugins/gui/vtypes/win8.py`, at line 197 from:

'ppi': [0x170, ['pointer', ['tagPROCESSINFO']]],

to:

'ppi': [0x178, ['pointer', ['tagPROCESSINFO']]],

the `windows` plugin now behaves itself:

Window Handle: #10222 at 0xfffff90140a26ae0, Name: Untitled - Notepad
ClassAtom: 0xc16d, Class: -
SuperClassAtom: 0xc16d, SuperClass: -
pti: 0xfffff90141fa3b20, Tid: 4652 at 0xffffe00014b9e380
ppi: 0xfffff90141fa5c10, Process: notepad.exe, Pid: 3692

And it's at this point where my understanding of the Volatility code breaks
down and why I'm not comfortable submitting a pull request. I don't know
how to implement an overlay for Win10 and what knock-on effect it might
have.

My *guess* would be that Microsoft has added an extra value to the
tagTHREADINFO structure between Windows 8 and Windows 10 meaning the offset
(within the tagTHREADINFO structure) has moved along 8 bytes (0x170 ->
0x178), but I don't know the rest of the structure well enough to
confidently validate this theory.

Perhaps one of the Volatility core developers does?
Thanks,
Adam
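An added sanity check, not part of the post above or of Volatility's own code: it runs over a subset of the tagTHREADINFO vtype reconstructed from the volshell output in the post and applies the proposed 0x178 offset as a Volatility-style overlay (a None in an overlay entry keeps the existing value). It reports the pcti/ppi collision at 0x170, and also that moving only ppi leaves it sharing 0x178 with rpdesk, which is the knock-on effect the post asks about.

```python
import copy

# Byte sizes for the scalar type names used below (x64 pointers). Assumed.
TYPE_SIZES = {'pointer': 8, 'pointer64': 8, 'unsigned long': 4}

# Subset of tagTHREADINFO as volshell printed it for Win10x64 (constructed
# from the post's output; Volatility vtype shape: {name: [size, {member: [off, type]}]}).
TAGTHREADINFO_WIN10 = {
    'tagTHREADINFO': [936, {
        'pEThread':   [0x0,   ['pointer64', ['_ETHREAD']]],
        'RefCount':   [0x8,   ['unsigned long']],
        'spklActive': [0x168, ['pointer64', ['tagKL']]],
        'pcti':       [0x170, ['pointer64', ['tagCLIENTTHREADINFO']]],
        'ppi':        [0x170, ['pointer', ['tagPROCESSINFO']]],
        'rpdesk':     [0x178, ['pointer64', ['tagDESKTOP']]],
    }],
}

# The post's proposed change expressed as an overlay (size and type kept).
PPI_OVERLAY = {'tagTHREADINFO': [None, {'ppi': [0x178, None]}]}


def find_overlaps(vtypes, struct_name):
    """Return sorted (a, b) member-name pairs whose byte ranges overlap."""
    members = vtypes[struct_name][1]
    spans = sorted((off, off + TYPE_SIZES[typ[0]], name)
                   for name, (off, typ) in members.items())
    overlaps = []
    for i, (start, end, name) in enumerate(spans):
        for start2, _, name2 in spans[i + 1:]:
            if start2 >= end:      # spans are sorted by start: no later overlap
                break
            overlaps.append(tuple(sorted((name, name2))))
    return sorted(overlaps)


def apply_overlay(vtypes, overlay):
    """Merge an overlay into a copy of vtypes; None entries keep old values."""
    out = copy.deepcopy(vtypes)
    for struct, (size, members) in overlay.items():
        if size is not None:
            out[struct][0] = size
        for name, (off, typ) in members.items():
            cur = out[struct][1].get(name, [None, None])
            out[struct][1][name] = [off if off is not None else cur[0],
                                    typ if typ is not None else cur[1]]
    return out


if __name__ == '__main__':
    print('before:', find_overlaps(TAGTHREADINFO_WIN10, 'tagTHREADINFO'))
    fixed = apply_overlay(TAGTHREADINFO_WIN10, PPI_OVERLAY)
    print('after: ', find_overlaps(fixed, 'tagTHREADINFO'))
```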