tking2 / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Add thread state to thrdscan plugin #357

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
I have found it helpful to display the thread's state in the output of the 
thrdscan plugin. The attached patch adds the thread's state value, as a string, 
to the output. 

Before:

Offset(P)     PID    TID Start Address Create Time               Exit Time
---------- ------ ------ ------------- ------------------------- -------------------------
0x3d600030   2060   2644    0x776f64d8 2012-02-16 12:05:56
0x3d600d48   1512   1952    0x776f64d8 2012-02-16 12:05:30
0x3d63ca58   1304   1752    0x776f64d8 2012-02-16 12:05:33
0x3d663030   1512   1780    0x776f64d8 2012-02-16 12:05:33
0x3d69ea88   1532   1160    0x776f64d8 2012-02-16 12:05:37
0x3d6a0388    332   1788    0x776f64d8 2012-02-16 12:05:37       2012-02-16 12:05:40
0x3d6a2140      4   1856    0x82abf28d 2012-02-16 12:05:38

After:

Offset(P)     PID    TID State        Start Address Create Time               Exit Time
---------- ------ ------ ------------ ------------- ------------------------- -------------------------
0x3d600030   2060   2644 Waiting         0x776f64d8 2012-02-16 12:05:56
0x3d600d48   1512   1952 Waiting         0x776f64d8 2012-02-16 12:05:30
0x3d63ca58   1304   1752 Waiting         0x776f64d8 2012-02-16 12:05:33
0x3d663030   1512   1780 Waiting         0x776f64d8 2012-02-16 12:05:33
0x3d69ea88   1532   1160 Waiting         0x776f64d8 2012-02-16 12:05:37
0x3d6a0388    332   1788 Terminated      0x776f64d8 2012-02-16 12:05:37       2012-02-16 12:05:40
0x3d6a2140      4   1856 Ready           0x82abf28d 2012-02-16 12:05:38

Original issue reported on code.google.com by jessekornblum on 6 Nov 2012 at 7:57

GoogleCodeExporter commented 9 years ago
Jesse, 

* The MSDN link you referred to in the patch is from Windows 2000
* Your list of thread states is incomplete 
* Even if you had all the valid states, adding a self.states member to the 
plugin class is the wrong way to do it, as any other plugins wanting to print 
thread state would need to inherit from ThrdScan just to access your lookup 
table
* Lastly, the threads plugin already prints thread state, so you are once again 
re-implementing (incorrectly I might add) something that already exists in the 
framework. 

Sorry....we encourage and appreciate contributions, but they need to be 
technically accurate, robustly designed, and most of all we ask that the 
functionality contributed doesn't already exist, else it's a waste of everyone's 
time. 

Original comment by michael.hale@gmail.com on 6 Nov 2012 at 8:30