Closed RuBublik closed 8 months ago
Thanks very much, I'll tag @iMHLv2 who wrote the pool scanner and is our Windows chap. :) Feel free to submit a pull request and we'll try to get it reviewed. I can help with coding, but I don't know the intricacies of the structures or anything like that. Please feel free to ask questions here or on #vol3-dev on our slack server (you can join at https://www.volatilityfoundation.org/slack ). :)
Thank you very much for your response. I will submit a pull request shortly.
This issue is stale because it has been open for 200 days with no activity.
This issue was closed because it has been inactive for 60 days since being marked as stale.
While I was writing a plugin for volatility3 for detection of hidden processes (equivalent to volatility2's psxview), I encountered the same problem as was described in the issue "Custom pool scanner not working #874", but have not found more info, or that the issue has been addressed in the newer releases of volatility, so I opened an issue.
Is your feature request related to a problem? Please describe.
I discovered that volatility3's pool tag scanning implementation does not quite replicate volatility2's (with the extensive options modscan offered). Specifically, there is no support for pool tag scanning for thread (_EThread) structures in windows.poolscanner.builtin_constraints (as was implemented in volatility2 by the PoolScanThread and ThrdScan classes in modscan.py). _EThread structures are important, and might be used to bounce to other structures, like the owning _EProcess (which might have been hidden in an attempt at defense evasion).
Describe the solution you'd like
I would be happy if support for scanning more kinds of pool-allocated memory structures were added, especially support for scanning for _EThreads via the "Thre" / "Thr\xE5" pool tags by adding a definition of the _EThread structure to builtin_constraints.
Describe alternatives you've considered
I have tried to add the definition of _EThread structures to the builtin_constraints locally in my environment, as described in issue "Custom pool scanner not working #874", but with varied success, and it's not portable in this form. I'm ready to make a pull request to your repository and collaborate with the project maintainers to implement the solution.
Additional information
Would be happy to know if someone has some info / experience with this issue (:
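As an added illustration of the pool-tag scan this issue asks for (example code, not volatility3's own scanner or its PoolConstraint API): a stand-alone model that walks a constructed buffer of x64-style 16-byte pool headers, matches the "Thre" tag with the protected-pool high bit masked so "Thr\xE5" also hits, and rejects chunks below a minimum size. The 0x800 size threshold, the chunk layout and the sample buffer are assumptions for the demonstration.

```python
import struct
from typing import Iterable, List, NamedTuple

POOL_HEADER_SIZE = 16   # x64 _POOL_HEADER: PreviousSize, PoolIndex, BlockSize, PoolType, Tag, ProcessBilled
POOL_BLOCK_UNIT = 16    # BlockSize/PreviousSize are counted in 16-byte units

class PoolConstraint(NamedTuple):
    tag: bytes       # 4-byte pool tag, e.g. b"Thre" for _ETHREAD allocations
    min_size: int    # smallest plausible allocation (assumed value below, not a real _ETHREAD size)
    label: str

class Hit(NamedTuple):
    header_offset: int
    body_offset: int
    block_size: int
    tag: bytes
    label: str

def tag_matches(found: bytes, wanted: bytes) -> bool:
    # Protected allocations set the high bit of the last tag byte
    # (b"Thre" -> b"Thr\xe5"), so compare with that bit masked off.
    return found[:3] == wanted[:3] and (found[3] & 0x7F) == wanted[3]

def scan_pool(buf: bytes, constraints: Iterable[PoolConstraint]) -> List[Hit]:
    hits = []
    # Pool headers are 16-byte aligned, so only aligned tag positions are tested.
    for off in range(0, len(buf) - POOL_HEADER_SIZE + 1, POOL_BLOCK_UNIT):
        _prev, _index, block_size, _pool_type = struct.unpack_from("<BBBB", buf, off)
        tag = buf[off + 4 : off + 8]
        size = block_size * POOL_BLOCK_UNIT
        for c in constraints:
            if tag_matches(tag, c.tag) and size >= c.min_size:
                hits.append(Hit(off, off + POOL_HEADER_SIZE, size, tag, c.label))
    return hits

def make_chunk(tag: bytes, body_len: int, pool_type: int = 0) -> bytes:
    # Builds one constructed pool chunk: header followed by a zeroed body.
    block_size = (POOL_HEADER_SIZE + body_len) // POOL_BLOCK_UNIT
    hdr = struct.pack("<BBBB", 0, 0, block_size, pool_type) + tag + b"\x00" * 8
    return hdr + b"\x00" * body_len

# Constructed sample: a live "Thre" chunk, a protected "Thr\xe5" chunk,
# an unrelated "Proc" chunk, and a "Thre" fragment too small to be a thread.
SAMPLE = (
    make_chunk(b"Thre", 0x900)
    + make_chunk(b"Thr\xe5", 0x900)
    + make_chunk(b"Proc", 0x300)
    + make_chunk(b"Thre", 0x10)
)
THREAD_CONSTRAINT = PoolConstraint(b"Thre", 0x800, "Thread")

def scan_sample() -> List[Hit]:
    return scan_pool(SAMPLE, [THREAD_CONSTRAINT])
```

Only the two large thread chunks are reported; the "Proc" chunk fails the tag test and the small "Thre" fragment fails the size test.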