netscan does not show process info for TCP_ENDPOINTS for Windows 7 x32 SP1 [Version 6.1.7601]

Joostvtz / volatility

Automatically exported from code.google.com/p/volatility

GNU General Public License v2.0

0 stars 0 forks source link

netscan does not show process info for TCP_ENDPOINTS for Windows 7 x32 SP1 [Version 6.1.7601] #484

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago

I think I have a fix for this issue and I am attaching the patch. I don't know 
how else to contribute to this project from which I have learned a lot. Thanks 
for the good work guys.

What steps will reproduce the problem?
1. Get memory dump from a Win 7 x32 sp1 machine 
2. volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f e:\w7-32\memdump.mem 
netscan

What is the expected output? What do you see instead?
For established connections you should see process information

What version of the product are you using? On what operating system?
trunk version

Thanks,
sharrajesh

Original issue reported on code.google.com by sharraj...@gmail.com on 6 Mar 2014 at 9:10

Merged into: #174

Attachments:

tcpip_vtypes.py.patch

GoogleCodeExporter commented 8 years ago

Hi sharrajesh, 

Thanks for the patch. Would you mind extracting your tcpip.sys kernel module 
and attaching it here? The command would be: 

$ volatility-2.3.1.standalone.exe --profile=Win7SP1x86 -f e:\w7-32\memdump.mem 
moddump -D . -r tcpip.sys

The offset 0x174 works for several versions of Windows 7 (also 6.1.7601) so it 
must be the minor build number or a security patch that's been applied which 
changed the offset to 0x178.

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 3:37

GoogleCodeExporter commented 8 years ago

Sure Mike. I am attaching the file for your reference.

Original comment by sharraj...@gmail.com on 7 Mar 2014 at 5:53

Attachments:

driver.85817000.sys

GoogleCodeExporter commented 8 years ago

Thanks! Unfortunately the file version information is paged out (swapped to 
disk), so I can't see the build/revision number. Do you perhaps have access to 
the tcpip.sys from disk? Its not a huge deal if not, I'm pretty sure that's the 
issue. In fact there are a few other similar cases where the offsets for 
specific members differ between builds of the same OS and service pack. So I'm 
going to merge this issue into the other issues that reference this topic.

Original comment by michael.hale@gmail.com on 7 Mar 2014 at 6:25

Changed state: Duplicate

GoogleCodeExporter commented 8 years ago

0: kd> lm v m tcpip
start    end        module name
85812000 8595e000   tcpip      (pdb symbols)          
c:\sym\ms\tcpip.pdb\6B11C44E900B428D95FB17D3C439A5602\tcpip.pdb
    Loaded symbol image file: tcpip.sys
    Image path: \SystemRoot\System32\drivers\tcpip.sys
    Image name: tcpip.sys
    Timestamp:        Sat Sep 07 18:53:38 2013 (522BCA92)
    CheckSum:         0013CD57
    ImageSize:        0014C000
    Translations:     0000.04b0 0000.04e4 0409.04b0 0409.04e4

Original comment by sharraj...@gmail.com on 7 Mar 2014 at 7:07

GoogleCodeExporter commented 8 years ago

File Version 6.1.7601.17514

Original comment by sharraj...@gmail.com on 7 Mar 2014 at 7:18

Attachments:

tcpip.sys