Hi Tom,
Could you try netscan in revision 1735 or later, please? It should be
working for x64 profiles now.
Thanks,
MHL
On Mon, Mar 26, 2012 at 9:08 AM, Michael Hale Ligh
<michael.hale(a)gmail.com> wrote:
Hey Tom,
Thanks for the report. While I wasn't aware of the particular problem
(missing _IN_ADDR), we do plan on spending some time with the
networking plugins on x64 before 2.1 is released. If you track issue
194 (http://code.google.com/p/volatility/issues/detail?id=194) you'll
see exactly when changes are made and when it's "safe" to re-test ;-)
By the way, LdrModules, Malfind, YaraScan, and SvcScan for x86/x64 are
attached to issues 234 and 235, respectively, in case you wanted to
test them (though you'll have to remove malware.py first or plugin
names will conflict).
MHL
On Sun, Mar 25, 2012 at 11:14 PM, Tom Yarrish <tom(a)yarrish.com> wrote:
> Hey all,
> Does the netscan plugin work against Windows 7 64-bit memory samples?
> When I'm running it with the latest build (1574), I get the following:
>
>
> Computer:volatility-read-only $ python vol.py -f
> ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
> Volatile Systems Volatility Framework 2.1_alpha
> *** Failed to import volatility.plugins.evtlogs (AttributeError:
> 'module' object has no attribute 'LdrModules')
> *** Failed to import volatility.plugins.timeliner (AttributeError:
> 'module' object has no attribute 'LdrModules')
> Offset(P) Proto Local Address Foreign Address
> State Pid Owner Created
> 0x11747cef0 TCPv4 0.0.0.0:62887 0.0.0.0:0
> LISTENING 3212 svchost.exe
> 0x11785da10 TCPv4 0.0.0.0:3389 0.0.0.0:0
> LISTENING 1260 svchost.exe
> 0x117894ef0 TCPv4 0.0.0.0:3389 0.0.0.0:0
> LISTENING 1260 svchost.exe
> 0x117894ef0 TCPv6 :::3389 :::0
> LISTENING 1260 svchost.exe
> 0x117a00670 TCPv4 0.0.0.0:49601 0.0.0.0:0
> LISTENING 2412 vmware-convert
> 0x117a1ee00 TCPv4 0.0.0.0:62870 0.0.0.0:0
> LISTENING 568 services.exe
> 0x117a1ee00 TCPv6 :::62870 :::0
> LISTENING 568 services.exe
> WARNING : volatility.obj : Cant find object _IN_ADDR in profile
> <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at
> 0x10b5be390>?
> Traceback (most recent call last):
> File "vol.py", line 173, in <module>
> main()
> File "vol.py", line 164, in main
> command.execute()
> File "/Users/e18529/volatility-read-only/volatility/commands.py",
> line 101, in execute
> func(outfd, data)
> File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
> line 266, in render_text
> for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
> File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
> line 212, in calculate
> for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
> File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
> line 183, in enumerate_listeners
> inaddr = LocalAddr.pData.dereference().dereference().v()
> AttributeError: 'NoneType' object has no attribute 'v'
>
> All the other plugins are working, this is the only one I'm having
> issues with....I know about the first two "Failed to import" lines...
>
> And I did remember to do a "make clean" after updating this time.... :)
>
> Thanks,
> Tom
> _______________________________________________
> Vol-users mailing list
> Vol-users(a)volatilityfoundation.org
> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users