Open gleeda opened 6 years ago
so here's an idea. We'll check the profile and use the appropriate structure, and we can also verify that the address of is valid in the case of a NoneObject with a valid pointer:
diff --git a/volatility/plugins/overlays/windows/windows.py b/volatility/plugins/overlays/windows/windows.py
index dd424776..a04f162a 100644
--- a/volatility/plugins/overlays/windows/windows.py
+++ b/volatility/plugins/overlays/windows/windows.py
@@ -408,22 +408,22 @@ class _EPROCESS(obj.CType, ExecutiveObjectMixin):
it. This method ensures this happens automatically.
"""
wow64process = self.Wow64Process
-
- if wow64process.is_valid():
- process_ad = self.get_process_address_space()
- if process_ad:
-
- # starting with windows 10 the Wow64Process member
- # points to an _EWOW64PROCESS with a Peb
+ process_ad = self.get_process_address_space()
+ if process_ad and (wow64process.is_valid() or process_ad.is_valid_address(wow64process.v())):
+ # starting with windows 10 the Wow64Process member
+ # points to an _EWOW64PROCESS with a Peb
+ if process_ad.profile.metadata.get('major', 0) == 6 and process_ad.profile.metadata.get('minor', 0) >= 4:
+ offset = wow64process.v()
+ else:
try:
offset = wow64process.Peb
except AttributeError:
- offset = wow64process
+ offset = wow64process.v()
- peb32 = obj.Object("_PEB32", offset = offset, vm = process_ad, name = "Peb32", parent = self)
+ peb32 = obj.Object("_PEB32", offset = offset, vm = process_ad, name = "Peb32", parent = self)
- if peb32.is_valid():
- return peb32
+ if peb32.is_valid():
+ return peb32
return obj.NoneObject("Peb32 not found")
Gleeda, thanks for reporting. We'll get it into the queue. It may take a couple of days, but we'll update shortly.
I can push the changes. I just wanted to make sure no one had any objections for my line of thinking :-)
Gleeda, I can reproduce and agree the Peb32
method needs refactoring. We're bulk testing a couple variations of your patch. Do you happen to have any Vista SP0-SP1 or 2003 SP1-SP2 systems with Wow64 processes? Those need special handling too, and I think one of these variations should cover it, but I'm not able to confirm ATM.
I should have machines or samples fitting those criteria. Let me check and let me know when you want me to test them
Try that branch out above. The semantics are definitely strange. If you create two objects of different types at the same address, is_valid()
will return False for one but True for the other (i.e. Pointer
vs address
).
You'll see the special handling for the Vista and 2003 profiles (_EWOW64PROCESS
) which is what I'm most curious about, because we've never referenced that struct in plugins before, but of course give a shout if it doesn't work properly on any other profiles as well.
@gleeda Were you able to test on any Vista SP0-SP1 or 2003 SP1-SP2 systems?
Thoroughly tested with exception of Vista SP0-SP1 and 2003 SP1-SP2 (but the old version wouldn't handle those at all, so this new patch is inevitably better, but I can't confirm if its perfect yet).
The reason for this is that the wow64process is a NoneObject pointer to a valid address. For example, I have a 32bit process:
Therefore, we'll have to figure out a better way to check for validity, or figure out why the wow64process is a NoneObject https://github.com/volatilityfoundation/volatility/blob/master/volatility/plugins/overlays/windows/windows.py#L412
Also, this class still has an error, even if we just put "True" in the if statement checking validity:
If i just manually set the offset to
wow64process.v()
for this process, I get what I expect fordlllist
: