
Add Stack Plugin

Status: Open. the-rectifier opened this issue 6 months ago • 2 comments

A plugin that dumps the stack for each (running) thread.

It grabs the current RSP from the TrapFrame _ETHREAD->_KTHREAD->_KTRAP_FRAME.Rsp, and the Stack base from _ETHREAD->_KTHREAD->_TEB.NT_TIB.StackBase

This could (and probably should) be part of another plugin like memmap, but I figured I would submit it for review and then change it.

Edit: No issues with the _NT_TIB object, see referenced 'issue'

the-rectifier, May 23 '25 02:05

It might be worth making an issue for the dt() problem. Perhaps I broke something with https://github.com/volatilityfoundation/volatility3/pull/1748

eve-mem, May 23 '25 15:05

Maybe this plugin can be enhanced to list the actual call stack?

SolitudePy, Jun 25 '25 20:06

Hello @ikelos, thank you for all the pointers (and apologies for the tears). I will make the code more modular and also create the NT_TIB object rather than reading an address of it directly from the layer.

Would migrating (a part of) this over to extensions.ETHREAD make sense? I was thinking of a get_stack() method that this plugin will call on each constructed _ETHREAD object:

for thread in active_thread_list:
	stack = thread.get_stack()

the-rectifier, Jul 07 '25 22:07

@SolitudePy, I think this is a nice addition, but I'm afraid I don't have the time to debug a process and find a way to follow the call stack, at least not right now. Maybe I will revisit it when my program is a bit lighter, but feel free to contribute if you want!

the-rectifier, Jul 07 '25 23:07
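As an added example (not code from this issue, the submitted plugin, or the volatility3 project), here is the core of what the issue describes, written stand-alone so it runs without volatility3: take the saved user-mode Rsp from the thread's trap frame and StackBase from the TEB, validate them, and dump the live part of the stack. It also goes one step past the issue, toward the call-stack question raised in the thread, with a heuristic return-address scan over the dumped slots. `FakeLayer` (a stand-in exposing `read(offset, length)` the way a volatility3 memory layer does), `ThreadView`, the addresses and the module ranges are all constructed for the example; in a real plugin the reads go through the process layer and the values come from the _ETHREAD/_KTHREAD/_TEB objects named above. StackLimit is included because checking Rsp against [StackLimit, StackBase) is what keeps a thread captured in kernel mode, or a stale TEB, from turning into a read of arbitrary memory.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PTR_SIZE = 8               # x64 stack slots
MAX_STACK_BYTES = 1 << 20  # refuse absurd sizes that a corrupt TEB would produce


class FakeLayer:
    """Stand-in for a volatility3 memory layer (constructed for this example).
    read(offset, length) over a dict of base_address -> bytes regions."""

    def __init__(self, regions: Dict[int, bytes]) -> None:
        self.regions = regions

    def read(self, offset: int, length: int) -> bytes:
        for base, data in self.regions.items():
            if base <= offset and offset + length <= base + len(data):
                return data[offset - base:offset - base + length]
        raise ValueError(f"unmapped read at {offset:#x} (+{length:#x})")


@dataclass
class ThreadView:
    """Hypothetical container for the values the plugin pulls out of one thread."""
    tid: int
    trap_frame_rsp: Optional[int]  # _KTRAP_FRAME.Rsp, None when TrapFrame is NULL
    stack_base: int                # _NT_TIB.StackBase: highest stack address (exclusive)
    stack_limit: int               # _NT_TIB.StackLimit: lowest committed stack address


def stack_range(t: ThreadView) -> Optional[Tuple[int, int]]:
    """Return (rsp, stack_base) to dump, or None when the values cannot be trusted:
    NULL trap frame, Rsp outside [StackLimit, StackBase), misaligned Rsp, or an
    implausible size."""
    if t.trap_frame_rsp is None:
        return None
    rsp = t.trap_frame_rsp
    if rsp % PTR_SIZE or t.stack_limit >= t.stack_base:
        return None
    if not (t.stack_limit <= rsp < t.stack_base):
        return None
    if t.stack_base - rsp > MAX_STACK_BYTES:
        return None
    return rsp, t.stack_base


def dump_stack(layer: FakeLayer, t: ThreadView) -> Optional[bytes]:
    """Bytes from the saved user-mode Rsp up to StackBase: the in-use part of the stack."""
    rng = stack_range(t)
    if rng is None:
        return None
    rsp, base = rng
    return layer.read(rsp, base - rsp)


def scan_return_addresses(stack: bytes, rsp: int,
                          modules: Dict[str, Tuple[int, int]]) -> List[Tuple[int, int, str]]:
    """Heuristic call-stack recovery: each pointer-aligned slot whose value lands in a
    loaded module's [start, end) range is a candidate return address. Stale frames
    survive on the stack, so this over-approximates; it is candidates, not a backtrace."""
    hits = []
    for off in range(0, len(stack) - PTR_SIZE + 1, PTR_SIZE):
        value = struct.unpack_from("<Q", stack, off)[0]
        for name, (start, end) in modules.items():
            if start <= value < end:
                hits.append((rsp + off, value, name))
                break
    return hits


# Constructed sample: a 16 KiB user stack whose top 0x100 bytes are in use.
STACK_LIMIT = 0x7FF00000
STACK_BASE = 0x7FF04000
RSP = 0x7FF03F00
MODULES = {  # constructed, not real load addresses
    "ntdll.dll": (0x7FFD20000000, 0x7FFD20200000),
    "kernel32.dll": (0x7FFD10000000, 0x7FFD10100000),
}


def build_sample() -> Tuple[FakeLayer, ThreadView]:
    slots = [0] * ((STACK_BASE - RSP) // PTR_SIZE)  # 32 slots of zeroed locals
    slots[1] = 0x7FFD20001234   # return address into ntdll
    slots[2] = 0x1A2B3C         # heap pointer: not a module, must be skipped
    slots[3] = 0x7FFD10005678   # return address into kernel32
    data = b"".join(struct.pack("<Q", s) for s in slots)
    thread = ThreadView(tid=0x1234, trap_frame_rsp=RSP,
                        stack_base=STACK_BASE, stack_limit=STACK_LIMIT)
    return FakeLayer({RSP: data}), thread


def analyze(layer: FakeLayer, t: ThreadView) -> Optional[List[Tuple[int, int, str]]]:
    stack = dump_stack(layer, t)
    if stack is None:
        return None
    return scan_return_addresses(stack, t.trap_frame_rsp, MODULES)


if __name__ == "__main__":
    layer, thread = build_sample()
    for slot, value, module in analyze(layer, thread) or []:
        print(f"tid {thread.tid:#x}: [{slot:#x}] = {value:#x} -> {module}")
    kernel_thread = ThreadView(tid=8, trap_frame_rsp=0xFFFFF80012345000,
                               stack_base=STACK_BASE, stack_limit=STACK_LIMIT)
    print("kernel-mode rsp rejected:", dump_stack(layer, kernel_thread) is None)
```

The range check is the part worth keeping whatever shape the plugin ends up in: a thread captured while in kernel mode has a kernel Rsp in its trap frame, and dumping from there to a user-mode StackBase is a multi-terabyte read. The return-address scan is deliberately crude; a real unwinder would need the modules' unwind data, which is what the thread discusses as future work.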