ufrisk / MemProcFS

MemProcFS
GNU Affero General Public License v3.0

Python API vmm.maps.net error #201

Closed porteybattey closed 10 months ago

porteybattey commented 11 months ago

Hello, First of all, thank you for your genius work !

I realized that there was a bug in this function (vmm.maps.net()) by seeing destination IPs being the same as source IPs (when IPs are found, of course). I know that they are not the same in reality, and especially in the netstat-v files of the VFS, the correct destination IP is found. This error concerns all processes and it is the same using the FPGA or on live memory using WinPmem.

Thank you in advance for your answer, and have a great day !

ufrisk commented 11 months ago

Many thanks for this bug report.

I'm in the midst of coding some larger updates (ARM64 support) so I'll include this fix for this in that update. It may be a few weeks off still before I do it.

Meanwhile, as a workaround, you could use the VFS files from Python.

Apologies for the inconvenience.

porteybattey commented 11 months ago

Thank you a lot for your answer. Your updates seem to be really interesting ! :)

I was planning to use the VFS as a workaround, but if there is a way to read it in the EPROCESS it would be great. Do you know if net map info is kept in the handle table as if they were socket handles ? I'll use the VFS for now and I'll dig into another workaround also ^^

Thanks again and have a great day ! :)

ufrisk commented 11 months ago

Networking info is mostly kept inside tcpip.sys and related pool entries. It's not in handle table.

About reading the EPROCESS. Retrieve the base address of the EPROCESS from the process info (I assume you already did this). Then read it from the virtual memory of PID 4 (SYSTEM).
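The workaround suggested earlier in this thread (read the VFS netstat text from Python instead of trusting `vmm.maps.net()`) can be turned into a consistency check that would have caught the reported symptom (destination copied from source) automatically. The block below is an added example, not MemProcFS project code: the column layout of the netstat text, the VFS path `/sys/net/netstat-v.txt`, the `memprocfs.Vmm(...)` / `vmm.vfs.read(...)` calls and the dictionary keys of `vmm.maps.net()` entries are all assumptions, and the sample lines are constructed so the parser and the cross-check run offline.

```python
"""Cross-check MemProcFS network-map entries against the VFS netstat text.

Added example, not MemProcFS project code. The netstat column layout, the VFS
path, the memprocfs API calls and the vmm.maps.net() entry keys used here are
ASSUMPTIONS; adjust them to the real output on your build.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample resembling a netstat-style VFS dump (layout is an assumption).
SAMPLE_NETSTAT = """\
   # PID     Proto  State        Src                    Dst                    Process
0000    4     TCPv4  LISTEN       0.0.0.0:135            0.0.0.0:0              System
0001 1234     TCPv4  ESTABLISHED  10.0.0.5:49712         93.184.216.34:443      chrome.exe
0002 1234     UDPv4  -            10.0.0.5:54321         *:*                    chrome.exe
"""

# Constructed sample of what vmm.maps.net() returned while the bug from this
# issue was present: the destination endpoint duplicated the source endpoint.
SAMPLE_BUGGY_NETMAP: List[Dict[str, object]] = [
    {"pid": 1234, "proto": "TCPv4", "state": "ESTABLISHED",
     "src": "10.0.0.5:49712", "dst": "10.0.0.5:49712"},
]

# One row: index, pid, protocol, state, src endpoint, dst endpoint, process name.
LINE_RE = re.compile(
    r"^\s*(?P<idx>\d+)\s+(?P<pid>\d+)\s+(?P<proto>\S+)\s+(?P<state>\S+)\s+"
    r"(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<proc>.+?)\s*$"
)


def parse_netstat(text: str) -> List[Dict[str, object]]:
    """Parse netstat-style rows; header and non-matching lines are skipped."""
    entries: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        entries.append({
            "pid": int(m["pid"]), "proto": m["proto"], "state": m["state"],
            "src": m["src"], "dst": m["dst"], "process": m["proc"],
        })
    return entries


def split_endpoint(endpoint: str) -> Tuple[str, str]:
    """Split 'ip:port' into (ip, port); handles '*:*' and bracketed IPv6 '[::1]:80'."""
    host, _, port = endpoint.rpartition(":")
    return host.strip("[]"), port


def cross_check(api_entries: List[Dict[str, object]],
                vfs_entries: List[Dict[str, object]]) -> List[Tuple[int, str, str, str]]:
    """Return (pid, src, api_dst, vfs_dst) for connections where the API and the
    VFS text disagree on the destination. Matching key: pid + proto + src."""
    index = {(e["pid"], e["proto"], e["src"]): e["dst"] for e in vfs_entries}
    mismatches = []
    for e in api_entries:
        vfs_dst = index.get((e["pid"], e["proto"], e["src"]))
        if vfs_dst is not None and vfs_dst != e["dst"]:
            mismatches.append((int(e["pid"]), str(e["src"]), str(e["dst"]), str(vfs_dst)))
    return mismatches


def load_vfs_netstat(vmm, path: str = "/sys/net/netstat-v.txt",
                     max_len: int = 0x1000000) -> Optional[str]:
    """Read the netstat text through the VFS API (path and call signature are
    assumptions). Returns None when the memprocfs module or the file is unavailable."""
    try:
        data = vmm.vfs.read(path, max_len, 0)
    except Exception:
        return None
    return data.decode("utf-8", errors="replace") if data else None


def live_check(device_args: List[str]) -> List[Tuple[int, str, str, str]]:
    """Run the cross-check on a live acquisition, e.g. device_args=['-device', 'fpga']."""
    import memprocfs  # assumed module name; only needed on a real target
    vmm = memprocfs.Vmm(device_args)
    text = load_vfs_netstat(vmm)
    return cross_check(vmm.maps.net(), parse_netstat(text)) if text else []


if __name__ == "__main__":
    # Offline demonstration on the constructed samples above.
    vfs = parse_netstat(SAMPLE_NETSTAT)
    for pid, src, api_dst, vfs_dst in cross_check(SAMPLE_BUGGY_NETMAP, vfs):
        print(f"pid {pid} {src}: API dst {api_dst} != VFS dst {vfs_dst}")
```

Keying the comparison on pid, protocol and source endpoint means a mismatch reports exactly the duplicated-destination symptom described in the bug report, while loopback connections (where source and destination IP legitimately coincide) are not flagged on their own.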

ufrisk commented 10 months ago

This should now be resolved. Many thanks for reporting and best wishes with your memory analysis project :)

porteybattey commented 10 months ago

Yes this is solved, thank you very much for this ! :) By the way, you said that TCP/IP info is held in the pool entries; what about raw sockets, or sockets at all ? As on Windows sockets give handles, why aren't they in the handle table kept by the EPROCESS ?

Thank you anyway and have a great week !

ufrisk commented 10 months ago

Awesome to see it works and thanks for confirming 👍

I've not looked into raw sockets. It's not supported at the moment. I'd have to add them in the future if needed.

My best guess is that they exist as pool allocations as well, but possibly not as handles in the handle table. But I have not researched this so I don't know...

porteybattey commented 10 months ago

Thank you for the information, I might do some research too. If I find out how they are managed I'll comment on this post. Have a great day :)