Add delete on close detection to process ghosting. Update plugin to c… #1731
Conversation
…urrent coding flow
| ("DeletePending", str), | ||
| ("DeletePending", int), | ||
| ("DeleteOnClose", int), | ||
| ("Base", format_hints.Hex), |
There was a problem hiding this comment.
Is this the ordering we want? Feels like Base should be earlier (next to Process maybe?) Entirely your call, just looks weird after two small int values?
There was a problem hiding this comment.
I will change it to be more like the other plugins.
There was a problem hiding this comment.
Done in latest commit.
|
|
||
| if isinstance(delete_pending, int) and delete_pending not in [0, 1]: | ||
| if delete_pending and delete_pending == 1: |
There was a problem hiding this comment.
This seems like a different check and wouldn't it be accomplished be just delete_pending == 1 that's kind of a more specific version of delete_pending?
There was a problem hiding this comment.
Yes will just do the == check.
There was a problem hiding this comment.
addressed in latest commit.
| ) | ||
| if not has_imagefilepointer: | ||
| vollog.warning( | ||
| "ImageFilePointer checks are only supported on Windows 10 builds when the ImageFilePointer member of _EPROCESS is present" |
There was a problem hiding this comment.
Is this specific to windows 10, or does it apply to 7 or 11? Seems strange to be saying windows 10 specifically here? Can this error never happen on a different version of windows?
There was a problem hiding this comment.
Nice catch. Should be "10+" like other plugins.
There was a problem hiding this comment.
addressed in latest commit.
|
ok @ikelos check my new comments and commits |
…urrent coding flow
@ikelos This adds the Delete On Close detection plus updates all of the plugin to our current coding standards.