Windows GUI Plugins

atoms


Print session and window station atom tables.

From: http://msdn.microsoft.com/en-us/library/windows/desktop/ms649053.aspx

An atom table is a system-defined table that stores strings and corresponding identifiers. An application places a string in an atom table and receives a 16-bit integer, called an atom, that can be used to access the string. A string that has been placed in an atom table is called an atom name.

The global atom table is available to all applications. When an application places a string in the global atom table, the system generates an atom that is unique throughout the system. Any application that has the atom can obtain the string it identifies by querying the global atom table.

(The global atom tables are only global within each session).

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

Using this plugin you can find registered window messages (RegisterWindowMessage returns an atom), window class names, and DLL paths that were entered into the table when a module was registered as a window hook, which is how injected hook DLLs tend to show up here.

Sample output:

  Offset(P)    Session    WindowStation           Atom      RefCount   HIndex     Pinned     Name
-------------- ---------- ------------------ -------------- ---------- ---------- ---------- ----
0xf8a002871020 0          WinSta0                    0xc001 1          1          True       StdExit
0xf8a002871020 0          WinSta0                    0xc002 1          2          True       StdNewDocument
0xf8a002871020 0          WinSta0                    0xc003 1          3          True       StdOpenDocument
0xf8a002871020 0          WinSta0                    0xc004 1          4          True       StdEditDocument
0xf8a002871020 0          WinSta0                    0xc005 1          5          True       StdNewfromTemplate
0xf8a002871020 0          WinSta0                    0xc006 1          6          True       StdCloseDocument
0xf8a002871020 0          WinSta0                    0xc007 1          7          True       StdShowItem
0xf8a002871020 0          WinSta0                    0xc008 1          8          True       StdDoVerbItem
0xf8a002871020 0          WinSta0                    0xc009 1          9          True       System
0xf8a002871020 0          WinSta0                    0xc00a 1          10         True       OLEsystem
0xf8a002871020 0          WinSta0                    0xc00b 1          11         True       StdDocumentName
0xf8a002871020 0          WinSta0                    0xc00c 1          12         True       Protocols
0xf8a002871020 0          WinSta0                    0xc00d 1          13         True       Topics
0xf8a002871020 0          WinSta0                    0xc00e 1          14         True       Formats
0xf8a002871020 0          WinSta0                    0xc00f 1          15         True       Status
0xf8a002871020 0          WinSta0                    0xc010 1          16         True       EditEnvItems
0xf8a002811020 0          ------------------         0xc045 2          69         False      MSUIM.Msg.LBUpdate
0xf8a002811020 0          ------------------         0xc046 2          70         False      MSUIM.Msg.MuiMgrDirtyUpdate
0xf8a002811020 0          ------------------         0xc047 1          71         False      C:\Windows\system32\wls0wndh.dll
0xf8a002811020 0          ------------------         0xc048 27         72         False      {FB8F0821-0164-101B-84ED-08002B2EC713}
0xf8a002811020 0          ------------------         0xc049 2          73         False      MMDEVAPI
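A small triage helper for the table above, added here as an example and not part of Rekall: it parses the fixed-width rows the plugin prints, checks that each atom value agrees with the HIndex column (string atoms occupy table slot atom minus 0xC000, so 0xc047 sits at index 71), and pulls out the names that look like DLL paths or CLSIDs. The sample rows embedded in the script are constructed from the output shown above, not taken from a real capture; the column layout it expects is the one printed above.

```python
"""Triage helper for `atoms` plugin output (added example, not Rekall code)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# String atoms live in 0xC000..0xFFFF; values below MAXINTATOM are integer
# atoms (MAKEINTATOM) and are never stored in a table.
MAXINTATOM = 0xC000

# Constructed sample modelled on the plugin output above (not a real capture).
SAMPLE = """\
  Offset(P)    Session    WindowStation           Atom      RefCount   HIndex     Pinned     Name
-------------- ---------- ------------------ -------------- ---------- ---------- ---------- ----
0xf8a002871020 0          WinSta0                    0xc001 1          1          True       StdExit
0xf8a002811020 0          ------------------         0xc047 1          71         False      C:\\Windows\\system32\\wls0wndh.dll
0xf8a002811020 0          ------------------         0xc048 27         72         False      {FB8F0821-0164-101B-84ED-08002B2EC713}
0xf8a002811020 0          ------------------         0xc049 2          73         False      MMDEVAPI
"""

ROW_RE = re.compile(
    r"^(?P<offset>0x[0-9a-f]+)\s+(?P<session>\d+)\s+(?P<winsta>\S+)\s+"
    r"(?P<atom>0x[0-9a-f]+)\s+(?P<refcount>\d+)\s+(?P<hindex>\d+)\s+"
    r"(?P<pinned>True|False)\s+(?P<name>.*?)\s*$"
)
DLL_PATH_RE = re.compile(r"^[A-Za-z]:\\.+\.dll$", re.IGNORECASE)
CLSID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")


@dataclass
class AtomEntry:
    offset: int
    session: int
    window_station: Optional[str]  # None when the plugin prints dashes (session-wide table)
    atom: int
    refcount: int
    hindex: int
    pinned: bool
    name: str


def atom_to_hindex(atom: int) -> int:
    """Table slot of a string atom: the atom value minus MAXINTATOM."""
    if atom < MAXINTATOM:
        raise ValueError(f"{atom:#x} is an integer atom, not a table entry")
    return atom - MAXINTATOM


def parse_atoms(text: str) -> List[AtomEntry]:
    """Parse the fixed-width table; header, separator and blank lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = ROW_RE.match(line)
        if not m:
            continue
        winsta = m["winsta"]
        entries.append(AtomEntry(
            offset=int(m["offset"], 16),
            session=int(m["session"]),
            window_station=None if set(winsta) == {"-"} else winsta,
            atom=int(m["atom"], 16),
            refcount=int(m["refcount"]),
            hindex=int(m["hindex"]),
            pinned=m["pinned"] == "True",
            name=m["name"],
        ))
    return entries


def classify(name: str) -> str:
    """Coarse label for an atom name: dll_path, clsid or plain string."""
    if DLL_PATH_RE.match(name):
        return "dll_path"
    if CLSID_RE.match(name):
        return "clsid"
    return "string"


def check_consistency(entries: List[AtomEntry]) -> List[AtomEntry]:
    """Entries whose HIndex disagrees with the atom value; an intact table never has any."""
    return [e for e in entries if atom_to_hindex(e.atom) != e.hindex]


def dll_atoms(entries: List[AtomEntry]) -> List[AtomEntry]:
    """Atoms naming a DLL path, to cross-check against the hook plugins and module lists."""
    return [e for e in entries if classify(e.name) == "dll_path"]


if __name__ == "__main__":
    parsed = parse_atoms(SAMPLE)
    for e in dll_atoms(parsed):
        scope = e.window_station or "session"
        print(f"session {e.session} [{scope}] atom {e.atom:#x} refs={e.refcount}: {e.name}")
```

Run it over a saved `atoms` dump to get the DLL-path atoms with their reference counts; a path with a low RefCount in the session-wide table (dashes in the WindowStation column) is the usual starting point for checking the hook plugins and the process module lists for the same file.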

atomscan


Pool scanner for _RTL_ATOM_TABLE. Because it scans pool memory rather than walking the session and window station lists, it can also return tables that are no longer linked (for example from terminated sessions); cross-check its hits against the output of atoms.

Plugin Arguments

eprocess

Kernel addresses of eprocess structs. (type: ArrayIntParser)

  • Default:

limit

The length of data to search in each selected region. (type: IntParser)

  • Default: 18446744073709551616

method

Method to list processes. (type: ChoiceArray)

  • Valid Choices:

    • PsActiveProcessHead
    • CSRSS
    • PspCidTable
    • Sessions
    • Handles
  • Default: PsActiveProcessHead, CSRSS, PspCidTable, Sessions, Handles

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

scan_kernel

Scan the entire kernel address space. (type: Boolean)

  • Default: False

scan_kernel_code

Scan the kernel image and loaded drivers. (type: Boolean)

  • Default: False

scan_kernel_nonpaged_pool

Scan the kernel non-paged pool. (type: Boolean)

  • Default: False

scan_kernel_paged_pool

Scan the kernel paged pool. (type: Boolean)

  • Default: False

scan_kernel_session_pools

Scan session pools for all processes. (type: Boolean)

  • Default: False

scan_physical

Scan the physical address space only. (type: Boolean)

  • Default: False

scan_process_memory

Scan all of process memory. Uses process selectors to narrow down selections. (type: Boolean)

  • Default: False

sort_by

Sort by [offset | atom | refcount] (type: String)

  • Valid Choices:

    • atom
    • refcount
    • offset
  • Default: offset

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

desktops


Print information on each desktop.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

eventhooks


Print details on windows event hooks

Plugin Arguments

eprocess

Kernel addresses of eprocess structs. (type: ArrayIntParser)

  • Default:

method

Method to list processes. (type: ChoiceArray)

  • Valid Choices:

    • PsActiveProcessHead
    • CSRSS
    • PspCidTable
    • Sessions
    • Handles
  • Default: PsActiveProcessHead, CSRSS, PspCidTable, Sessions, Handles

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

gahti


Dump the USER handle type information.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

messagehooks


List desktop and thread window message hooks.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

sessions


List details on _MM_SESSION_SPACE (user logon sessions).

Windows uses sessions to separate processes belonging to different logons: each session has its own session space, so the processes of one session do not share that kernel-mode region with those of another.

Note that this plugin traverses the ProcessList member of the session object to list the processes; this is yet another list that _EPROCESS objects are linked on, which is why Sessions also appears as one of the process-listing methods of the other plugins.

Plugin Arguments

eprocess

Kernel addresses of eprocess structs. (type: ArrayIntParser)

  • Default:

method

Method to list processes. (type: ChoiceArray)

  • Valid Choices:

    • PsActiveProcessHead
    • CSRSS
    • PspCidTable
    • Sessions
    • Handles
  • Default: PsActiveProcessHead, CSRSS, PspCidTable, Sessions, Handles

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

userhandles


Dump the USER handle tables

Plugin Arguments

eprocess

Kernel addresses of eprocess structs. (type: ArrayIntParser)

  • Default:

free

Also include free handles. (type: Boolean)

method

Method to list processes. (type: ChoiceArray)

  • Valid Choices:

    • PsActiveProcessHead
    • CSRSS
    • PspCidTable
    • Sessions
    • Handles
  • Default: PsActiveProcessHead, CSRSS, PspCidTable, Sessions, Handles

pids

One or more pids of processes to select. (type: ArrayIntParser)

  • Default:

proc_regex

A regex to select a process by name. (type: RegEx)

type

Filter handle type by this Regular Expression. (type: RegEx)

  • Default: .

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.

windows_stations


Displays all the window stations by following the window station lists.

Plugin Arguments

verbosity

An integer reflecting the amount of desired output: 0 = quiet, 10 = noisy. (type: IntParser)

  • Default: 1

win32k_profile

Force this profile to be used for Win32k.