List:       vol-users
Subject:    [Vol-users] Netscan and Win 7 64-bit memory?
From:       michael.hale () gmail ! com (Michael Hale Ligh)
Date:       2012-05-20 9:56:54
Message-ID: CAFM6LVA0=nYFpj0jS1oeo28c=RKjo86PUexKP37n=0s6Au559w () mail ! gmail ! com

Hi Tom,

Could you try netscan in revision 1735 or later, please? It should be
working for x64 profiles now.

Thanks,
MHL

On Mon, Mar 26, 2012 at 9:08 AM, Michael Hale Ligh
<michael.hale@gmail.com> wrote:
> Hey Tom,
>
> Thanks for the report. While I wasn't aware of the particular problem
> (missing _IN_ADDR), we do plan on spending some time with the
> networking plugins on x64 before 2.1 is released. If you track issue
> 194 (http://code.google.com/p/volatility/issues/detail?id=194) you'll
> see exactly when changes are made and when it's "safe" to re-test ;-)
>
> By the way, LdrModules, Malfind, YaraScan, and SvcScan for x86/x64 are
> attached to issues 234 and 235, respectively, in case you wanted to
> test them (though you'll have to remove malware.py first or plugin
> names will conflict).
>
> MHL
>
> On Sun, Mar 25, 2012 at 11:14 PM, Tom Yarrish <tom@yarrish.com> wrote:
>> Hey all,
>> Does the netscan plugin work against Windows 7 64-bit memory samples?
>> When I'm running it with the latest build (1574), I get the following:
>>
>>
>> Computer:volatility-read-only $ python vol.py -f
>> ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
>> Volatile Systems Volatility Framework 2.1_alpha
>> *** Failed to import volatility.plugins.evtlogs (AttributeError:
>> 'module' object has no attribute 'LdrModules')
>> *** Failed to import volatility.plugins.timeliner (AttributeError:
>> 'module' object has no attribute 'LdrModules')
>> Offset(P)  Proto    Local Address                  Foreign Address
>>  State            Pid      Owner          Created
>> 0x11747cef0 TCPv4    0.0.0.0:62887                  0.0.0.0:0
>>  LISTENING        3212     svchost.exe
>> 0x11785da10 TCPv4    0.0.0.0:3389                   0.0.0.0:0
>>  LISTENING        1260     svchost.exe
>> 0x117894ef0 TCPv4    0.0.0.0:3389                   0.0.0.0:0
>>  LISTENING        1260     svchost.exe
>> 0x117894ef0 TCPv6    :::3389                        :::0
>>  LISTENING        1260     svchost.exe
>> 0x117a00670 TCPv4    0.0.0.0:49601                  0.0.0.0:0
>>  LISTENING        2412     vmware-convert
>> 0x117a1ee00 TCPv4    0.0.0.0:62870                  0.0.0.0:0
>>  LISTENING        568      services.exe
>> 0x117a1ee00 TCPv6    :::62870                       :::0
>>  LISTENING        568      services.exe
>> WARNING : volatility.obj      : Cant find object _IN_ADDR in profile
>> <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at
>> 0x10b5be390>
>> Traceback (most recent call last):
>>  File "vol.py", line 173, in <module>
>>    main()
>>  File "vol.py", line 164, in main
>>    command.execute()
>>  File "/Users/e18529/volatility-read-only/volatility/commands.py",
>> line 101, in execute
>>    func(outfd, data)
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 266, in render_text
>>    for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 212, in calculate
>>    for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 183, in enumerate_listeners
>>    inaddr = LocalAddr.pData.dereference().dereference().v()
>> AttributeError: 'NoneType' object has no attribute 'v'
>>
>> All the other plugins are working, this is the only one I'm having
>> issues with....I know about the first two "Failed to import" lines...
>>
>> And I did remember to do a "make clean" after updating this time.... :)
>>
>> Thanks,
>> Tom
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users@volatilesystems.com
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
