Windows: Allow windows.dlllist to report back DLLs from wow64 processes #1572
Conversation
hsarkey
force-pushed
the
hsarkey/wow64-dlllist
branch
from
f332a9e to
be26247
Compare
… back DLLs from wow64 processes.
hsarkey
force-pushed
the
hsarkey/wow64-dlllist
branch
from
be26247 to
af9bd53
Compare
There was a problem hiding this comment.
Thanks, this is really nice! I like the way you've handled dealing with both type of pebs irrespective of which what it actually is and you've handled all the corner cases I can think of, good work! Also, awesome comments, just what was needed when it was needed! 5:D
Just a couple of little points, I think it's probably better to check if the pointer's right, than check if it's specifically an unsigned long and then cast it. Really good though, thanks!
| """Constructs a PEB32 object""" | ||
| if constants.BANG not in self.vol.type_name: | ||
| raise ValueError( | ||
| f"Invalid symbol table name syntax (no {constants.BANG} found)" |
There was a problem hiding this comment.
I can't recall if this is strictly true. I suspect it's true but I think it's possible you could ask the symbol table directly for this type, and it wouldn't necessarily include the table name. Were you running into errors or is this just defensive coding?
| if self.get_is_wow64(): | ||
| proc = self.get_wow_64_process() | ||
| else: | ||
| return None |
There was a problem hiding this comment.
This means the function signature needs to be Optional[interfaces.objects.ObjectInterface].
| for peb in pebs: | ||
| if peb: | ||
| sym_table = self.get_symbol_table_name() | ||
| if peb.Ldr.vol.type_name.endswith("unsigned long"): |
There was a problem hiding this comment.
Hard coding specific types in may be troublesome in the future. There was an instance in the linux world where the pointers when from unsigned long to long unsigned int because of a change in Clang. This also just verifies the end, rather than everything after the constants.BANG so you might catch unwanted/unexpected types. Probably better to do something like constants.BANG.split(...vol.type_name)[-1] == 'unsigned long' although that would need testing to make sure it works properly in all instances.
There was a problem hiding this comment.
Would there be a big problem in just always casting the value, regardless of whether it's already the right type, or just verify it's a point to the right subtype and otherwise cast it?
| f"{self.get_symbol_table_name()}{constants.BANG}_LDR_DATA_TABLE_ENTRY", | ||
| "InMemoryOrderLinks", | ||
| ) | ||
| pebs = [ |
There was a problem hiding this comment.
This feels like duplicating quite a big more code than the previous version. It might be worth pulling out the pointer check on these into a separate little private subfunction?
Updates to allow windows.dlllist to report back DLLs from wow64 processes. Created a new get_peb32() function and created a new symbol table (framework/symbols/windows/wow64.json).