ksanchezcld / volatility

Automatically exported from code.google.com/p/volatility
GNU General Public License v2.0

duplicate offset reported in sockets command #258

Closed GoogleCodeExporter closed 9 years ago

GoogleCodeExporter commented 9 years ago
In Volatility 2.0 I noticed something strange:

$ python vol.py -f ~/Desktop/memory/zeroaccess.vmem sockets
Volatile Systems Volatility Framework 2.0
 Offset(V)  PID    Port   Proto               Address        Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x81dc2008    680    500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x82061c08      4    445      6 TCP            0.0.0.0            2010-10-29 17:08:53
0x82294aa8    940    135      6 TCP            0.0.0.0            2010-10-29 17:08:55
0x821a5008    188   1025      6 TCP            127.0.0.1          2010-10-29 17:09:09
0x81cb3d70   1080   1141     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81da4d18    680      0    255 Reserved       0.0.0.0            2010-10-29 17:09:05
0x81da4d18   1032    123     17 UDP            127.0.0.1          2011-10-13 04:26:19
0x81c79778   1080   1142     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81fdbe98   1200   1900     17 UDP            127.0.0.1          2011-10-13 04:26:19
0x82060008    680   4500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x81cb9e98   1580   5152      6 TCP            127.0.0.1          2010-10-29 17:09:05
0x81cb9e98      4    445     17 UDP            0.0.0.0            2010-10-29 17:08:53

You can see the last two objects both have a virtual offset of 0x81cb9e98, but they're different. If you use the --physical option to print physical offsets, you'll see they have the same physical offset also...which is just not possible.

In the current branch, you don't see this duplication, but it's because our duplicate-prevention patch in Issue #224 is preventing it:

$ python vol.py -f ~/Desktop/memory/zeroaccess.vmem sockets
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  PID    Port   Proto               Address        Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x81dc2008    680    500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x82061c08      4    445      6 TCP            0.0.0.0            2010-10-29 17:08:53
0x82294aa8    940    135      6 TCP            0.0.0.0            2010-10-29 17:08:55
0x821a5008    188   1025      6 TCP            127.0.0.1          2010-10-29 17:09:09
0x81cb3d70   1080   1141     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81da4d18    680      0    255 Reserved       0.0.0.0            2010-10-29 17:09:05
0x81c79778   1080   1142     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81fdbe98   1200   1900     17 UDP            127.0.0.1          2011-10-13 04:26:19
0x82060008    680   4500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x81cb9e98   1580   5152      6 TCP            127.0.0.1          2010-10-29 17:09:05

If I revert the duplicate-prevention patch, and then add a .dereference() line 
as shown below, then I get the full output *and* the correct offsets for the 
last two objects: 

Index: volatility/win32/network.py
===================================================================
--- volatility/win32/network.py (revision 1707)
+++ volatility/win32/network.py (working copy)
@@ -207,4 +207,4 @@
                             while sock.is_valid() and sock.obj_offset not in seen:
                                 yield sock
                                 seen.add(sock.obj_offset)
-                                sock = sock.Next
+                                sock = sock.Next.dereference()
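Review bot: the `seen` check compares `sock.obj_offset`, but after `sock = sock.Next` the loop variable is the Next pointer member rather than the object it points at, so `obj_offset` is the address of that member inside the previous object; the output above shows it coinciding with the previous entry's offset, which is consistent with Next being the first member, and it is exactly why the duplicate-prevention set from Issue #224 drops the second entry of each chain. `sock.Next.dereference()` makes `obj_offset` the target's address, which is the right key for `seen`. One thing to confirm before landing: a NULL Next must dereference to an object whose `is_valid()` is False, otherwise the walk no longer stops at the end of a chain.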

Here is the output now:

$ python vol.py -f ~/Desktop/memory/zeroaccess.vmem sockets
Volatile Systems Volatility Framework 2.1_alpha
 Offset(V)  PID    Port   Proto               Address        Create Time
---------- ------ ------ ------------------- -------------- --------------------------
0x81dc2008    680    500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x82061c08      4    445      6 TCP            0.0.0.0            2010-10-29 17:08:53
0x82294aa8    940    135      6 TCP            0.0.0.0            2010-10-29 17:08:55
0x821a5008    188   1025      6 TCP            127.0.0.1          2010-10-29 17:09:09
0x81cb3d70   1080   1141     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81da4d18    680      0    255 Reserved       0.0.0.0            2010-10-29 17:09:05
0x821b7d58   1032    123     17 UDP            127.0.0.1          2011-10-13 04:26:19
0x81c79778   1080   1142     17 UDP            0.0.0.0            2010-10-31 16:36:16
0x81fdbe98   1200   1900     17 UDP            127.0.0.1          2011-10-13 04:26:19
0x82060008    680   4500     17 UDP            0.0.0.0            2010-10-29 17:09:05
0x81cb9e98   1580   5152      6 TCP            127.0.0.1          2010-10-29 17:09:05
0x81da54b0      4    445     17 UDP            0.0.0.0            2010-10-29 17:08:53

Also note we may want to dereference the connection pointers also, so a more 
complete patch would be: 

Index: volatility/win32/network.py
===================================================================
--- volatility/win32/network.py (revision 1707)
+++ volatility/win32/network.py (working copy)
@@ -168,7 +168,7 @@
                             while conn.is_valid() and conn.obj_offset not in seen:
                                 yield conn
                                 seen.add(conn.obj_offset)
-                                conn = conn.Next
+                                conn = conn.Next.dereference()

 def determine_sockets(addr_space):
     """Determines all sockets for each module"""
@@ -207,4 +207,4 @@
                             while sock.is_valid() and sock.obj_offset not in seen:
                                 yield sock
                                 seen.add(sock.obj_offset)
-                                sock = sock.Next
+                                sock = sock.Next.dereference()

Can anyone see anything negative by dereferencing the pointers like this 
instead of just using sock.Next or conn.Next?

Original issue reported on code.google.com by michael.hale@gmail.com on 16 May 2012 at 1:53
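As an added example (a constructed model, not Volatility's code), the loop from the patches above run against a three-record chain in a fake memory image. It assumes the Volatility 2.x object semantics the symptom points to: a Pointer member's obj_offset is the address of the pointer itself while other attribute access auto-dereferences, and Next is the first member of the socket object; the names Socket, Pointer, NoneObject, build_memory and walk_sockets are all invented for the model.

```python
import struct
# Constructed model, not Volatility's own code: a 32-bit "memory" of fixed-size
# socket records whose first member (offset 0) is the Next pointer (assumption).
BASE, RECORD_SIZE = 0x1000, 16

def build_memory():
    # constructed chain of three records: 0x1000 -> 0x1010 -> 0x1020 -> NULL
    data = bytearray(3 * RECORD_SIZE)
    for addr, nxt, port in ((0x1000, 0x1010, 445), (0x1010, 0x1020, 135), (0x1020, 0, 5152)):
        struct.pack_into("<IH", data, addr - BASE, nxt, port)  # u32 Next, u16 Port
    return data

def read(mem, fmt, addr):
    return struct.unpack_from(fmt, mem, addr - BASE)[0]
class NoneObject:
    obj_offset = None                  # what a NULL pointer dereferences to
    def is_valid(self):
        return False

class Socket:
    def __init__(self, mem, obj_offset):  # obj_offset: address of the record
        self.mem, self.obj_offset = mem, obj_offset
    def is_valid(self):
        return BASE <= self.obj_offset < BASE + len(self.mem)
    @property
    def Port(self):
        return read(self.mem, "<H", self.obj_offset + 4)
    @property
    def Next(self):
        return Pointer(self.mem, self.obj_offset)  # Next member sits at offset 0

class Pointer:
    def __init__(self, mem, obj_offset):  # obj_offset: address of the POINTER, not its target
        self.mem, self.obj_offset = mem, obj_offset
    def is_valid(self):
        return read(self.mem, "<I", self.obj_offset) != 0
    def dereference(self):
        target = read(self.mem, "<I", self.obj_offset)
        return Socket(self.mem, target) if target else NoneObject()
    def __getattr__(self, name):          # any other attribute auto-dereferences
        return getattr(self.dereference(), name)

def walk_sockets(mem, deref, dedupe):
    # same loop shape as the issue's patch; returns (obj_offset, Port) per entry
    seen, out, sock = set(), [], Socket(mem, BASE)
    while sock.is_valid() and not (dedupe and sock.obj_offset in seen):
        out.append((sock.obj_offset, sock.Port))
        seen.add(sock.obj_offset)
        sock = sock.Next.dereference() if deref else sock.Next
    return out
```

With deref=False and dedupe=False the second entry reports the first record's offset (the 2.0 symptom); with dedupe=True the chain stops after one entry (the 2.1 symptom); with deref=True all three records come back with their real offsets.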

GoogleCodeExporter commented 9 years ago
sorry for the spam, just updating the milestone

Original comment by michael.hale@gmail.com on 16 May 2012 at 2:14

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1710.

Original comment by michael.hale@gmail.com on 16 May 2012 at 4:37

GoogleCodeExporter commented 9 years ago
Great work!  Finding, filing, fixing and finishing a bug in the space of three 
hours!  Keep it up, you're on a roll!  5:)

Original comment by mike.auty@gmail.com on 16 May 2012 at 8:44

GoogleCodeExporter commented 9 years ago
This issue was closed by revision r1722.

Original comment by mike.auty@gmail.com on 18 May 2012 at 10:15