volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

Network connectivity? #1007

Closed djhons closed 1 year ago

djhons commented 1 year ago

When I use pyinstaller to package my code into vol.exe, it cannot be run without an internet connection. However, when connected to the internet, the program accesses blob.satxxxxa.trafficmanager.net and a-0016.a-msedge.net and downloads some files. What is the purpose of these two addresses? I couldn't find them in the source code. Where are the downloaded files stored?

eve-mem commented 1 year ago

Interesting. If it is anything from vol itself, I'd imagine it will be related to automatically attempting to download Windows symbols from Microsoft. Does this happen when you try and use a Linux plugin?

ikelos commented 1 year ago

Also, are you making use of the --offline flag to ensure volatility does not attempt to contact the internet?

The only time volatility will connect to the internet is when analysing a Windows image that it does not already have a suitable JSON ISF file for (or when the URL you provide for an image is on the internet). The servers it accesses should only be Microsoft debug servers, although these may be spread across a Content Delivery Network (hence the unusual addresses)...

On Wed, 27 Sept 2023, 09:57 Eve, @.***> wrote:

Interesting. If it is anything from vol itself, I'd imagine it will be related to automatically attempting to download Windows symbols from Microsoft. Does this happen when you try and use a Linux plugin?


djhons commented 1 year ago

Interesting. If it is anything from vol itself, I'd imagine it will be related to automatically attempting to download Windows symbols from Microsoft. Does this happen when you try and use a Linux plugin?

Yes, it is indeed a download of Windows symbol files. The traffic generated by downloading the file again is only 50kb, but it was 4.5MB before; maybe it was downloaded many times.

eve-mem commented 1 year ago

I wouldn't expect vol to download symbols more than once, it should use the local JSON it's downloaded.

Don't forget the offline option that @ikelos highlighted too.

Now you know what's happening do you still think this is an issue or can this one be closed now?
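To check the point made above, that symbols should be fetched once and then served from the local JSON, here is an added example (not code from the issue or from the volatility3 project) that inventories a symbol directory and flags PDB identities that appear more than once. It assumes Windows ISF files carry their PDB identity under `metadata.windows.pdb`, and the sample tree it builds is constructed, not real symbols.

```python
import json
import lzma
import tempfile
from pathlib import Path

# Assumption: Windows ISF files record the PDB they were built from under
# metadata.windows.pdb (GUID, age, database). Not taken from the issue text.
def isf_pdb_identity(path):
    """Return (database, GUID, age) for one ISF file, or None if it has no Windows PDB metadata."""
    opener = lzma.open if path.suffix == ".xz" else open
    with opener(path, "rb") as fh:
        data = json.load(fh)
    pdb = data.get("metadata", {}).get("windows", {}).get("pdb")
    if not pdb:
        return None
    return (pdb["database"], pdb["GUID"].upper(), int(pdb["age"]))

def inventory_symbol_dir(symbol_dir):
    """Collect every Windows ISF (.json or .json.xz) under symbol_dir with its identity and size."""
    found = []
    for path in sorted(Path(symbol_dir).rglob("*.json*")):
        if path.suffix not in (".json", ".xz"):
            continue
        ident = isf_pdb_identity(path)
        if ident:
            found.append((*ident, path.stat().st_size))
    return found

def duplicate_identities(entries):
    """PDB identities stored more than once: a sign the same symbols were downloaded repeatedly."""
    counts = {}
    for database, guid, age, _size in entries:
        counts[(database, guid, age)] = counts.get((database, guid, age), 0) + 1
    return sorted(key for key, n in counts.items() if n > 1)

def build_sample_symbol_dir():
    """Constructed sample tree: one plain ISF and an xz-compressed copy of the same PDB identity."""
    root = Path(tempfile.mkdtemp(prefix="isf-sample-"))
    isf = {"metadata": {"format": "6.2.0",
                        "windows": {"pdb": {"GUID": "0123456789ABCDEF0123456789ABCDEF",
                                            "age": 1, "database": "ntkrnlmp.pdb"}}},
           "symbols": {}, "user_types": {}, "base_types": {}, "enums": {}}
    sub = root / "windows" / "ntkrnlmp.pdb"
    sub.mkdir(parents=True)
    (sub / "0123456789ABCDEF0123456789ABCDEF-1.json").write_text(json.dumps(isf))
    with lzma.open(sub / "copy-1.json.xz", "wt") as fh:
        json.dump(isf, fh)
    return root

if __name__ == "__main__":
    entries = inventory_symbol_dir(build_sample_symbol_dir())
    for entry in entries:
        print(entry)
    print("duplicates:", duplicate_identities(entries))
```

Point `inventory_symbol_dir` at your own symbol directory (or the one passed with `-s`) to see what vol has cached; an empty `duplicate_identities` result means each PDB was stored once.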