volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Add built-in support for pool tag scanning of _EThread structures #956

Closed RuBublik closed 8 months ago

RuBublik commented 1 year ago

While I was writing a plugin for volatility3 for detection of hidden processes (equivalent to volatility2's psxview), I encountered the same problem as was described in the issue "Custom pool scanner not working #874", but have not found more info, or that the issue has been addressed in newer releases of volatility, so I opened an issue.

Is your feature request related to a problem? Please describe.

I discovered that volatility3's pool tag scanning implementation does not quite replicate volatility2's (with the extensive options modscan offered). Specifically, there is no support for pool tag scanning of thread (_EThread) structures in windows.poolscanner.builtin_constraints (unlike volatility2, which implemented the PoolScanThread and ThrdScan classes in modscan.py). _EThread are important structures, and might be used to bounce to other structures, like the owning _EProcess (which might have been hidden in an attempt at defense evasion).

Describe the solution you'd like

I would be happy if support for scanning more kinds of pool-allocated memory structures was added, especially support for scanning for _EThreads via the "Thre" / "Thr\xE5" pool tags, by adding a definition of the _EThread structure to builtin_constraints.

Describe alternatives you've considered

I have tried to add the definition of _EThread structures to builtin_constraints locally in my environment, as described in the issue "Custom pool scanner not working #874", but with varying success, and it's not portable in this form. I'm ready to make a pull request to your repository and collaborate with the project maintainers to implement the solution.

Additional information

Would be happy to know if someone has some info / experience with this issue (:
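As an added illustration (not code from volatility3 or from the issue's author), a minimal pool-tag scanner over a constructed x64 _POOL_HEADER buffer, showing what an _EThread constraint has to handle: the protected-pool variant "Thr\xE5" of the "Thre" tag, a minimum allocation size, and whether freed blocks are reported. PoolType, PoolConstraint, header, thread_candidates, the 0x600 size floor and the sample bytes are assumptions made for this example, not volatility3's real API.

```python
import enum
import struct
from dataclasses import dataclass
from typing import List, Tuple

HEADER_SIZE = 0x10    # x64 _POOL_HEADER: four byte-wide fields, 4-byte PoolTag, 8-byte ProcessBilled
GRANULARITY = 0x10    # x64 pool blocks are 16-byte granular; BlockSize counts these units
PROTECTED_BIT = 0x80  # set on the tag's last byte for protected pool: "Thre" becomes "Thr\xE5"
class PoolType(enum.IntFlag):  # modeled on the flags vol3 constraints use; not imported from vol3
    PAGED = 1
    NONPAGED = 2
    FREE = 4
@dataclass(frozen=True)
class PoolConstraint:  # hypothetical stand-in for vol3's PoolConstraint, not its real signature
    tag: bytes         # 4-byte tag; the protected variant is matched automatically
    type_name: str     # structure expected to start right after the header
    min_size: int      # smallest plausible allocation size in bytes
    page_type: PoolType

def tag_matches(raw: bytes, wanted: bytes) -> bool:
    # ignore the protected bit so one constraint covers both "Thre" and "Thr\xE5"
    return raw[:3] == wanted[:3] and (raw[3] & ~PROTECTED_BIT) == wanted[3]

def pool_scan(mem: bytes, c: PoolConstraint) -> List[Tuple[int, int, bool]]:
    """Return (object_offset, allocation_size, protected) for each header satisfying c."""
    hits = []
    for off in range(0, len(mem) - HEADER_SIZE + 1, GRANULARITY):
        _prev, _idx, block_size, pool_type = struct.unpack_from("<4B", mem, off)
        raw_tag, size = mem[off + 4:off + 8], block_size * GRANULARITY
        # _POOL_HEADER.PoolType: 0 = free block, odd = paged, even non-zero = non-paged
        kind = PoolType.FREE if pool_type == 0 else (PoolType.PAGED if pool_type & 1 else PoolType.NONPAGED)
        if tag_matches(raw_tag, c.tag) and size >= c.min_size and kind & c.page_type:
            hits.append((off + HEADER_SIZE, size, bool(raw_tag[3] & PROTECTED_BIT)))
    return hits

def header(block_size: int, pool_type: int, tag: bytes) -> bytes:
    # constructed x64 _POOL_HEADER with PreviousSize, PoolIndex and ProcessBilled zeroed
    return struct.pack("<4B4s", 0, 0, block_size, pool_type, tag) + b"\x00" * 8

SAMPLE = b"".join(h.ljust(0x40, b"\xcc") for h in [  # constructed memory, one header per 0x40 slot
    header(0x70, 2, b"Thre"),     # live non-paged thread allocation
    header(0x70, 2, b"Thr\xe5"),  # same, but protected pool (tag high bit set)
    header(0x02, 2, b"Thre"),     # tag matches but 0x20 bytes cannot hold an _ETHREAD
    header(0x70, 0, b"Thre"),     # freed block: only reported when FREE is requested
    header(0x70, 2, b"Proc"),     # different object type, ignored
])

def thread_candidates(include_free: bool) -> List[Tuple[int, int, bool]]:
    kinds = PoolType.PAGED | PoolType.NONPAGED | (PoolType.FREE if include_free else PoolType(0))
    return pool_scan(SAMPLE, PoolConstraint(b"Thre", "_ETHREAD", 0x600, kinds))  # 0x600: assumed floor
```

Including FREE is what lets a scanner surface terminated or unlinked objects that a live-list walk (the psxview-style comparison above) would miss.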

ikelos commented 1 year ago

Thanks very much, I'll tag @iMHLv2 who wrote the pool scanner and is our windows chap. :) Feel free to submit a pull request and we'll try to get it reviewed. I can help with coding, but I don't know the intricacies of the structures or anything like that. Please feel free to ask questions here or on #vol3-dev on our slack server (you can join at https://www.volatilityfoundation.org/slack ). :)

RuBublik commented 1 year ago

Thank you very much for your response. I will submit a pull request shortly.

github-actions[bot] commented 10 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 8 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.