[go: up one dir, main page]

Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Windows psscan issue 591 - Fix offsets when --physical is used #1215

Open
wants to merge 5 commits into
base: develop
Choose a base branch
from

Conversation

eve-mem
Copy link
Contributor
@eve-mem eve-mem commented Jul 25, 2024

Hello 👋

This PR aims to resolve issue where @garanews found an issue with windows psscan when using the --physical flag.

The main issue is covered in my comment here: #591 (comment)

It looks like that the windows poolscanner will in some cases (I think modern windows version) scan a 'virtual' layer rather than a 'physical' one. That means when that the objects that get made are created on this virtual layer. However when the scanning happens on a 'physical' the object is built on that physical layer, with it's native layer being correctly set to the virtual one.

It means if we read out pointers etc from the object the native layer being set correct means we get the right answer.

However it means that object.vol.offset is a reference to the physical layer - and that's why @garanews was having this issue.

I would recommend reading the comments on the issue (#591) as @ikelos raised some other good points on other ways to resolve this problem. It may be that this approach is not the best.

Thanks!
🦊

if self.config["physical"]:
# the display should be physical addresses, so proc cannot be used. The
# mappings are needed to find where it would be physically.
offset = (_, _, offset, _, _) = list(

Check warning

Code scanning / CodeQL

Variable defined multiple times Warning

This assignment to 'offset' is unnecessary as it is
redefined
before this value is used.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants