Merge pull request #1739 from volatilityfoundation/fix_thrdscan_checks

Fix checks in thrdscan that broke tests

Author: ikelos

test/plugins/windows/windows.py

@@ -189,9 +189,9 @@ def test_windows_generic_thrdscan(self, volatility, python, image):
             "windows.thrdscan.ThrdScan", image, volatility, python
         )
         assert rc == 0
-        assert out.find(b"\t4\t8") != -1
-        assert out.find(b"\t4\t12") != -1
-        assert out.find(b"\t4\t16") != -1
+        assert out.find(b"\t1812\t2768\t0x7c810856") != -1
+        assert out.find(b"\t840\t2964\t0x7c810856") != -1
+        assert out.find(b"\t2536\t2552\t0x7c810856") != -1
 
 
 class TestWindowsPrivileges:

volatility3/framework/plugins/windows/thrdscan.py

@@ -110,18 +110,18 @@ def gather_thread_info(
             vollog.debug(f"Thread invalid address {ethread.vol.offset:#x}")
             return None
 
-        if vads_cache is not None:
+        # don't look for VADs in kernel threads, just let them get reported with empty paths
+        if (
+            owner_proc_pid != 4
+            and owner_proc.InheritedFromUniqueProcessId != 4
+            and vads_cache is not None
+        ):
             vads = pe_symbols.PESymbols.get_vads_for_process_cache(
                 vads_cache, owner_proc
             )
-            # no vads = terminated/smeared, pid 4 = kernel = don't check VADs
-            if (
-                owner_proc_pid != 4
-                and owner_proc.InheritedFromUniqueProcessId != 4
-                and (not vads or len(vads) < 5)
-            ):
+            if not vads or len(vads) < 5:
                 vollog.debug(
-                    f"No vads for process at {owner_proc.vol.offset:#x}. Skipping thread at {ethread.vol.offset:#x}"
+                    f"Not enough vads for process at {owner_proc.vol.offset:#x}. Skipping thread at {ethread.vol.offset:#x}"
                 )
                 return None