Where are the handles for the StandardInput, StandardOutput and StandardError in the windows.handles output?
Describe the bug The windows.handles plugin does not print the handles for the StandardInput, StandardOutput and StandardError.
Context
Volatility Version: 2.0.0
Operating System: Ubuntu 20.04
Python Version: 3.8
Suspected Operating System: Windows 10 and 11
Command: vol -f win11.vmem windows.handles --pid 1234
To Reproduce Steps to reproduce the behavior:
On a Windows 10 or 11 computer, I start netcat to listen on port 4444 and start cmd.exe when a connection is made: nc.exe -Ldp 4444 -e cmd.exe
From another computer, I connect to 4444, and I get a command prompt. If I use ProcessHacker on the first computer, I can see that the stdin, stdout and stderr of cmd.exe have the same handle, which is a connection to a socket. I can see the address in kernel memory of the handle. If I search for this address, I can see that nc.exe also has that handle. This is useful information in my investigation.
When I dump the RAM and analyze it in Volatility, I am able to get the index of the stdin, stdout and stderr handles using a plugin I wrote. I simply call proc.get_peb().ProcessParameters.StandardInput on all the processes obtained from windows.pslist. However, when I then list the handles for the cmd.exe process (pid 1234):
$ vol -f win11.vmem windows.handles --pid 1234
I do not see any handles that have the same index as the one I got for stdin, stdout and stderr. In the past, I was able to do that on a Windows 7 memory dump and the handles would be included in the output of the handles plugin. On Win10 or 11, it seems like the stdin, stdout and stderr are not stored in the handle table?
Expected behavior When I list the handles for a process, I expect to see the handles pointed to by stdin, stdout and stderr. I don't know why they are missing from the list. On a live system, ProcessHacker is able to list these handles.
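The cross-referencing the reporter describes (take the StandardInput/StandardOutput/StandardError values from PEB.ProcessParameters, find the matching rows in windows.handles, then find every other process holding a handle to the same kernel object) can be done offline on the plugin's text output. The script below is an added example, not code from the issue or from Volatility 3. It assumes the windows.handles table columns Offset, PID, Process, HandleValue, Type, GrantedAccess, Name in that order, and the handle table and PEB values it works on are constructed sample data shaped after the scenario in the report (cmd.exe pid 1234 spawned by nc.exe), not real dump output.

```python
"""Match PEB standard handles against windows.handles rows and find sharers.

Added example, not part of the issue or of Volatility 3. Input is the text
table printed by `vol -f <dump> windows.handles` (columns assumed: Offset,
PID, Process, HandleValue, Type, GrantedAccess, Name) plus the
StandardInput/Output/Error values read from PEB.ProcessParameters by a plugin
of your own. Every sample value below is constructed for this example.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class HandleRow:
    offset: int          # kernel address of the object body (Offset column)
    pid: int
    process: str
    handle_value: int    # HandleValue column, the process-local handle
    obj_type: str
    granted_access: int
    name: str            # may be empty for unnamed objects


def parse_handles_output(text: str) -> List[HandleRow]:
    """Parse the whitespace-separated table written by windows.handles.

    Header, banner and progress lines do not start with a hex Offset and are
    skipped. Name is the last column and may contain spaces or be absent.
    """
    rows: List[HandleRow] = []
    for line in text.splitlines():
        parts = line.split(maxsplit=6)
        if len(parts) < 6 or not parts[0].startswith("0x"):
            continue
        name = parts[6].strip() if len(parts) == 7 else ""
        rows.append(HandleRow(int(parts[0], 16), int(parts[1]), parts[2],
                              int(parts[3], 16), parts[4], int(parts[5], 16), name))
    return rows


def table_index(handle: int) -> int:
    """Handle table index for a HANDLE value.

    Kernel handle values are multiples of four; the low two bits are left to
    the application as tag bits, so they are dropped before comparing a PEB
    value with the HandleValue column.
    """
    return handle >> 2


def find_std_handles(rows: List[HandleRow], pid: int,
                     std_handles: Dict[str, int]) -> Dict[str, Optional[HandleRow]]:
    """Map 'stdin'/'stdout'/'stderr' to the handle row of `pid` with the same index, or None."""
    by_index = {table_index(r.handle_value): r for r in rows if r.pid == pid}
    return {label: by_index.get(table_index(h)) for label, h in std_handles.items()}


def processes_sharing_object(rows: List[HandleRow], offset: int) -> Dict[int, List[HandleRow]]:
    """All handles, grouped by PID, that point at the same object body address."""
    shared: Dict[int, List[HandleRow]] = defaultdict(list)
    for r in rows:
        if r.offset == offset:
            shared[r.pid].append(r)
    return dict(shared)


# Constructed sample: shaped like windows.handles output, not taken from a dump.
# The socket object at 0xffff8a01aabbccd0 is held by both cmd.exe and nc.exe.
SAMPLE_HANDLES = """\
Volatility 3 Framework 2.0.0
Offset\tPID\tProcess\tHandleValue\tType\tGrantedAccess\tName
0xffff8a0123456780\t1234\tcmd.exe\t0x4\tEvent\t0x1f0003\t
0xffff8a01aabbccd0\t1234\tcmd.exe\t0x60\tFile\t0x12019f\t\\Device\\Afd
0xffff8a01aabbccd0\t4321\tnc.exe\t0xa8\tFile\t0x12019f\t\\Device\\Afd
0xffff8a01deadbe00\t4321\tnc.exe\t0x8\tKey\t0x20019\tMACHINE\\SYSTEM\\CONTROLSET001
"""

# Constructed PEB.ProcessParameters values for pid 1234 (all three redirected
# to the same handle, as the report describes for cmd.exe under nc -e).
CMD_STD_HANDLES = {"stdin": 0x60, "stdout": 0x60, "stderr": 0x60}


def report(handles_text: str, pid: int, std_handles: Dict[str, int]) -> List[str]:
    """Human-readable lines: where each std handle points and who else holds that object."""
    rows = parse_handles_output(handles_text)
    lines = []
    for label, row in find_std_handles(rows, pid, std_handles).items():
        if row is None:
            lines.append(f"{label}: 0x{std_handles[label]:x} has no row in windows.handles")
            continue
        lines.append(f"{label}: 0x{row.handle_value:x} -> {row.obj_type} {row.name} @ 0x{row.offset:x}")
        for other_pid, other in processes_sharing_object(rows, row.offset).items():
            if other_pid != pid:
                lines.append(f"  also held by pid {other_pid} ({other[0].process}) as 0x{other[0].handle_value:x}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_HANDLES, 1234, CMD_STD_HANDLES)))
```

To use it on a real case, redirect `vol -f win11.vmem windows.handles` (without --pid, so the other processes holding the object are in the table too) to a file and feed its contents as `handles_text`, with the three PEB values from your own plugin as `std_handles`. A std handle that reports "no row" is exactly the situation the issue describes; one that matches lets you pivot on the Offset column to the parent, here nc.exe, the way ProcessHacker does on a live system.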
Sounds like one for our windows expert @iMHLv2 ... 5:)
I am very interested in knowing where the actual handles for stdin, stdout and stderr are in Windows 10 and newer (not just their index in Peb.ProcessParameters.StandardInput/Output/Error). If someone has that information, this could help me develop an initial solution to include those handles in the windows.handles plugin. I searched the web, but could not find anything. Any help is appreciated. Thx.