[Vol-users] Netscan and Win 7 64-bit memory?

Michael Hale Ligh michael.hale at gmail.com
Sun May 20 16:15:45 CDT 2012


Hi Tom,

Could you try netscan in revision 1735 or later, please? It should be
working for x64 profiles now.

Thanks,
MHL

On Mon, Mar 26, 2012 at 9:08 AM, Michael Hale Ligh
<michael.hale at gmail.com> wrote:
> Hey Tom,
>
> Thanks for the report. While I wasn't aware of the particular problem
> (missing _IN_ADDR), we do plan on spending some time with the
> networking plugins on x64 before 2.1 is released. If you track issue
> 194 (http://code.google.com/p/volatility/issues/detail?id=194) you'll
> see exactly when changes are made and when it's "safe" to re-test ;-)
>
> By the way, LdrModules, Malfind, YaraScan, and SvcScan for x86/x64 are
> attached to issues 234 and 235, respectively, in case you wanted to
> test them (though you'll have to remove malware.py first or plugin
> names will conflict).
>
> MHL
>
> On Sun, Mar 25, 2012 at 11:14 PM, Tom Yarrish <tom at yarrish.com> wrote:
>> Hey all,
>> Does the netscan plugin work against Windows 7 64-bit memory samples?
>> When I'm running it with the latest build (1574), I get the following:
>>
>>
>> Computer:volatility-read-only $ python vol.py -f
>> ../Documents/Cases/Testing/memory.raw --profile=Win7SP1x64 netscan
>> Volatile Systems Volatility Framework 2.1_alpha
>> *** Failed to import volatility.plugins.evtlogs (AttributeError:
>> 'module' object has no attribute 'LdrModules')
>> *** Failed to import volatility.plugins.timeliner (AttributeError:
>> 'module' object has no attribute 'LdrModules')
>> Offset(P)  Proto    Local Address                  Foreign Address
>>  State            Pid      Owner          Created
>> 0x11747cef0 TCPv4    0.0.0.0:62887                  0.0.0.0:0
>>  LISTENING        3212     svchost.exe
>> 0x11785da10 TCPv4    0.0.0.0:3389                   0.0.0.0:0
>>  LISTENING        1260     svchost.exe
>> 0x117894ef0 TCPv4    0.0.0.0:3389                   0.0.0.0:0
>>  LISTENING        1260     svchost.exe
>> 0x117894ef0 TCPv6    :::3389                        :::0
>>  LISTENING        1260     svchost.exe
>> 0x117a00670 TCPv4    0.0.0.0:49601                  0.0.0.0:0
>>  LISTENING        2412     vmware-convert
>> 0x117a1ee00 TCPv4    0.0.0.0:62870                  0.0.0.0:0
>>  LISTENING        568      services.exe
>> 0x117a1ee00 TCPv6    :::62870                       :::0
>>  LISTENING        568      services.exe
>> WARNING : volatility.obj      : Cant find object _IN_ADDR in profile
>> <volatility.plugins.overlays.windows.win7.Win7SP1x64 object at
>> 0x10b5be390>?
>> Traceback (most recent call last):
>>  File "vol.py", line 173, in <module>
>>    main()
>>  File "vol.py", line 164, in main
>>    command.execute()
>>  File "/Users/e18529/volatility-read-only/volatility/commands.py",
>> line 101, in execute
>>    func(outfd, data)
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 266, in render_text
>>    for offset, proto, laddr, lport, raddr, rport, state, p, ctime in data:
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 212, in calculate
>>    for ver, laddr, raddr, owner in self.enumerate_listeners(tcpentry):
>>  File "/Users/e18529/volatility-read-only/volatility/plugins/netscan.py",
>> line 183, in enumerate_listeners
>>    inaddr = LocalAddr.pData.dereference().dereference().v()
>> AttributeError: 'NoneType' object has no attribute 'v'
>>
>> All the other plugins are working; this is the only one I'm having
>> issues with.... I know about the first two "Failed to import" lines...
>>
>> And I did remember to do a "make clean" after updating this time.... :)
>>
>> Thanks,
>> Tom
>> _______________________________________________
>> Vol-users mailing list
>> Vol-users at volatilityfoundation.org
>> http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
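As an added example (not code from this thread or from the Volatility project), the script below parses netscan text output of the shape quoted above, re-joins rows that the mail client wrapped onto two lines, and summarises listening sockets per PID so an analyst can read the table even when it arrives mangled. The sample rows are copied from the output in this thread; the port-label table and the function names are assumptions of this example.

```python
from collections import defaultdict

# Constructed sample: the netscan rows quoted in the thread above, with the
# e-mail line wrapping preserved (continuation lines begin with a space).
SAMPLE_OUTPUT = """\
Offset(P)  Proto    Local Address                  Foreign Address
 State            Pid      Owner          Created
0x11747cef0 TCPv4    0.0.0.0:62887                  0.0.0.0:0
 LISTENING        3212     svchost.exe
0x11785da10 TCPv4    0.0.0.0:3389                   0.0.0.0:0
 LISTENING        1260     svchost.exe
0x117894ef0 TCPv4    0.0.0.0:3389                   0.0.0.0:0
 LISTENING        1260     svchost.exe
0x117894ef0 TCPv6    :::3389                        :::0
 LISTENING        1260     svchost.exe
0x117a00670 TCPv4    0.0.0.0:49601                  0.0.0.0:0
 LISTENING        2412     vmware-convert
0x117a1ee00 TCPv4    0.0.0.0:62870                  0.0.0.0:0
 LISTENING        568      services.exe
0x117a1ee00 TCPv6    :::62870                       :::0
 LISTENING        568      services.exe
"""

# Assumed label table for ports an analyst usually wants called out.
PORT_LABELS = {3389: "RDP"}


def unwrap(text):
    """Re-join rows that were wrapped: a line starting with whitespace
    is the continuation of the previous row."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace() and rows:
            rows[-1] += " " + line.strip()
        else:
            rows.append(line.rstrip())
    return rows


def parse_netscan(text):
    """Parse netscan rows into dicts. The state column may be empty (UDP
    rows), so the parser decides by whether the next token is the PID."""
    records = []
    for row in unwrap(text):
        if row.startswith("Offset"):
            continue  # header row
        tok = row.split()
        if len(tok) < 6:
            continue  # not a data row
        offset, proto, laddr, raddr = tok[:4]
        rest = tok[4:]
        state = "" if rest[0].isdigit() else rest.pop(0)
        pid, owner, created = int(rest[0]), rest[1], " ".join(rest[2:])
        port = int(laddr.rsplit(":", 1)[1])
        records.append({"offset": offset, "proto": proto, "laddr": laddr,
                        "port": port, "raddr": raddr, "state": state,
                        "pid": pid, "owner": owner, "created": created})
    return records


def listeners_by_pid(records):
    """Map pid -> sorted list of (proto, port) for LISTENING sockets."""
    out = defaultdict(set)
    for r in records:
        if r["state"] == "LISTENING":
            out[r["pid"]].add((r["proto"], r["port"]))
    return {pid: sorted(v) for pid, v in out.items()}


def dual_stack_offsets(records):
    """Offsets that appear as both a TCPv4 and a TCPv6 row, as two of the
    listeners in the thread's output do; count them once when tallying."""
    protos = defaultdict(set)
    for r in records:
        protos[r["offset"]].add(r["proto"])
    return sorted(o for o, p in protos.items() if {"TCPv4", "TCPv6"} <= p)


def labelled_listeners(records):
    """(pid, owner, port, label) for listening ports in PORT_LABELS."""
    seen = set()
    hits = []
    for r in records:
        key = (r["pid"], r["port"])
        if r["state"] == "LISTENING" and r["port"] in PORT_LABELS and key not in seen:
            seen.add(key)
            hits.append((r["pid"], r["owner"], r["port"], PORT_LABELS[r["port"]]))
    return hits


if __name__ == "__main__":
    recs = parse_netscan(SAMPLE_OUTPUT)
    for pid, ports in sorted(listeners_by_pid(recs).items()):
        print(pid, ports)
    print("dual-stack offsets:", dual_stack_offsets(recs))
    print("labelled:", labelled_listeners(recs))
```

Running it on the pasted rows yields one line per PID, with the two offsets that appear under both TCPv4 and TCPv6 listed once, and PID 1260 flagged for the RDP port.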