|
| 1 | +# This file is Copyright 2024 Volatility Foundation and licensed under the Volatility Software License 1.0 |
| 2 | +# which is available at https://www.volatilityfoundation.org/license/vsl-v1.0 |
| 3 | +# |
| 4 | + |
| 5 | +import logging |
| 6 | +from typing import List, Generator |
| 7 | + |
| 8 | +from volatility3.framework import interfaces, symbols |
| 9 | +from volatility3.framework.configuration import requirements |
| 10 | +from volatility3.plugins.windows import thrdscan, ssdt |
| 11 | + |
| 12 | +vollog = logging.getLogger(__name__) |
| 13 | + |
| 14 | + |
| 15 | +class Threads(thrdscan.ThrdScan): |
| 16 | + """Lists process threads""" |
| 17 | + |
| 18 | + _required_framework_version = (2, 4, 0) |
| 19 | + _version = (1, 0, 0) |
| 20 | + |
| 21 | + def __init__(self, *args, **kwargs): |
| 22 | + super().__init__(*args, **kwargs) |
| 23 | + self.implementation = self.list_orphan_kernel_threads |
| 24 | + |
| 25 | + @classmethod |
| 26 | + def get_requirements(cls) -> List[interfaces.configuration.RequirementInterface]: |
| 27 | + # Since we're calling the plugin, make sure we have the plugin's requirements |
| 28 | + return [ |
| 29 | + requirements.ModuleRequirement( |
| 30 | + name="kernel", |
| 31 | + description="Windows kernel", |
| 32 | + architectures=["Intel32", "Intel64"], |
| 33 | + ), |
| 34 | + requirements.PluginRequirement( |
| 35 | + name="thrdscan", plugin=thrdscan.ThrdScan, version=(1, 1, 0) |
| 36 | + ), |
| 37 | + requirements.PluginRequirement( |
| 38 | + name="ssdt", plugin=ssdt.SSDT, version=(1, 0, 0) |
| 39 | + ), |
| 40 | + ] |
| 41 | + |
| 42 | + @classmethod |
| 43 | + def list_orphan_kernel_threads( |
| 44 | + cls, |
| 45 | + context: interfaces.context.ContextInterface, |
| 46 | + module_name: str, |
| 47 | + ) -> Generator[interfaces.objects.ObjectInterface, None, None]: |
| 48 | + """Yields thread objects of kernel threads that do not map to a module |
| 49 | +
|
| 50 | + Args: |
| 51 | + cls |
| 52 | + context: the context to operate upon |
| 53 | + module_name: name of the module to use for scanning |
| 54 | + Returns: |
| 55 | + A generator of thread objects of orphaned threads |
| 56 | + """ |
| 57 | + module = context.modules[module_name] |
| 58 | + layer_name = module.layer_name |
| 59 | + symbol_table = module.symbol_table_name |
| 60 | + |
| 61 | + collection = ssdt.SSDT.build_module_collection( |
| 62 | + context, layer_name, symbol_table |
| 63 | + ) |
| 64 | + |
| 65 | + # FIXME - use a proper constant once established |
| 66 | + # used to filter out smeared pointers |
| 67 | + if symbols.symbol_table_is_64bit(context, symbol_table): |
| 68 | + kernel_start = 0xFFFFF80000000000 |
| 69 | + else: |
| 70 | + kernel_start = 0x80000000 |
| 71 | + |
| 72 | + for thread in thrdscan.ThrdScan.scan_threads(context, module_name): |
| 73 | + # we don't want smeared or terminated threads |
| 74 | + try: |
| 75 | + proc = thread.owning_process() |
| 76 | + except AttributeError: |
| 77 | + continue |
| 78 | + |
| 79 | + # we only care about kernel threads, 4 = System |
| 80 | + # previous methods for determining if a thread was a kernel thread |
| 81 | + # such as bit fields and flags are not stable in Win10+ |
| 82 | + # so we check if the thread is from the kernel itself or one its child |
| 83 | + # kernel processes (MemCompression, Regsitry, ...) |
| 84 | + if proc.UniqueProcessId != 4 and proc.InheritedFromUniqueProcessId != 4: |
| 85 | + continue |
| 86 | + |
| 87 | + if thread.StartAddress < kernel_start: |
| 88 | + continue |
| 89 | + |
| 90 | + module_symbols = list( |
| 91 | + collection.get_module_symbols_by_absolute_location(thread.StartAddress) |
| 92 | + ) |
| 93 | + |
| 94 | + # alert on threads that do not map to a module |
| 95 | + if not module_symbols: |
| 96 | + yield thread |
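Review bot: The smear filter `if thread.StartAddress < kernel_start: continue` risks dropping the very threads this plugin exists to report on x64: `kernel_start = 0xFFFFF80000000000` is the region where kernel images are normally loaded, but as far as I know executable pool allocations (where a rootkit's `PsCreateSystemThread` start routine would live) can sit anywhere in the canonical upper half, often below that value, so such a thread is silently skipped instead of reaching the module-membership check and being yielded as an orphan. The 32-bit value `0x80000000` is the real user/kernel split and does not share this problem. Consider using the x64 split instead, `kernel_start = 0xFFFF800000000000`, and letting `get_module_symbols_by_absolute_location` do the classification; the `FIXME` already flags the constant as provisional. A comment such as `# must be the user/kernel boundary, not the image-load range, or orphan threads started in pool are filtered out` would keep a later "tightening" from reintroducing the false negative. Separately, `Regsitry` in the comment above the PID-4 check should read `Registry`.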