Comments (13)
Ok, this was another instance of an array being instantiated directly rather
than through the Object factory function. This should be fixed in r386;
however, it will still not produce any output for Windows 7, because these
plugins rely on fixed offsets within the tcpip.sys module, which need updating
to Windows 7 (and moving into the profile).
Original comment by [email protected]
on 18 Aug 2010 at 10:34
- Changed title: win32/network functions rely on hardcoded offsets into tcpip.sys - need updating and moving to profiles
- Changed state: Accepted
from volatility.
Issue 7 has been merged into this issue.
Original comment by [email protected]
on 18 Aug 2010 at 10:35
from volatility.
Original comment by [email protected]
on 18 Aug 2010 at 10:46
from volatility.
Ok, the fix I checked in didn't help. It looks like arrays really shouldn't
instantiate their first object in case it's invalid, but the array itself isn't.
I've asked for scudette's advice on how best to handle this...
Original comment by [email protected]
on 18 Aug 2010 at 11:34
from volatility.
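As an added illustration of the point made in the comment above (this is not Volatility's code; the AddressSpace, U32, EagerArray and LazyArray names are this example's own simplified model): an array that instantiates element 0 inside its constructor fails as a whole when that one address is unreadable, while an array that instantiates elements on access still yields the readable ones.

```python
# Simplified model (not Volatility's own classes) of the bug in the comment
# above: building element 0 while the array itself is being constructed turns
# one unreadable element into a failure of the whole, otherwise valid, array.

class AddressSpace:
    """Toy address space: a dict of readable 4-byte slots (constructed sample)."""
    def __init__(self, slots):
        self.slots = slots
    def read_u32(self, offset):
        if offset not in self.slots:
            raise ValueError("invalid address 0x%x" % offset)
        return self.slots[offset]

class U32:
    """A readable element; construction reads the value, so it can fail."""
    def __init__(self, vm, offset):
        self.v = vm.read_u32(offset)

INVALID = None   # sentinel for an element whose memory could not be read

class EagerArray:
    """Buggy form: building element 0 in __init__ propagates its failure."""
    def __init__(self, vm, offset, count):
        self.vm, self.offset, self.count = vm, offset, count
        self.first = U32(vm, offset)   # raises if slot 0 is unreadable

class LazyArray:
    """Fixed form: elements are built on access; an unreadable one yields INVALID."""
    def __init__(self, vm, offset, count):
        self.vm, self.offset, self.count = vm, offset, count
    def __getitem__(self, i):
        if not 0 <= i < self.count:
            raise IndexError(i)
        try:
            return U32(self.vm, self.offset + 4 * i)
        except ValueError:
            return INVALID

def valid_values(vm, offset, count):
    """Values of readable elements; does not fail just because element 0 is bad."""
    arr = LazyArray(vm, offset, count)
    return [arr[i].v for i in range(count) if arr[i] is not INVALID]

def eager_fails(vm, offset, count):
    """True when the eager array cannot even be constructed."""
    try:
        EagerArray(vm, offset, count)
        return False
    except ValueError:
        return True

# Constructed sample: slot 0 at 0x1000 is unmapped, the next two are readable.
VM = AddressSpace({0x1004: 7, 0x1008: 9})
```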
Issue 16 has been merged into this issue.
Original comment by [email protected]
on 26 Aug 2010 at 11:18
from volatility.
Right, not sure what comment 4 was about, but just to make it clear, this needs
someone to track down the offsets in all the different versions of tcpip.sys.
Once that's done, I can help turn it into a VolatilityMagic object that'll be
called for the specific profiles...
Original comment by [email protected]
on 26 Aug 2010 at 11:19
from volatility.
I think Michael said he had some plugins as a work in progress for these, so
I'm assigning it to him. Feel free to unassign if you think someone else
should be handling it... 5:)
Original comment by [email protected]
on 24 Nov 2010 at 10:53
from volatility.
Yep, I'm working on this, and it will take a little while longer. Just
something to think about in the meantime though, the networking architecture
has changed significantly starting with Vista, so it's not just a matter of
adding new offsets in tcpip.sys to the connections/sockets commands. We'll need
to perform an entirely new sequence of actions on Vista and Windows 7, because
they use hash tables and bitmaps. Here is a preview though (sockets only... I am
yet to have a preview for connections):
$ python volatility.py netstat -f Windows7.vmem --profile=Win7SP0x86
Volatile Systems Volatility Framework 1.4_rc1
Proto Local Address Foreign Address State Pid Owner
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe
TCP 169.254.53.234:139 0.0.0.0:0 LISTENING 4 System
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4 System
TCP 0.0.0.0:5357 0.0.0.0:0 LISTENING 4 System
TCP 0.0.0.0:49152 0.0.0.0:0 LISTENING 408 wininit.exe
TCP 0.0.0.0:49153 0.0.0.0:0 LISTENING 764 svchost.exe
TCP 0.0.0.0:49154 0.0.0.0:0 LISTENING 948 svchost.exe
TCP 0.0.0.0:49155 0.0.0.0:0 LISTENING 524 services.exe
TCP 0.0.0.0:49156 0.0.0.0:0 LISTENING 532 lsass.exe
TCP 0.0.0.0:49160 0.0.0.0:0 LISTENING 0 w+? w+? w+?(w+?
TCP 0.0.0.0:49184 0.0.0.0:0 LISTENING 0 ??脸?脸?????
UDP 172.16.237.155:68 *:* 764 svchost.exe
UDP 0.0.0.0:123 *:* 1088 svchost.exe
UDP 169.254.53.234:137 *:* 4 System
UDP 169.254.53.234:138 *:* 4 System
UDP 254.128.0.0:1900 *:* 2192 svchost.exe
UDP 0.0.0.0:3702 *:* 1088 svchost.exe
UDP 254.128.0.0:50046 *:* 2192 svchost.exe
UDP 0.0.0.0:50047 *:* 2192 svchost.exe
UDP 169.254.53.234:50048 *:* 2192 svchost.exe
UDP 127.0.0.1:50049 *:* 2192 svchost.exe
UDP 0.0.0.0:51971 *:* 1088 svchost.exe
UDP 0.0.0.0:51972 *:* 1088 svchost.exe
UDP 0.0.0.0:54170 *:* 2192 svchost.exe
UDP 0.0.0.0:54171 *:* 2192 svchost.exe
UDP 0.0.0.0:59787 *:* 1088 svchost.exe
UDP 0.0.0.0:59788 *:* 1088 svchost.exe
Original comment by [email protected]
on 29 Nov 2010 at 6:24
from volatility.
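An added example, not from the thread or from Volatility: a parser for the netstat column layout in the preview above, with sanity checks that flag rows an analyst should not trust while the Vista/Win7 support is still in progress (owner names that are not process names, sockets attributed to PID 0, and local addresses in a reserved IPv4 range such as the 254.128.0.0 entries). The sample rows are constructed from the preview, and the checks are this example's own heuristics.

```python
import ipaddress
import re

# Constructed sample in the column layout of the netstat preview quoted above
# (proto, local, foreign, [state], pid, owner), one socket per line. The two
# PID 0 rows reproduce the garbage owner names the preview printed.
SAMPLE = """\
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 712 svchost.exe
TCP 169.254.53.234:139 0.0.0.0:0 LISTENING 4 System
TCP 0.0.0.0:49160 0.0.0.0:0 LISTENING 0 w+? w+? w+?(w+?
TCP 0.0.0.0:49184 0.0.0.0:0 LISTENING 0 ??脸?脸?????
UDP 172.16.237.155:68 *:* 764 svchost.exe
UDP 254.128.0.0:1900 *:* 2192 svchost.exe
"""

# UDP rows carry no state column, hence the optional group; the owner column
# runs to end of line because the garbage names contain spaces.
ROW = re.compile(r"^(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<foreign>\S+)\s+"
                 r"(?:(?P<state>[A-Z_]+)\s+)?(?P<pid>\d+)\s+(?P<owner>.*)$")

def parse(text):
    """One dict per row that matches the layout (pid as int); other lines skipped."""
    return [dict(m.groupdict(), pid=int(m["pid"]))
            for m in map(ROW.match, (l.strip() for l in text.splitlines())) if m]

def check(row):
    """This example's own heuristics (not Volatility's) for rows not to trust."""
    flags = []
    # A process name read from memory should be printable ASCII without '?' fill.
    if not row["owner"] or any(not (32 <= ord(c) < 127) or c == "?" for c in row["owner"]):
        flags.append("owner-not-a-process-name")
    # PID 0 is System Idle on Windows and does not own sockets.
    if row["pid"] == 0:
        flags.append("pid-0-owner")
    # A local IPv4 address in 240/4 (reserved) cannot belong to a real interface;
    # the likely cause is a non-IPv4 endpoint decoded as IPv4 (assumption).
    host = row["local"].rsplit(":", 1)[0]
    try:
        if ipaddress.IPv4Address(host) in ipaddress.IPv4Network("240.0.0.0/4"):
            flags.append("local-addr-reserved-range")
    except ValueError:  # "*" or anything that is not an IPv4 literal
        pass
    return flags

def audit(text):
    """Map row index to its flags, for rows with at least one flag."""
    return {i: f for i, r in enumerate(parse(text)) if (f := check(r))}
```

Running audit over the real plugin output the same way gives a short list of rows to re-check by hand against the process list before relying on the socket attribution.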
Original comment by [email protected]
on 21 Jan 2011 at 9:04
- Added labels: Milestone-Release1.4
from volatility.
Made some good breakthroughs today, should be done by week's end.
Original comment by [email protected]
on 25 Jan 2011 at 4:39
from volatility.
This issue was closed by revision r647.
Original comment by [email protected]
on 31 Jan 2011 at 11:16
- Changed state: Fixed
from volatility.
Ok, I just checked these in. Netscan seems to work fine, although netstat
didn't return me any results for a win7 dump on the Win7SP0x86 profile, so it
might be worth people checking what I added in case there's an issue?
Also, we should try to either produce similar output for older profiles, or
clearly indicate which plugins work with which profiles. This will become even
more important when linux profiles hit, so I'm going to create a new bug (and
critically *not* blocking on 1.4, although this particular instance should
probably be solved before we release).
Original comment by [email protected]
on 31 Jan 2011 at 11:20
from volatility.
Sorry for the bugspam, but better to get this right now than later once it's
more in use.
Original comment by [email protected]
on 4 Feb 2011 at 9:34
- Added labels: Milestone-1.4.x
- Removed labels: Milestone-Release1.4
from volatility.