Windows Thrdscan: Fix thread filtering + tracebacks

dgmcdona · dgmcdona · commit aba3b04e8da6 · 2025-04-08T17:17:40.000-05:00
Tracebacks were occurring across a number of samples when running the
threads/threadscan plugins due to uncaught `InvalidAddressExceptions`.
Further investigations led to the discovery of some incorrect thread
filtering that was missing valid threads.
diff --git a/volatility3/framework/constants/windows/__init__.py b/volatility3/framework/constants/windows/__init__.py
@@ -28,3 +28,5 @@
 
 # CR3 register within structures describing initial processor state to be started
 PROCESSOR_START_BLOCK_CR3_OFFSET = 0xA0  # PROCESSOR_START_BLOCK->ProcessorState->SpecialRegisters->Cr3, ULONG64 8 bytes
+
+MAX_PID = 0xFFFFFFFC
diff --git a/volatility3/framework/plugins/windows/thrdscan.py b/volatility3/framework/plugins/windows/thrdscan.py
@@ -7,6 +7,7 @@
 
 from volatility3.framework import exceptions, interfaces, objects, renderers
 from volatility3.framework.configuration import requirements
+from volatility3.framework.constants import windows as windows_constants
 from volatility3.framework.renderers import format_hints
 from volatility3.framework.symbols.windows import extensions as win_extensions
 from volatility3.plugins import timeliner
@@ -112,10 +113,19 @@ def gather_thread_info(
             vollog.debug(f"Thread invalid address {ethread.vol.offset:#x}")
             return None
 
-        # don't look for VADs in kernel threads, just let them get reported with empty paths
+        # Filter junk PIDs
         if (
-            owner_proc_pid != 4
-            and owner_proc.InheritedFromUniqueProcessId != 4
+            ethread.Cid.UniqueProcess > windows_constants.MAX_PID
+            or ethread.Cid.UniqueProcess == 0
+            or ethread.Cid.UniqueProcess % 4 != 0
+        ):
+            return None
+
+        # Get VAD mappings for valid non-system (PID 4) processes
+        if (
+            owner_proc
+            and owner_proc.is_valid()
+            and owner_proc.UniqueProcessId != 4
             and vads_cache is not None
         ):
             vads = pe_symbols.PESymbols.get_vads_for_process_cache(
diff --git a/volatility3/framework/symbols/windows/extensions/__init__.py b/volatility3/framework/symbols/windows/extensions/__init__.py
@@ -709,7 +709,11 @@ def is_valid(self) -> bool:
                         return False
 
             # NT pids are divisible by 4
-            if self.UniqueProcessId % 4 != 0:
+            if (
+                self.UniqueProcessId % 4 != 0
+                or self.UniqueProcessId == 0
+                or self.UniqueProcessId > constants.windows.MAX_PID
+            ):
                 return False
 
             # check for all 0s besides the PCID entries
