Merge pull request #1675 from volatilityfoundation/fix_list_threads_api

ikelos · web-flow · commit 5a71511577f4 · 2025-03-08T00:38:06.000Z
Update the list_threads API to current standards and update current c…
diff --git a/volatility3/framework/plugins/windows/debugregisters.py b/volatility3/framework/plugins/windows/debugregisters.py
@@ -38,7 +38,7 @@ def get_requirements(cls) -> List:
                 name="pslist", component=pslist.PsList, version=(3, 0, 0)
             ),
             requirements.VersionRequirement(
-                name="threads", component=threads.Threads, version=(2, 0, 0)
+                name="threads", component=threads.Threads, version=(3, 0, 0)
             ),
             requirements.VersionRequirement(
                 name="pe_symbols", component=pe_symbols.PESymbols, version=(2, 0, 0)
@@ -111,8 +111,6 @@ def _generator(
         None,
         None,
     ]:
-        kernel = self.context.modules[self.config["kernel"]]
-
         vads_cache: Dict[int, pe_symbols.ranges_type] = {}
 
         proc_modules = None
@@ -122,7 +120,9 @@ def _generator(
         )
 
         for proc in procs:
-            for thread in threads.Threads.list_threads(kernel, proc):
+            for thread in threads.Threads.list_threads(
+                self.context, self.config["kernel"], proc
+            ):
                 debug_info = self._get_debug_info(thread)
                 if not debug_info:
                     continue
diff --git a/volatility3/framework/plugins/windows/suspended_threads.py b/volatility3/framework/plugins/windows/suspended_threads.py
@@ -36,7 +36,7 @@ def get_requirements(cls):
                 name="pe_symbols", component=pe_symbols.PESymbols, version=(2, 0, 0)
             ),
             requirements.VersionRequirement(
-                name="threads", component=threads.Threads, version=(2, 0, 0)
+                name="threads", component=threads.Threads, version=(3, 0, 0)
             ),
         ]
 
@@ -54,8 +54,6 @@ def _generator(self):
 
         https://www.volexity.com/wp-content/uploads/2024/08/Defcon24_EDR_Evasion_Detection_White-Paper_Andrew-Case.pdf
         """
-        kernel = self.context.modules[self.config["kernel"]]
-
         vads_cache: Dict[int, pe_symbols.PESymbols.ranges_type] = {}
 
         proc_modules = None
@@ -64,7 +62,9 @@ def _generator(self):
         for proc in pslist.PsList.list_processes(
             context=self.context, kernel_module_name=self.config["kernel"]
         ):
-            for thread in threads.Threads.list_threads(kernel, proc):
+            for thread in threads.Threads.list_threads(
+                self.context, self.config["kernel"], proc
+            ):
                 try:
                     # we only care if the thread is suspended
                     if thread.Tcb.SuspendCount == 0:
diff --git a/volatility3/framework/plugins/windows/suspicious_threads.py b/volatility3/framework/plugins/windows/suspicious_threads.py
@@ -41,7 +41,7 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
                 name="pslist", component=pslist.PsList, version=(3, 0, 0)
             ),
             requirements.VersionRequirement(
-                name="threads", component=threads.Threads, version=(2, 0, 0)
+                name="threads", component=threads.Threads, version=(3, 0, 0)
             ),
             requirements.VersionRequirement(
                 name="vadinfo", component=vadinfo.VadInfo, version=(2, 0, 0)
@@ -169,7 +169,9 @@ def _generator(self):
             # there is no benefit to checking the same address more than once per process
             checked = set()
 
-            for thread in threads.Threads.list_threads(kernel, proc):
+            for thread in threads.Threads.list_threads(
+                self.context, self.config["kernel"], proc
+            ):
                 # do not process if a thread is exited or terminated (4 = Terminated)
                 if thread.ExitTime.QuadPart > 0 or thread.Tcb.State == 4:
                     continue
diff --git a/volatility3/framework/plugins/windows/threads.py b/volatility3/framework/plugins/windows/threads.py
@@ -16,7 +16,7 @@ class Threads(thrdscan.ThrdScan):
     """Lists process threads"""
 
     _required_framework_version = (2, 4, 0)
-    _version = (2, 0, 0)
+    _version = (3, 0, 0)
 
     def __init__(self, *args, **kwargs):
         super().__init__(*args, **kwargs)
@@ -38,7 +38,10 @@ def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]
 
     @classmethod
     def list_threads(
-        cls, kernel, proc: interfaces.objects.ObjectInterface
+        cls,
+        context: interfaces.context.ContextInterface,
+        kernel_module_name: str,
+        proc: interfaces.objects.ObjectInterface,
     ) -> Generator[interfaces.objects.ObjectInterface, None, None]:
         """Lists the Threads of a specific process.
 
@@ -48,6 +51,8 @@ def list_threads(
         Returns:
             A list of threads based on the process and filtered based on the filter function
         """
+        kernel = context.modules[kernel_module_name]
+
         seen = set()
         for thread in proc.ThreadListHead.to_list(
             f"{kernel.symbol_table_name}{constants.BANG}_ETHREAD", "ThreadListEntry"
@@ -64,13 +69,11 @@ def list_process_threads(
         kernel_module_name: str,
     ) -> Iterable[interfaces.objects.ObjectInterface]:
         """Runs through all processes and lists threads for each process"""
-        module = context.modules[kernel_module_name]
-
         filter_func = pslist.PsList.create_pid_filter(context.config.get("pid", None))
 
         for proc in pslist.PsList.list_processes(
             context=context,
             kernel_module_name=kernel_module_name,
             filter_func=filter_func,
         ):
-            yield from cls.list_threads(module, proc)
+            yield from cls.list_threads(context, kernel_module_name, proc)
