[Vol-users] Volatility 2.1/2.2 connscan/sockets/sockscan not supported for profile Win7SP1x86

Jamie Levy jamie.levy at gmail.com
Fri Jan 4 18:00:42 CST 2013


Ah, right.  I forgot to mention that we recently added a mechanism to
restrict plugins based on profiles.  The default profile is
WinXPSP2x86, so that is why you see the connscan plugin with the -h
option.  If you specify the profile when you use `vol.py -h` you
should see the netscan plugin:

http://code.google.com/p/volatility/wiki/VolatilityUsage22#Displaying_Help



On Fri, Jan 4, 2013 at 6:51 PM, Mike Lambert <dragonforen at hotmail.com> wrote:
> I see, thanks Jamie.
>
> I was relying too much on vol.py -h listing for what commands/plugins were
> available.
>
> connections is labeled XP only but connscan and sockets did not say the
> same.
>
> 2.1 and 2.2 -h do not list netscan (2.0 does)
>
> Have a good day!
>
> Mike
>
>> Date: Fri, 4 Jan 2013 17:06:02 -0500
>> Subject: Re: [Vol-users] Volatility 2.1/2.2 connscan/sockets/sockscan not
>> supported for profile Win7SP1x86
>> From: jamie.levy at gmail.com
>> To: dragonforen at hotmail.com
>> CC: vol-users at volatilityfoundation.org
>
>>
>> Connections/connscan/sockets/sockscan are for Windows XP/2003 only.
>> Use the netscan plugin for anything Vista/2008/Win7:
>>
>> http://code.google.com/p/volatility/wiki/CommandReference20#Networking
>>
>>
>>
>> On Fri, Jan 4, 2013 at 4:58 PM, Mike Lambert <dragonforen at hotmail.com>
>> wrote:
>> > I have found that in Volatility 2.1 and 2.2 connscan is not supported
>> > for
>> > profile Win7SP1x86. Volatility 2.0 does not produce any results. (??)
>> > I see that sockets and sockscan are also not supported in Volatility
>> > 2.2.
>> > See below.
>> >
>> > pslist does work, so some commands are supported.
>> >
>> > Is this a known issue?
>> >
>> >
>> > ----------------cut-here-------------------
>> > C:\Python27\volatility-2.2>vol.py imageinfo -f g:\victim1.w32
>> > Volatile Systems Volatility Framework 2.2
>> > Determining profile based on KDBG search...
>> > Suggested Profile(s) : Win7SP0x86, Win7SP1x86
>> > AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
>> > AS Layer2 : FileAddressSpace (G:\victim1.w32)
>> > PAE type : PAE
>> > DTB : 0x185000L
>> > KDBG : 0x82761be8L
>> > Number of Processors : 2
>> > Image Type (Service Pack) : 0
>> > KPCR for CPU 0 : 0x82762c00L
>> > KPCR for CPU 1 : 0x807c0000L
>> > KUSER_SHARED_DATA : 0xffdf0000L
>> > Image date and time : 2013-01-04 20:41:23 UTC+0000
>> > Image local date and time : 2013-01-04 14:41:23 -0600
>> >
>> >
>> > C:\Python27\volatility-2.0>vol.py connscan -f h:\victim1.img
>> > --profile=Win7SP1x86
>> > Volatile Systems Volatility Framework 2.0
>> > Offset Local Address Remote Address Pid
>> > ---------- ------------------------- ------------------------- ------
>> >
>> > C:\Python27\volatility-2.1>vol.py connscan -f h:\victim1.img
>> > --profile=Win7SP1x86
>> > Volatile Systems Volatility Framework 2.1
>> > Offset(P) Local Address Remote Address Pid
>> > ---------- ------------------------- ------------------------- ---
>> > ERROR : volatility.plugins.connscan: This command does not support the
>> > selected profile.
>> >
>> >
>> > C:\Python27\volatility-2.2>vol.py connscan -f g:\victim1.w32
>> > --profile=Win7SP1x86
>> > Volatile Systems Volatility Framework 2.2
>> > Offset(P) Local Address Remote Address Pid
>> > ---------- ------------------------- ------------------------- ---
>> > ERROR : volatility.plugins.connscan: This command does not support the
>> > selected profile.
>> >
>> > C:\Python27\volatility-2.2>vol.py sockets -f g:\victim1.w32
>> > --profile=Win7SP1x86
>> > Volatile Systems Volatility Framework 2.2
>> > ERROR : volatility.plugins.sockets: This command does not support the
>> > selected profile.
>> >
>> > C:\Python27\volatility-2.2>vol.py sockscan -f g:\victim1.w32
>> > --profile=Win7SP1x86
>> > Volatile Systems Volatility Framework 2.2
>> > Offset(P) PID Port Proto Protocol Address Create Time
>> > ---------- ------ ------ ------ --------------- ---------------
>> > -----------
>> > ERROR : volatility.plugins.sockscan: This command does not support the
>> > selected profile.
>> >
>> > _______________________________________________
>> > Vol-users mailing list
>> > Vol-users at volatilityfoundation.org
>> > http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
>> >
>>
>>
>>
>> --
>> PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3 64C2 196B 2AB5 27A4 AC92



-- 
PGP Fingerprint: 2E87 17A1 EC10 1E3E 11D3  64C2 196B 2AB5 27A4 AC92
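The thread's fix in practice: run imageinfo, pick a profile, then choose the networking plugin the profile actually supports (connections/connscan/sockets/sockscan for XP/2003, netscan for Vista/2008/Win7) instead of reading the plugin list off the profile-less `vol.py -h`. The script below is an added example, not code from the Volatility project or from anyone in this thread. The helper names, the regex parsing of imageinfo's text output and the service-pack tie-break between Win7SP0x86 and Win7SP1x86 are my assumptions; the sample imageinfo text is constructed from the lines quoted above.

```python
"""Pick the Volatility 2.x networking plugin(s) that support an image's profile.

Added example, not code from the Volatility project or the thread.
Assumptions (not from the thread): the helper names, the regex parsing of
imageinfo's text output, and the service-pack tie-break heuristic.
"""
import re

# Stated in the thread: connections/connscan/sockets/sockscan are for
# XP/2003 only; netscan covers Vista/2008/Win7.
XP_2003_FAMILY = ("WinXP", "Win2003")
VISTA_PLUS_FAMILY = ("Vista", "Win2008", "Win7")
XP_2003_NET_PLUGINS = ("connections", "connscan", "sockets", "sockscan")
VISTA_PLUS_NET_PLUGINS = ("netscan",)

PROFILES_RE = re.compile(r"Suggested Profile\(s\)\s*:\s*(.+)")
SP_RE = re.compile(r"Image Type \(Service Pack\)\s*:\s*(\d+)")


def parse_imageinfo(text):
    """Extract the suggested profiles and the service-pack field from imageinfo output."""
    m = PROFILES_RE.search(text)
    profiles = [p.strip() for p in m.group(1).split(",")] if m else []
    sp = SP_RE.search(text)
    return {"profiles": profiles, "service_pack": int(sp.group(1)) if sp else None}


def pick_profile(info):
    """Choose one of the suggested profiles.

    Heuristic (assumption, not documented in the thread): when imageinfo
    reports a service pack, prefer the suggested profile whose SPn matches it;
    otherwise fall back to the first suggestion.
    """
    profiles = info["profiles"]
    if not profiles:
        raise ValueError("imageinfo output contains no suggested profiles")
    sp = info["service_pack"]
    if sp is not None:
        for p in profiles:
            m = re.search(r"SP(\d+)", p)
            if m and int(m.group(1)) == sp:
                return p
    return profiles[0]


def network_plugins_for(profile):
    """Map a profile name to the networking plugins that support it."""
    if profile.startswith(XP_2003_FAMILY):
        return XP_2003_NET_PLUGINS
    if profile.startswith(VISTA_PLUS_FAMILY):
        return VISTA_PLUS_NET_PLUGINS
    raise ValueError("no networking plugin mapping known for profile %r" % profile)


def build_commands(imageinfo_text, image_path, vol="vol.py"):
    """Return the vol.py command lines to run for the image's network artifacts."""
    profile = pick_profile(parse_imageinfo(imageinfo_text))
    return ["%s %s -f %s --profile=%s" % (vol, plugin, image_path, profile)
            for plugin in network_plugins_for(profile)]


# Constructed sample: the imageinfo lines quoted in the thread, trimmed.
SAMPLE_IMAGEINFO = """\
Volatile Systems Volatility Framework 2.2
Determining profile based on KDBG search...
          Suggested Profile(s) : Win7SP0x86, Win7SP1x86
                     AS Layer1 : JKIA32PagedMemoryPae (Kernel AS)
                      PAE type : PAE
     Image Type (Service Pack) : 0
"""

if __name__ == "__main__":
    for cmd in build_commands(SAMPLE_IMAGEINFO, r"g:\victim1.w32"):
        print(cmd)
```

Run stand-alone it prints a single `vol.py netscan ... --profile=Win7SP0x86` line for the sample image; feed it the output of a real `imageinfo` run and an XP/2003 image yields the four XP-era commands instead. To confirm what a given profile supports before relying on any list, ask Volatility with the profile set, as Jamie suggests: `vol.py --profile=Win7SP1x86 -h`.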

