def check_desktop_thread(self, addr_space): """Enumerate processes from desktop threads""" ret = dict() for windowstation in windowstations.WndScan(self._config).calculate(): for desktop in windowstation.desktops(): for thread in desktop.threads(): process = thread.ppi.Process.dereference() if process == None: continue ret[process.obj_vm.vtop(process.obj_offset)] = process return ret
def calculate(self): seen = [] # Find the atom tables that belong to each window station for wndsta in windowstations.WndScan(self._config).calculate(): offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable) if offset in seen: continue seen.append(offset) # The atom table is dereferenced in the proper # session space atom_table = wndsta.AtomTable if atom_table.is_valid(): yield atom_table, wndsta # Find atom tables not linked to specific window stations. # This finds win32k!UserAtomHandleTable. for table in AtomScan(self._config).calculate(): if table.PhysicalAddress not in seen: yield table, obj.NoneObject("No windowstation")
def calculate(self): kernel_space = utils.load_as(self._config) # Dictionary of MM_SESSION_SPACEs by ID sesses = dict((int(session.SessionId), session) for session in self.session_spaces(kernel_space)) # Dictionary of session USER objects by handle session_handles = {} # If various objects cannot be found or associated, # we'll return none objects e0 = obj.NoneObject("Unknown tagCLIPDATA") e1 = obj.NoneObject("Unknown tagWINDOWSTATION") e2 = obj.NoneObject("Unknown tagCLIP") # Handle type filter filters = [lambda x: str(x.bType) == "TYPE_CLIPDATA"] # Load tagCLIPDATA handles from all sessions for sid, session in sesses.items(): handles = {} shared_info = session.find_shared_info() if not shared_info: debug.debug("No shared info for session {0}".format(sid)) continue for handle in shared_info.handles(filters): handles[int(handle.phead.h)] = handle session_handles[sid] = handles # Each WindowStation for wndsta in windowstations.WndScan(self._config).calculate(): session = sesses.get(int(wndsta.dwSessionId), None) # The session is unknown if not session: continue handles = session_handles.get(int(session.SessionId), None) # No handles in the session if not handles: continue clip_array = wndsta.pClipBase.dereference() # The tagCLIP array is empty or the pointer is invalid if not clip_array: continue # Resolve tagCLIPDATA from tagCLIP.hData for clip in clip_array: handle = handles.get(int(clip.hData), e0) # Remove this handle from the list if handle: handles.pop(int(clip.hData)) yield session, wndsta, clip, handle # Any remaining tagCLIPDATA not matched. This allows us # to still find clipboard data if a window station is not # found or if pClipData or cNumClipFormats were corrupt for sid in sesses.keys(): handles = session_handles.get(sid, None) # No handles in the session if not handles: continue for handle in handles.values(): yield sesses[sid], e1, e2, handle