volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard

Published 20 hours ago verified publisher icon volatilityfoundation

Wrong member to get _EPROCESS from _ETHREAD in newer versions

Open paulkermann opened this issue 3 years ago • 4 comments

https://github.com/volatilityfoundation/volatility3/blob/db20ccf8901b60edd3b817c41227410631b2ab99/volatility3/framework/symbols/windows/extensions/init.py#L453

In newer windows versions the _KPROCESS is at Tcb.Process. One would also need to cast that into a _EPROCESS structure as that's ThreadsProcess type.

paulkermann avatar Apr 27 '22 07:04 paulkermann

Thank you for the good issue. 🙂

I checked as you said and it seems that the new version does not support the ThreadProcess structure of _ETHREAD. Maybe it's right to change.

However, the purpose of "owning_process" method is to return the _EPROCESS structure that matches Thread, but returning the _KPROCESS structure of Tcb.Process seems a little different. Is there a pointer or structure that references _EPROCESS in _KPROCESS or is there any knowledge I'm missing?

(This question may be a educational question.)

++ Come to think of it, I think we can get an EPROCESS structure if we go back to the offset by the size of the Pcb and then cast it.. 🤔

digitalisx avatar Apr 27 '22 12:04 digitalisx

@digitalisx The _KPROCESS is the first member of the _EPROCESS structure so you can cast it as needed.

paulkermann avatar Apr 27 '22 13:04 paulkermann

@paulkermann Thank you for your answer! I think it was a very easy question..😅 Additional, I've explored and the owning_process method is being used here. https://github.com/volatilityfoundation/volatility3/blob/c40e088370baa8318c5912d1eec7cb98e587045f/volatility3/framework/plugins/windows/psscan.py#L119 There is no separate error when using psscan. However, there is a high probability that the current method will not be able to get the data you want from the latest version of Windows. 🧐

digitalisx avatar Apr 27 '22 13:04 digitalisx

@digitalisx according to https://github.com/volatilityfoundation/volatility3/blob/c40e088370baa8318c5912d1eec7cb98e587045f/volatility3/framework/plugins/windows/psscan.py#L166 it should work on newer windows versions (10+) but yeah kinda sus.

paulkermann avatar Apr 27 '22 14:04 paulkermann

Hello, @paulkermann This issue we were discussing has been merged well this time. If you have any good issues in the future, please leave them. It's fun to discuss and learn together! :)

digitalisx avatar Aug 24 '22 16:08 digitalisx