freddierice / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

'connections' and 'sockets' broke on win 2008 sp1 #80

Closed GoogleCodeExporter closed 8 years ago

GoogleCodeExporter commented 8 years ago
I saw the new 2008 profiles and decided to give them a quick run... found one 
issue so far...

On 2008 sp1, 'connections' goes into an infinite loop and 'sockets' blows up 
with this error:

C:\Users\admin\Desktop\vol>C:\Python27\python.exe vol.py --profile=Win2K8SP1x86 -f "Windows Server 2008.vmem" sockets
Volatile Systems Volatility Framework 1.4_rc1
*** Failed to import volatility.plugins.registry.lsadump (ImportError: No module named Crypto.Hash)
Pid    Port   Proto  Create Time
Traceback (most recent call last):
  File "vol.py", line 126, in <module>
    main()
  File "vol.py", line 117, in main
    command.execute()
  File "C:\Users\admin\Desktop\vol\volatility\commands.py", line 101, in execute
    func(outfd, data)
  File "C:\Users\admin\Desktop\vol\volatility\plugins\sockets.py", line 32, in render_text
    for sock in data:
  File "C:\Users\admin\Desktop\vol\volatility\win32\network.py", line 138, in determine_sockets
    for entry in table:
  File "C:\Users\admin\Desktop\vol\volatility\obj.py", line 613, in __iter__
    for position in range(0, self.count):
MemoryError

----

I then patched the line before the loop to print 'count' and this was the 
output:

count is 253755392

Obviously that seems off, but I didn't look further. I didn't get to investigate yet 
if sockets and connections use the same info (which would explain the infinite 
loop if they did), but will update after I get to look into it.

Original issue reported on code.google.com by atc...@gmail.com on 15 Feb 2011 at 4:48
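The failure above comes from a count field read straight out of the memory image and then fed to a loop without any bound. The following is an added illustrative example, not Volatility's own code: a count-prefixed table parser that checks the count against the bytes that actually follow it (and against a sane ceiling) before iterating. The record layout (u32 count, then u32 pid / u16 port / u16 proto records) and MAX_SANE_COUNT are assumptions made for the example; the sample images are constructed inline.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical layout, NOT Volatility's real socket table:
# u32 count, followed by `count` records of u32 pid, u16 port, u16 proto.
ENTRY = struct.Struct("<IHH")
MAX_SANE_COUNT = 65536  # assumed ceiling; a count above this is garbage


@dataclass(frozen=True)
class SocketEntry:
    pid: int
    port: int
    proto: int


def plausible(count: int, available: int) -> bool:
    """True if `count` records of ENTRY.size bytes can fit in `available` bytes."""
    return count <= MAX_SANE_COUNT and count * ENTRY.size <= available


def parse_socket_table(image: bytes, offset: int) -> List[SocketEntry]:
    """Parse a count-prefixed table, refusing counts the buffer cannot hold.

    A count taken from a memory image is untrusted data: iterating
    range(count) without a bound is what produced the MemoryError above.
    """
    if offset < 0 or offset + 4 > len(image):
        raise ValueError("table header lies outside the image")
    (count,) = struct.unpack_from("<I", image, offset)
    available = len(image) - offset - 4
    if not plausible(count, available):
        raise ValueError(f"implausible count {count}; only {available} bytes follow")
    entries = []
    for i in range(count):
        pid, port, proto = ENTRY.unpack_from(image, offset + 4 + i * ENTRY.size)
        entries.append(SocketEntry(pid, port, proto))
    return entries


def build_table(entries: List[SocketEntry], count_override: Optional[int] = None) -> bytes:
    """Constructed sample image: header count (optionally bogus) plus records."""
    count = len(entries) if count_override is None else count_override
    body = b"".join(ENTRY.pack(e.pid, e.port, e.proto) for e in entries)
    return struct.pack("<I", count) + body


if __name__ == "__main__":
    good = build_table([SocketEntry(4, 445, 6), SocketEntry(1234, 53, 17)])
    print(parse_socket_table(good, 0))
    bad = build_table([SocketEntry(4, 445, 6)], count_override=253755392)
    try:
        parse_socket_table(bad, 0)
    except ValueError as exc:
        print("rejected:", exc)
```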

GoogleCodeExporter commented 8 years ago
Alright, this seems to dive into some hardcoded stuff in win32\network.py that I 
think I remember broke Vista/7.. will leave it alone for now

Original comment by atc...@gmail.com on 15 Feb 2011 at 4:52

GoogleCodeExporter commented 8 years ago
Ok, I've updated the documentation in r781.  The rest of this is really issue 
67, so marking as a duplicate.

Original comment by mike.auty@gmail.com on 15 Feb 2011 at 9:36

GoogleCodeExporter commented 8 years ago
I know this is closed, but I'm just going to leave one comment:

Since Windows 2008 is related to Vista, you should use the "netscan" command 
and not "connections" or "sockets".  Sorry... I forgot to let everyone know 
about that....

Original comment by jamie.l...@gmail.com on 15 Feb 2011 at 2:02