Hey Adam,

For each of the objects (o1 and o2), can you paste the output from the
following commands (ignore the addresses in my examples):

>>> o1
[tagWND tagWND] @ 0xBCA30658
>>> o1.head
[CType head] @ 0xBCA30658
>>> o1.head.h
<Void pointer to [0xBCA306E8]>
>>> dt(o1.head)
[CType head] @ 0xBCA30658
0x0   : h                              3164800744
0x4   : cLockObj                       0
0x8   : pti                            0
0xc   : rpdesk                         0
0x10  : pSelf                          0
>>> dd(o1.head.h, length = 4)
bca306e8  0002002e

Also, what context are you in when running the commands? By that I mean,
what is the value of proc() when you're doing
proc().get_process_address_space()?

MHL

On 5/7/16 9:02 AM, Bridgey theGeek wrote:
> Hi all,
> 
> Doing some work with the windows plugin for VistaSP1x86.
> I have the following two fragments from the output:
> 
> Window Handle: #20130 at 0xfe817078, Name: 
> ClassAtom: 0xc052, Class: ConsoleProgmanHandle
> SuperClassAtom: 0xc018, SuperClass: Edit
> pti: 0xfde11e90, Tid: 3432 at 0x839714e0
> ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
> Visible: Yes
> Left: 82, Top: 456, Bottom: 379, Right: 473
> Style Flags: WS_CHILD,WS_OVERLAPPED,WS_VISIBLE
> ExStyle Flags: WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
> Window procedure: 0x7520d0d4
> 
> Window Handle: #100bc at 0xfe807390, Name: 
> ClassAtom: 0xc052, Class: ConsoleProgmanHandle
> SuperClassAtom: 0xc018, SuperClass: Edit
> pti: 0xfe44d660, Tid: 2552 at 0x837c8778
> ppi: 0xff54be50, Process: explorer.exe, Pid: 2528
> Visible: No
> Left: 11, Top: 542, Bottom: 229, Right: 559
> Style Flags: WS_CHILD,WS_OVERLAPPED
> ExStyle Flags:
> WS_EX_CLIENTEDGE,WS_EX_LTRREADING,WS_EX_RIGHTSCROLLBAR,WS_EX_LEFT
> Window procedure: 0x751f01c6
> 
> Both are from the same instance of explorer.exe.
> 
> Viewing windows.py, it shows that the "Window Handle" is simply the
> value of: wnd.head.h
> 
> Now consider this from volshell:
> >>> o1 = obj.Object('tagWND', offset=0xfe817078,
> vm=proc().get_process_address_space())
> >>> dd(o1.head.h, length=4)
> fe8172a0  00020130
> 
> This seems logical: head.h is a void pointer. If we follow the pointer
> we get the handle: 20130.
> 
> If I do the same with the other one:
> >>> o2 = obj.Object('tagWND', offset=0xfe807390,
> vm=proc().get_process_address_space())
> >>> dd(o2.head.h, length=4)
> 000100bc  00000000
> 
> In this example, the handle is the VALUE of head.h, that is, you
> shouldn't follow the pointer.
> 
> Volatility seems to know this because it displays the handles as 100bc
> rather than 0.
> 
> I searched the Volatility code to see if I could find how this is being
> done, but I couldn't.
> So, how?? What rule don't I know??
> 
> Thanks!
> 
> 
> _______________________________________________
> Vol-users mailing list
> [email protected]
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
> 

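A small diagnostic in the spirit of the request above, added here as an example; it is not part of either message and not Volatility's own code. It reads the dword at tagWND+0 (head.h), classifies it by a kernel/user address boundary, and follows it one level when it looks like a kernel pointer, so the two readings of head.h from the thread (handle value vs. pointer to the handle) can be compared side by side. The "memory" is a constructed dict holding only the dwords quoted in the dd() output; real use would read from a Volatility address space, and which address space is the right context is exactly what the reply asks. The 0x80000000 boundary is an assumption for x86 without /3GB, and the handle split (low 16 bits index the USER handle table, high 16 bits are the uniqueness counter) is the standard USER handle layout.

```python
"""
Added example (not Volatility's code): classify the first dword of a
tagWND candidate as a USER handle value or a kernel pointer and report
what each reading of tagWND.head.h yields.
"""
import struct

# Constructed sample memory: virtual address -> 4 raw little-endian bytes.
# Only the dwords quoted in the thread's dd() output are present.
SAMPLE_MEMORY = {
    0xFE817078: struct.pack("<I", 0xFE8172A0),  # o1: tagWND+0 holds a pointer-looking value
    0xFE8172A0: struct.pack("<I", 0x00020130),  # ... whose target holds the handle value
    0xFE807390: struct.pack("<I", 0x000100BC),  # o2: tagWND+0 holds the handle itself
}

# Assumption: x86 without /3GB, so kernel virtual addresses start at 0x80000000.
KERNEL_BASE = 0x80000000


def read_dword(memory, address):
    """Return the little-endian dword at address, or None if it is unmapped."""
    raw = memory.get(address)
    if raw is None:
        return None
    return struct.unpack("<I", raw)[0]


def split_hwnd(value):
    """Split a USER handle into (index, uniqueness).

    The low 16 bits index the USER handle table; the high 16 bits are the
    uniqueness counter that is bumped when a table slot is reused.
    """
    return value & 0xFFFF, (value >> 16) & 0xFFFF


def classify_head_h(memory, wnd_address):
    """Inspect the dword at tagWND+0 (head.h).

    Returns a dict with:
      raw    - the dword exactly as stored (None if unmapped)
      kind   - "handle" if it lies below KERNEL_BASE, "pointer" if above,
               "unmapped" if nothing is mapped at wnd_address
      handle - the handle value under that reading (followed one level
               when the dword looks like a kernel pointer), or None
      index, uniq - the decomposed handle, present only when one was found
    """
    raw = read_dword(memory, wnd_address)
    if raw is None:
        return {"raw": None, "kind": "unmapped", "handle": None}
    if raw < KERNEL_BASE:
        kind, handle = "handle", raw
    else:
        kind, handle = "pointer", read_dword(memory, raw)
    result = {"raw": raw, "kind": kind, "handle": handle}
    if handle is not None:
        result["index"], result["uniq"] = split_hwnd(handle)
    return result


if __name__ == "__main__":
    for addr in (0xFE817078, 0xFE807390):
        info = classify_head_h(SAMPLE_MEMORY, addr)
        if info["handle"] is None:
            print(f"tagWND @ {addr:#010x}: head.h {info['kind']}, no handle recovered")
            continue
        print(f"tagWND @ {addr:#010x}: head.h raw={info['raw']:#010x} ({info['kind']}), "
              f"handle={info['handle']:#x}, index={info['index']:#x}, "
              f"uniqueness={info['uniq']:#x}")
```

Run against the sample memory it recovers 0x20130 for the first window by following the pointer and 0x100bc for the second by taking the value directly; the point is to make the two interpretations explicit for a given address space rather than to claim which one the plugin applies.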