Leor3961 / volatility

Automatically exported from code.google.com/p/volatility

Connections not returning information #45

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
What steps will reproduce the problem?
1. python volatility connections -f <file.image>
2. also connscan & connscan2 have the same problem
3.
What is the expected output? What do you see instead?
No output

What version of the product are you using? On what operating system?
Volatility 1.3, Windows XP SP 3, python 2.7

Please provide any additional information below.

Tried various image gathering tools, same effect
When I used the sample memory dumps it works fine
Tried version 1.1.2 of volatility same problem
Target OS is XP version 2002 running within a VM
pslist, dlllist, ident 

Original issue reported on code.google.com by geraintg...@gmail.com on 15 Nov 2010 at 8:09

GoogleCodeExporter commented 8 years ago
Volatility 1.3 only supports Windows XP SP2, and as such the plugins you 
mentioned may not work against an XP SP3 box.  Version 1.4_rc1 has basic 
support for Windows XP SP3, and you can test and see if the newer version works.

You can get a copy of volatility-1.4 using subversion (see 
http://code.google.com/p/volatility/source/checkout) and you'll find the code 
under branch/Volatility-1.4_rc1.  Please note, when running plugins against an 
XPSP3 image, you'll need to tell volatility to use the XPSP3 profile by adding 
"--profile=WinXPSP3".

If that solves it, please let us know, so we can mark this as fixed.  If you're 
still having trouble, also let us know and we can try to help you debug the 
problem further...

Original comment by mike.auty@gmail.com on 15 Nov 2010 at 11:33

GoogleCodeExporter commented 8 years ago
Please also note that issue 6 may be relevant here.

Original comment by mike.auty@gmail.com on 15 Nov 2010 at 11:34

GoogleCodeExporter commented 8 years ago

Original comment by mike.auty@gmail.com on 23 Nov 2010 at 8:32

GoogleCodeExporter commented 8 years ago
[deleted comment]
GoogleCodeExporter commented 8 years ago
I'm getting the following error on most commands now:

$ python volatility.py connections -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 90, in main
    config.parse_options(False)
  File "/TESTING/vol_1.4/volatility/conf.py", line 225, in parse_options
    (opts, args) = self.optparser.parse_args()
  File "/usr/lib/python2.6/optparse.py", line 1394, in parse_args
    stop = self._process_args(largs, rargs, values)
  File "/TESTING/vol_1.4/volatility/conf.py", line 84, in _process_args
    return optparse.OptionParser._process_args(self, largs, rargs, values)
  File "/usr/lib/python2.6/optparse.py", line 1438, in _process_args
    self._process_short_opts(rargs, values)
  File "/usr/lib/python2.6/optparse.py", line 1545, in _process_short_opts
    option.process(opt, value, values, self)
  File "/usr/lib/python2.6/optparse.py", line 788, in process
    self.action, self.dest, opt, value, values, parser)
  File "/usr/lib/python2.6/optparse.py", line 808, in take_action
    self.callback(self, opt, value, parser, *args, **kwargs)
  File "/TESTING/vol_1.4/volatility/plugins/fileparam.py", line 35, in set_location
    if parser.values.location == None:
AttributeError: Values instance has no attribute 'location'

I know it's probably temporary, but thought I'd post it for now in case it 
helps 

Original comment by jamie.l...@gmail.com on 24 Nov 2010 at 5:10

GoogleCodeExporter commented 8 years ago
Errr, yep, can you please ensure you remove all your .pyc files since you 
updated, as that may have an effect on this...

If you hop on channel, I can talk through various things to check until we 
figure out what's going wrong.  5:)

Original comment by mike.auty@gmail.com on 24 Nov 2010 at 5:15

GoogleCodeExporter commented 8 years ago
Hey guys, just had a second free and an XPSP3 image available, so I tested this 
to give another perspective. In my case, it worked fine without 
"--profile=WinXPSP3" but when I added "--profile=WinXPSP3" I got an error. This 
is with rev 553 of 1.4 branch, Python 2.6 and OS X.

$ python volatility.py connections -f XPSP3.vmem
Volatile Systems Volatility Framework 1.4_rc1
Local Address             Remote Address            Pid   
172.16.237.156:2734       65.55.249.67:80             1904
172.16.237.156:2723       63.84.59.32:80              1904
172.16.237.156:2731       65.55.197.248:80            1904
172.16.237.156:2749       72.14.204.148:80            1904
172.16.237.156:2767       65.54.81.47:80              1904

$ python volatility.py connections -f XPSP3.vmem --profile=WinXPSP3
Volatile Systems Volatility Framework 1.4_rc1
Local Address             Remote Address            Pid   
Traceback (most recent call last):
  File "volatility.py", line 126, in <module>
    main()
  File "volatility.py", line 117, in main
    command.execute()
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/plugins/connections.py", line 43, in render_text
    for conn in data:
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/win32/network.py", line 107, in determine_connections
    conn = entry.dereference()
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 531, in dereference
    name = self.obj_name)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 240, in Object
    **kwargs)
  File "/Users/mike/Desktop/Volatility-1.4_rc1/volatility/obj.py", line 675, in __init__
    raise RuntimeError("No members specified for CType")
RuntimeError: No members specified for CType

Original comment by michael.hale@gmail.com on 29 Nov 2010 at 6:07

GoogleCodeExporter commented 8 years ago
Yep, so this is because the plugin attempts to overlay additional fields into 
the _TCPT_OBJECT, which exists in the XPSP2 manually created vtypes, but not 
the XPSP3 auto-generated one.  It only happens to certain images based on how 
deep a table is (as to whether the _TCPT_OBJECT gets instantiated or not).

This may get fixed as part of labarum_X's work on autogenerated XPSP2, but 
otherwise it'll require the _TCPT_OBJECT to be defined once by the plugin 
(assuming it doesn't change across all the profiles), or it could be defined 
several times based on common DLL versions, and then those could be found 
first, or it could be defined by profile.  It mostly depends on how/where this 
symbol is defined on the system.

Original comment by mike.auty@gmail.com on 29 Nov 2010 at 10:27

GoogleCodeExporter commented 8 years ago
What if we do an update to the WinXPSP3 profile (in xp_sp3_x86.py) like we have 
in WinXPSP2?

xp_sp3_x86_vtypes.ntoskrnl_types.update({
  '_ADDRESS_OBJECT' : [ 0x68, {
    'Next' : [ 0x0, ['pointer', ['_ADDRESS_OBJECT']]],
    'LocalIpAddress' : [ 0x0c, ['unsigned long']],
    'LocalPort' : [ 0x30, ['unsigned short']],
    'Protocol'  : [ 0x32, ['unsigned short']],
    'Pid' : [ 0x148, ['unsigned long']],
    'CreateTime' : [ 0x158, ['_LARGE_INTEGER']],
  } ],
  '_TCPT_OBJECT' : [ 0x20, {
    'Next' : [ 0x0, ['pointer', ['_TCPT_OBJECT']]],
    'RemoteIpAddress' : [ 0xc, ['unsigned long']],
    'LocalIpAddress' : [ 0x10, ['unsigned long']],
    'RemotePort' : [ 0x14, ['unsigned short']],
    'LocalPort' : [ 0x16, ['unsigned short']],
    'Pid' : [ 0x18, ['unsigned long']],
  } ],
})

That seems to work:

./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
connections
Volatile Systems Volatility Framework 1.4_rc1
Local Address             Remote Address            Pid   
192.168.101.128:31337     192.168.101.1:1158          1696
192.168.101.128:1035      192.168.101.1:445              4

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
sockets
Volatile Systems Volatility Framework 1.4_rc1
Pid    Port   Proto  Create Time               
   684    500     17 2008-11-26 07:38:45       
   512   1028      6 2008-11-26 07:38:53       
     4    445      6 2008-11-26 07:38:11       
   932    135      6 2008-11-26 07:38:20       
  1264   1900     17 2008-11-26 07:38:53       
     4   1035      6 2008-11-26 07:43:07       
     4    139      6 2008-11-26 07:38:28       
  1696  31337      6 2008-11-26 07:44:16       
  1064    123     17 2008-11-26 07:38:53       
   684      0    255 2008-11-26 07:38:45       
     4    137     17 2008-11-26 07:38:28       
  1264   1900     17 2008-11-26 07:38:53       
   684   4500     17 2008-11-26 07:38:45       
     4    138     17 2008-11-26 07:38:28       
     4    445     17 2008-11-26 07:38:11       
  1064    123     17 2008-11-26 07:38:53

Whereas before I get the crash:

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
connections
Volatile Systems Volatility Framework 1.4_rc1
Local Address             Remote Address            Pid   
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/volatility/Vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/volatility/Vol_1.4/volatility/plugins/connections.py", line 50, in render_text
    local = "{0}:{1}".format(conn.LocalIpAddress, conn.LocalPort)
  File "/volatility/Vol_1.4/volatility/obj.py", line 301, in __getattr__
    raise AttributeError("Unable to resolve attribute {0} on {1}".format(attr, self.obj_name))
AttributeError: Unable to resolve attribute LocalIpAddress on Array 82

$ ./volatility.py -f ds_fuzz_hidden_proc.img --no-cache --profile=WinXPSP3x86 
sockets
Volatile Systems Volatility Framework 1.4_rc1
Pid    Port   Proto  Create Time                   
WARNING : volatility.obj      : Cant find object _ADDRESS_OBJECT in profile 
<volatility.plugins.overlays.windows.xp_sp3_x86.WinXPSP3x86 object at 
0xa8a312c>
Traceback (most recent call last):
  File "./volatility.py", line 126, in <module>
    main()
  File "./volatility.py", line 117, in main
    command.execute()
  File "/volatility/Vol_1.4/volatility/commands.py", line 101, in execute
    func(outfd, data)
  File "/volatility/Vol_1.4/volatility/plugins/sockets.py", line 38, in render_text
    for sock in data:
  File "/volatility/Vol_1.4/volatility/win32/network.py", line 140, in determine_sockets
    while sock.is_valid():
AttributeError: 'NoneType' object has no attribute 'is_valid'

Original comment by jamie.l...@gmail.com on 31 Dec 2010 at 5:08
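The two failure modes in this thread (a profile that does not define _TCPT_OBJECT at all, and a plugin that resolves a member the type does not carry) come down to how a vtype dictionary of the shape posted above is used to read a structure out of an image. The following is an added illustration written for this page, not code from the Volatility project: it takes a copy of the _TCPT_OBJECT layout from Jamie's snippet, walks a Next chain through a constructed byte buffer standing in for a memory image, and raises a clear profile error instead of the AttributeError seen in the tracebacks. The port members are declared 'unsigned be short' here on the assumption that TCPT ports sit in memory in network byte order; the buffer contents, the offsets 0x100 and 0x200, and all function names are constructed for the example.

```python
import socket
import struct

# Constructed vtypes in the same [size, {member: [offset, [type, ...]]}] shape
# as the _TCPT_OBJECT definition posted in this thread (x86, 32-bit pointers).
# Assumption: ports are big-endian in memory, hence 'unsigned be short'.
PROFILE_WITH_TCPT = {
    '_TCPT_OBJECT': [0x20, {
        'Next':            [0x00, ['pointer', ['_TCPT_OBJECT']]],
        'RemoteIpAddress': [0x0c, ['unsigned long']],
        'LocalIpAddress':  [0x10, ['unsigned long']],
        'RemotePort':      [0x14, ['unsigned be short']],
        'LocalPort':       [0x16, ['unsigned be short']],
        'Pid':             [0x18, ['unsigned long']],
    }],
}
# A profile lacking the structure, as the auto-generated XPSP3 vtypes did.
PROFILE_WITHOUT_TCPT = {}

_PRIMITIVES = {
    'unsigned long': '<I',
    'unsigned short': '<H',
    'unsigned be short': '>H',
    'pointer': '<I',
}


class ProfileError(Exception):
    """Raised when a plugin asks for a type or member the profile lacks."""


def read_member(profile, type_name, member, mem, base):
    """Read one primitive member of a vtype struct located at `base` in `mem`."""
    if type_name not in profile:
        raise ProfileError("Cant find object {0} in profile".format(type_name))
    _size, members = profile[type_name]
    if member not in members:
        raise ProfileError("Unable to resolve attribute {0} on {1}".format(member, type_name))
    offset, (prim, *_) = members[member]
    fmt = _PRIMITIVES[prim]
    if base + offset + struct.calcsize(fmt) > len(mem):
        raise ProfileError("read past end of image at 0x{0:x}".format(base + offset))
    return struct.unpack_from(fmt, mem, base + offset)[0]


def ip_str(raw):
    # The address bytes are stored in memory order; repack the value as read
    # (little-endian unsigned long) to recover them, then print a dotted quad.
    return socket.inet_ntoa(struct.pack('<I', raw))


def walk_connections(profile, mem, head, max_entries=1024):
    """Follow the Next chain of _TCPT_OBJECT entries starting at `head`."""
    results, seen, ptr = [], set(), head
    while ptr and ptr not in seen and len(results) < max_entries:
        seen.add(ptr)  # a cycle in corrupt memory must not loop forever
        rd = lambda m: read_member(profile, '_TCPT_OBJECT', m, mem, ptr)
        local = "{0}:{1}".format(ip_str(rd('LocalIpAddress')), rd('LocalPort'))
        remote = "{0}:{1}".format(ip_str(rd('RemoteIpAddress')), rd('RemotePort'))
        results.append((local, remote, rd('Pid')))
        ptr = rd('Next')
    return results


def make_tcpt(next_ptr, local_ip, local_port, remote_ip, remote_port, pid):
    """Serialise one 0x20-byte _TCPT_OBJECT using the posted offsets (constructed data)."""
    buf = bytearray(0x20)
    struct.pack_into('<I', buf, 0x00, next_ptr)
    buf[0x0c:0x10] = socket.inet_aton(remote_ip)
    buf[0x10:0x14] = socket.inet_aton(local_ip)
    struct.pack_into('>H', buf, 0x14, remote_port)
    struct.pack_into('>H', buf, 0x16, local_port)
    struct.pack_into('<I', buf, 0x18, pid)
    return bytes(buf)


def sample_image():
    """Constructed image: entry at 0x100 links to 0x200, which ends the chain."""
    mem = bytearray(0x300)
    mem[0x100:0x120] = make_tcpt(0x200, '192.168.101.128', 31337, '192.168.101.1', 1158, 1696)
    mem[0x200:0x220] = make_tcpt(0, '192.168.101.128', 1035, '192.168.101.1', 445, 4)
    return bytes(mem), 0x100


if __name__ == '__main__':
    mem, head = sample_image()
    for local, remote, pid in walk_connections(PROFILE_WITH_TCPT, mem, head):
        print("{0:<25} {1:<25} {2:>6}".format(local, remote, pid))
    try:
        walk_connections(PROFILE_WITHOUT_TCPT, mem, head)
    except ProfileError as exc:
        print("profile without _TCPT_OBJECT:", exc)
```

With the full profile the walk prints the same two rows as the connections output above; with the empty profile it stops at the first dereference with a message naming the missing type, which is the check the 1.4 plugin was missing when it fell through to "Unable to resolve attribute LocalIpAddress on Array 82".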

GoogleCodeExporter commented 8 years ago
This issue was closed by revision r573.

Original comment by mike.auty@gmail.com on 31 Dec 2010 at 5:34

GoogleCodeExporter commented 8 years ago
Ok, just a quick note that this is now fixed using Jamie's fix of copying the 
appropriate structures into a file and updating them into each profile's types. 
 I also cleaned up some of the imports in the profiles in the process.

Please note, this will only solve the problem for XPSP3, but that's what this 
specific issue was about.  Retrieving networking information for Vista and 
above is all part of issue 6, so anyone following this should go there for 
those operating systems.

As ever, feel free to reopen this issue if the fix doesn't work properly, or 
you believe the problem still exists.  5:)

Original comment by mike.auty@gmail.com on 31 Dec 2010 at 5:37