Fix checks in thrdscan that broke tests

atcuno · atcuno · commit e52aea886ee4 · 2025-03-26T00:41:26.000Z
diff --git a/volatility3/framework/plugins/windows/thrdscan.py b/volatility3/framework/plugins/windows/thrdscan.py
@@ -110,18 +110,19 @@ def gather_thread_info(
             vollog.debug(f"Thread invalid address {ethread.vol.offset:#x}")
             return None
 
+        if owner_proc_pid == 4 or owner_proc.InheritedFromUniqueProcessId == 4:
+            vollog.debug(
+                f"Skipping kernel process with pid {owner_proc.InheritedFromUniqueProcessId}"
+            )
+            return None
+
         if vads_cache is not None:
             vads = pe_symbols.PESymbols.get_vads_for_process_cache(
                 vads_cache, owner_proc
             )
-            # no vads = terminated/smeared, pid 4 = kernel = don't check VADs
-            if (
-                owner_proc_pid != 4
-                and owner_proc.InheritedFromUniqueProcessId != 4
-                and (not vads or len(vads) < 5)
-            ):
+            if not vads or len(vads) < 5:
                 vollog.debug(
-                    f"No vads for process at {owner_proc.vol.offset:#x}. Skipping thread at {ethread.vol.offset:#x}"
+                    f"Not enough vads for process at {owner_proc.vol.offset:#x}. Skipping thread at {ethread.vol.offset:#x}"
                 )
                 return None
 
