ClaudeZoo / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

Add plugin to dump DNS resolver cache #124

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
Enhancement submission; would love to see the capability to dump contents of 
the DNS resolver cache if possible. Something akin to "ipconfig /displaydns".

Would also be interesting to see representation of which DNS resolvers are 
configured on the system.

Perhaps also useful to view the IP address of the DHCP server (if any) that 
provided the lease to the host.

Thinking about hostname-based attribution of connection information provided by 
connections/connscan/netscan, DNS hijacking malware, rogue DHCP server 
detection, etc.

Original issue reported on code.google.com by phatbuck...@gmail.com on 24 Jul 2011 at 7:59

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 24 Jul 2011 at 9:01

GoogleCodeExporter commented 8 years ago
Thanks for the suggestion, I share the desire for a plugin of this sort. 
Actually I came close to finding the info when writing the netscan plugin. It 
may take a little bit, but we'll let you know when it's done!

Original comment by michael.hale@gmail.com on 25 Jul 2011 at 2:55

GoogleCodeExporter commented 8 years ago
Hello, here is the dnscache plugin, please report all the bugs :) the code looks 
like crap :( To use this, you need a new version of my heap plugin which is 
available in another issue.

Original comment by marko.th...@gmail.com on 13 Nov 2011 at 9:32

GoogleCodeExporter commented 8 years ago
Just CC'ing some others so they know the plugin exists and can check it out. 

Original comment by michael.hale@gmail.com on 14 Nov 2011 at 1:37

GoogleCodeExporter commented 8 years ago
Here is a fixed version of the dnscache plugin.

Original comment by marko.th...@gmail.com on 15 Nov 2011 at 6:44

Attachments:

GoogleCodeExporter commented 8 years ago
So I just tried this recently, and ran into a problem with the plugin requiring 
volatility.plugins.heap, is that another private plugin?  If so, would you be 
willing to post that as well please?

Original comment by mike.auty@gmail.com on 23 Jan 2012 at 2:50

GoogleCodeExporter commented 8 years ago
Found posted at least here:

http://code.google.com/p/volatility/issues/attachmentText?id=149&aid=1490011000&name=heap.py&token=YQ42pDThBAxlcjnaQ9VjZ0tw2j0%3A1327342168317

Unsure if updates available anywhere since then.

Original comment by phatbuck...@gmail.com on 23 Jan 2012 at 6:43

GoogleCodeExporter commented 8 years ago
Ok, seems to work on my XP image, but fails on Windows 7 with:

Traceback (most recent call last):
  File "vol.py", line 135, in <module>
    main()
  File "vol.py", line 126, in main
    command.execute()
  File "/home/mike/workspace/volatility/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/home/mike/workspace/volatility/volatility/plugins/dnscache.py", line 267, in render_text
    for record_name,record_type,ttl,datalen,section,data in data:
  File "/home/mike/workspace/volatility/volatility/plugins/dnscache.py", line 191, in calculate
    for procname, pid, heap, heap_segments, heap_freelists, heap_virtual_blocks in heapscan.HeapScan(self._config).calculate(pid):
  File "/home/mike/workspace/volatility/volatility/plugins/heap.py", line 84, in calculate
    for offset in heap.Segments:
  File "/home/mike/workspace/volatility/volatility/obj.py", line 777, in __getattr__
    return self.m(attr)
  File "/home/mike/workspace/volatility/volatility/obj.py", line 762, in m
    raise AttributeError("Struct {0} has no member {1}".format(self.obj_name, attr))
AttributeError: Struct _HEAP has no member Segments

Original comment by mike.auty@gmail.com on 23 Jan 2012 at 8:43

GoogleCodeExporter commented 8 years ago
Thanks for testing it. I'll try to fix it soon for Windows 7 :)

Original comment by marko.th...@gmail.com on 31 Jan 2012 at 6:00

GoogleCodeExporter commented 8 years ago
Hey guys, I'm going to drop this down to low. Marko, if you happen to upgrade 
to support Windows 7 (and other hardware archs like x64) or need help doing so, 
we can bump back up and look into getting it into a future release. 

Original comment by michael.hale@gmail.com on 1 Feb 2013 at 4:36

GoogleCodeExporter commented 8 years ago
Updated dnscache.py to work in 2.3 beta.
Attached.

Original comment by kha...@gmail.com on 12 Jun 2013 at 3:30

Attachments:

GoogleCodeExporter commented 8 years ago
I have updated the code to remove the dependency on heapscan - it now operates 
similarly to a scanner going through the process memory (and could potentially be 
migrated to one.)

Unfortunately it still only produces results under a specific profile - 32 bit 
Windows XP. I suspect the format of the data structure in memory changed 
between XP and Vista.

Updated version attached, fully 2.3BetaSVN compatible. 

Note: I have changed the name of the command to "dnscachedump" to avoid 
conflicts against the older heapscan based version.

Original comment by bry...@gmail.com on 13 Aug 2013 at 1:01

Attachments:

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 18 Feb 2015 at 6:52