def check_desktop_thread(self, addr_space):
"""Enumerate processes from desktop threads"""
ret = dict()
for windowstation in windowstations.WndScan(self._config).calculate():
for desktop in windowstation.desktops():
for thread in desktop.threads():
process = thread.ppi.Process.dereference()
if process == None:
continue
ret[process.obj_vm.vtop(process.obj_offset)] = process
return ret
def calculate(self):
seen = []
# Find the atom tables that belong to each window station
for wndsta in windowstations.WndScan(self._config).calculate():
offset = wndsta.obj_native_vm.vtop(wndsta.pGlobalAtomTable)
if offset in seen:
continue
seen.append(offset)
# The atom table is dereferenced in the proper
# session space
atom_table = wndsta.AtomTable
if atom_table.is_valid():
yield atom_table, wndsta
# Find atom tables not linked to specific window stations.
# This finds win32k!UserAtomHandleTable.
for table in AtomScan(self._config).calculate():
if table.PhysicalAddress not in seen:
yield table, obj.NoneObject("No windowstation")
def calculate(self):
kernel_space = utils.load_as(self._config)
# Dictionary of MM_SESSION_SPACEs by ID
sesses = dict((int(session.SessionId), session)
for session in self.session_spaces(kernel_space))
# Dictionary of session USER objects by handle
session_handles = {}
# If various objects cannot be found or associated,
# we'll return none objects
e0 = obj.NoneObject("Unknown tagCLIPDATA")
e1 = obj.NoneObject("Unknown tagWINDOWSTATION")
e2 = obj.NoneObject("Unknown tagCLIP")
# Handle type filter
filters = [lambda x: str(x.bType) == "TYPE_CLIPDATA"]
# Load tagCLIPDATA handles from all sessions
for sid, session in sesses.items():
handles = {}
shared_info = session.find_shared_info()
if not shared_info:
debug.debug("No shared info for session {0}".format(sid))
continue
for handle in shared_info.handles(filters):
handles[int(handle.phead.h)] = handle
session_handles[sid] = handles
# Each WindowStation
for wndsta in windowstations.WndScan(self._config).calculate():
session = sesses.get(int(wndsta.dwSessionId), None)
# The session is unknown
if not session:
continue
handles = session_handles.get(int(session.SessionId), None)
# No handles in the session
if not handles:
continue
clip_array = wndsta.pClipBase.dereference()
# The tagCLIP array is empty or the pointer is invalid
if not clip_array:
continue
# Resolve tagCLIPDATA from tagCLIP.hData
for clip in clip_array:
handle = handles.get(int(clip.hData), e0)
# Remove this handle from the list
if handle:
handles.pop(int(clip.hData))
yield session, wndsta, clip, handle
# Any remaining tagCLIPDATA not matched. This allows us
# to still find clipboard data if a window station is not
# found or if pClipData or cNumClipFormats were corrupt
for sid in sesses.keys():
handles = session_handles.get(sid, None)
# No handles in the session
if not handles:
continue
for handle in handles.values():
yield sesses[sid], e1, e2, handle
