
Fix: get `owning_process` method from `_ETHREAD`.

Open digitalisx opened this issue 2 years ago • 7 comments

Description

Hello, everyone in the community. 🙂 We could access _EPROCESS objects from Thread through a structure called ThreadProcess in an older version of Windows.

https://github.com/volatilityfoundation/volatility3/blob/c40e088370baa8318c5912d1eec7cb98e587045f/volatility3/framework/plugins/windows/psscan.py#L119

Currently in Volatility3, a method called owning_process provides this functionality to users who want to use the _ETHREAD object in this way. Of course, PSScan, which is the only plugin using this method, branches on the operating system version, so it is not likely to be used on a new version, and it is somewhat unlikely that an error will occur.

However, the _ETHREAD object's owning_process method must fulfill its role on the latest operating systems and be made available to developers and users.

The newly proposed method is a version that works with any operating system version. I think it will be helpful for thread-related plugins or work in the future.

```mermaid
classDiagram
_EPROCESS <-- _KTHREAD
_KTHREAD <-- _ETHREAD
class _ETHREAD {
    _KTHREAD: Tcb
}
class _KTHREAD{
    _KPROCESS*: Process
}
class _EPROCESS{
    _KPROCESS: Pcb
}
```

Result

I verified that the proposed method correctly returns the _EPROCESS object. We will be able to access the correct _EPROCESS structure through the owning_process method.

Fixes #717

```python
# Debug logging used to verify the new owning_process() against pslist and the thread's Cid
vollog.log(constants.LOGLEVEL_VVV, f"PSLIST PID: {proc.UniqueProcessId}")
vollog.log(constants.LOGLEVEL_VVV, f"_ETHREAD Data: {thread_data}")
vollog.log(constants.LOGLEVEL_VVV, f"_ETHREAD OwningProccess PID: {ethread.owning_process().UniqueProcessId}")
vollog.log(constants.LOGLEVEL_VVV, f"_ETHREAD CID PID: {ethread.Cid.UniqueProcess}")
```

```
Level 7  volatility3.plugins.windows.threads: PSLIST PID: 4
Level 7  volatility3.plugins.windows.threads: _ETHREAD Data: {'pid': 4, 'tid': 2636, 'tpid': 4, 'thread_state': 'Waiting', 'thread_wait_reason': 'Executive', 'thread_create_time': datetime.datetime(2021, 7, 14, 17, 2, 32), 'thread_end_time': datetime.datetime(1600, 8, 20, 9, 51, 5), 'thread_win32startaddress': '0xf804835dd010'}
Level 7  volatility3.plugins.windows.threads: _ETHREAD OwningProccess PID: 4
Level 7  volatility3.plugins.windows.threads: _ETHREAD CID PID: 4
```

digitalisx avatar May 01 '22 15:05 digitalisx
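An added illustration of the lookup the class diagram describes, written for this page and not taken from the PR or from Volatility3. It models the kernel layer as a flat byte buffer with constructed, simplified offsets (the real ones come from the ISF symbol tables); the only structural facts it relies on are that Tcb is the first member of _ETHREAD and Pcb (the _KPROCESS) is the first member of _EPROCESS, which is what makes casting the _KPROCESS pointer to _EPROCESS valid. The "modern"/"legacy" layout names, `Struct`, `Memory`, `build_image` and `owning_pid` are all hypothetical helpers for the example; the cross-check mirrors the one in the PR's log (owning_process PID == pslist PID == Cid.UniqueProcess), and it also shows the failure mode a practitioner should handle, a null or out-of-image process pointer from a thread whose process has been torn down or whose memory was not captured.

```python
"""Toy model of _ETHREAD.owning_process() over a constructed 64-bit image."""
import struct
from typing import Dict, Optional

Layout = Dict[str, Dict[str, int]]

# Constructed offsets for the example only (NOT real Windows offsets).
LAYOUTS: Dict[str, Layout] = {
    # Newer layouts: _KTHREAD carries a direct Process pointer.
    "modern": {
        "_ETHREAD": {"Tcb": 0x000, "Cid.UniqueProcess": 0x100},
        "_KTHREAD": {"Process": 0x020},
        "_KPROCESS": {},
        "_EPROCESS": {"Pcb": 0x000, "UniqueProcessId": 0x080},
    },
    # Older layouts, as modelled here: only _ETHREAD.ThreadsProcess is exposed.
    "legacy": {
        "_ETHREAD": {"Tcb": 0x000, "ThreadsProcess": 0x0E0, "Cid.UniqueProcess": 0x100},
        "_KTHREAD": {},
        "_KPROCESS": {},
        "_EPROCESS": {"Pcb": 0x000, "UniqueProcessId": 0x080},
    },
}


class Memory:
    """Flat little-endian buffer standing in for the kernel layer."""

    def __init__(self, size: int) -> None:
        self.buf = bytearray(size)

    def write_u64(self, addr: int, value: int) -> None:
        struct.pack_into("<Q", self.buf, addr, value)

    def read_u64(self, addr: int) -> int:
        if not 0 <= addr <= len(self.buf) - 8:
            raise ValueError(f"address {addr:#x} is outside the image")
        return struct.unpack_from("<Q", self.buf, addr)[0]


class Struct:
    """Typed view over Memory: (type name, base offset, layout)."""

    def __init__(self, mem: Memory, layout: Layout, type_name: str, offset: int) -> None:
        self.mem, self.layout, self.type_name, self.offset = mem, layout, type_name, offset

    def has_member(self, name: str) -> bool:
        return name in self.layout[self.type_name]

    def member(self, name: str, type_name: str) -> "Struct":
        """Inline sub-structure (e.g. _ETHREAD.Tcb is an embedded _KTHREAD)."""
        return Struct(self.mem, self.layout, type_name, self.offset + self.layout[self.type_name][name])

    def u64(self, name: str) -> int:
        return self.mem.read_u64(self.offset + self.layout[self.type_name][name])

    def cast(self, type_name: str) -> "Struct":
        """Reinterpret the same address as another type."""
        return Struct(self.mem, self.layout, type_name, self.offset)


def owning_process(thread: Struct) -> Struct:
    """Resolve the _EPROCESS owning an _ETHREAD (model of the PR's approach).

    Preferred path: _ETHREAD.Tcb (_KTHREAD) -> Process (_KPROCESS*) -> cast to
    _EPROCESS; valid because Pcb is the first member of _EPROCESS, so the
    _KPROCESS and its _EPROCESS share an address. Fallback: ThreadsProcess.
    """
    tcb = thread.member("Tcb", "_KTHREAD")
    if tcb.has_member("Process"):
        kprocess_addr = tcb.u64("Process")
    elif thread.has_member("ThreadsProcess"):
        kprocess_addr = thread.u64("ThreadsProcess")
    else:
        raise AttributeError("layout offers no path from _ETHREAD to its process")
    if kprocess_addr == 0:
        raise ValueError("null process pointer (exited or unlinked process?)")
    return Struct(thread.mem, thread.layout, "_KPROCESS", kprocess_addr).cast("_EPROCESS")


def owning_pid(thread: Struct) -> Optional[int]:
    """PID of the owning process, or None when the pointer cannot be followed."""
    try:
        return owning_process(thread).u64("UniqueProcessId")
    except (ValueError, AttributeError):
        return None


def thread_pid_consistent(thread: Struct, pslist_pid: int) -> bool:
    """The PR's cross-check: owning_process PID == pslist PID == Cid.UniqueProcess."""
    return owning_pid(thread) == pslist_pid == thread.u64("Cid.UniqueProcess")


def build_image(kind: str, pid: int = 4, process_ptr: Optional[int] = None) -> Struct:
    """Constructed sample image: one _EPROCESS at 0x200 and one _ETHREAD at 0x600."""
    layout, mem, eproc, ethread = LAYOUTS[kind], Memory(0x1000), 0x200, 0x600
    ptr = eproc if process_ptr is None else process_ptr
    mem.write_u64(eproc + layout["_EPROCESS"]["UniqueProcessId"], pid)
    mem.write_u64(ethread + layout["_ETHREAD"]["Cid.UniqueProcess"], pid)
    if "Process" in layout["_KTHREAD"]:
        mem.write_u64(ethread + layout["_ETHREAD"]["Tcb"] + layout["_KTHREAD"]["Process"], ptr)
    else:
        mem.write_u64(ethread + layout["_ETHREAD"]["ThreadsProcess"], ptr)
    return Struct(mem, layout, "_ETHREAD", ethread)


if __name__ == "__main__":
    for kind in LAYOUTS:
        t = build_image(kind)
        print(kind, owning_pid(t), thread_pid_consistent(t, 4))
```

Against a real image the same cross-check is cheap to keep in a plugin: a thread whose resolved owner PID disagrees with its Cid.UniqueProcess, or whose process pointer cannot be dereferenced, is worth reporting rather than silently skipping, since both happen with carved (psscan-style) objects from freed memory.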

Definitely one for @iMHLv2 to look over 5:)

ikelos avatar May 02 '22 15:05 ikelos

> Definitely one for @iMHLv2 to look over 5:)

@ikelos All right, I'm glad to be checked by a professional!

digitalisx avatar May 03 '22 05:05 digitalisx

Hello @iMHLv2, Thank you for taking the time to review. 🙂 I added logic to support various versions of Windows. A good example helped!

digitalisx avatar May 10 '22 03:05 digitalisx

@iMHLv2 The branch is periodically fetched to keep it in a mergeable state. 😃 If time permits, could you review the requested changes? :)

digitalisx avatar Jun 09 '22 15:06 digitalisx

There was a version bump (#777) before this branch was merged, so I resolved the conflict.

digitalisx avatar Jul 04 '22 07:07 digitalisx

While checking the existing submitted PRs, I found that the version to be bumped and the version of the plugin did not match, and corrected it. I also confirmed that the test run against the memory dump of the newly added XP operating system passed. This will be a good basis for the submitted PR to work normally.

digitalisx avatar Jul 21 '22 16:07 digitalisx

Thanks, I'd just like @iMHLv2 to check it out again before we merge it...

ikelos avatar Jul 31 '22 16:07 ikelos

@iMHLv2 Thank you for your interest in this PR despite your busy schedule. 😀

digitalisx avatar Aug 24 '22 15:08 digitalisx

@digitalisx I apologize for the delay and thanks for your patience. @ikelos I'm less familiar with the code base changes (VERSION_PATCH from 0 to 1 and _required_framework_version from 2.0.0 to 2.3.1) but the changes to owning_process() look great and passed my tests.

iMHLv2 avatar Aug 24 '22 15:08 iMHLv2