volatilityfoundation / volatility3

Volatility 3.0 development
http://volatilityfoundation.org/

windows.netstat.NetStat crashes Volatility #490

Closed dfirnewbie closed 9 months ago

dfirnewbie commented 3 years ago

Describe the bug
When running the plugin windows.netstat.NetStat, Volatility crashed

Context
Volatility Version: Volatility 3 Framework 1.0.1
Operating System: Windows 7 Enterprise SP1
Python Version: 3.8.9
Suspected Operating System: Windows Server 2019 Standard, Release 1809
Command: python vol.py -f "C:\Users\IEUser\Desktop\work\server.dmp" windows.netstat.NetStat > "C:\Users\IEUser\Desktop\work\server-mem-netstat.txt"

To Reproduce
Run the above command

Expected behavior
No errors?

Additional information
-vvv log below.

21-04-12 10:47:07 volatility3.cli INFO     Logging started
21-04-12 10:47:07 volatility3.cli INFO     Volatility plugins path: ['C:\\Users\\IEUser\\Desktop\\tools\\volatility3-develop\\volatility3\\plugins', 'C:\\Users\\IEUser\\Desktop\\tools\\volatility3-develop\\volatility3\\framework\\plugins']
21-04-12 10:47:07 volatility3.cli INFO     Volatility symbols path: ['C:\\Users\\IEUser\\Desktop\\tools\\volatility3-develop\\volatility3\\symbols', 'C:\\Users\\IEUser\\Desktop\\tools\\volatility3-develop\\volatility3\\framework\\symbols']
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\plugins, C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\plugins
21-04-12 10:47:07 volatility3.plugins.yarascan INFO     Python Yara module not found, plugin (and dependent plugins) not available
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'yara'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.yarascan based on file: yarascan
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'Crypto'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.cachedump based on file: windows\cachedump
21-04-12 10:47:07 volatility3.plugins.yarascan INFO     Python Yara module not found, plugin (and dependent plugins) not available
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'yara'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.callbacks based on file: windows\callbacks
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'Crypto'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.hashdump based on file: windows\hashdump
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'Crypto'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.lsadump based on file: windows\lsadump
21-04-12 10:47:07 volatility3.plugins.yarascan INFO     Python Yara module not found, plugin (and dependent plugins) not available
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'yara'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.svcscan based on file: windows\svcscan
21-04-12 10:47:07 volatility3.plugins.yarascan INFO     Python Yara module not found, plugin (and dependent plugins) not available
21-04-12 10:47:07 volatility3.framework DEBUG    No module named 'yara'
21-04-12 10:47:07 volatility3.framework DEBUG    Failed to import module volatility3.plugins.windows.vadyarascan based on file: windows\vadyarascan
21-04-12 10:47:07 volatility3.cli INFO     The following plugins could not be loaded (use -vv to see why): volatility3.plugins.windows.cachedump, volatility3.plugins.windows.callbacks, volatility3.plugins.windows.hashdump, volatility3.plugins.windows.lsadump, volatility3.plugins.windows.svcscan, volatility3.plugins.windows.vadyarascan, volatility3.plugins.yarascan
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\automagic
21-04-12 10:47:07 volatility3.cli Level 7  Cache directory used: C:\Users\IEUser\.cache\volatility3
21-04-12 10:47:07 volatility3.framework.automagic INFO     Detected a windows category plugin
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.automagic INFO     Running automagic: ConstructionMagic
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat.primary
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:07 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat.nt_symbols
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:07 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.automagic INFO     Running automagic: LayerStacker
21-04-12 10:47:07 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:07 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:07 volatility3.framework.layers.resources Level 7  Available URL handlers: HTTPErrorProcessor, HTTPDefaultErrorHandler, HTTPRedirectHandler, ProxyHandler, HTTPBasicAuthHandler, ProxyBasicAuthHandler, HTTPDigestAuthHandler, ProxyDigestAuthHandler, AbstractHTTPHandler, HTTPHandler, HTTPSHandler, HTTPCookieProcessor, UnknownHandler, FileHandler, FTPHandler, CacheFTPHandler, DataHandler, VolatilityHandler, JarHandler
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using Elf64Stacker
21-04-12 10:47:07 volatility3.framework.layers.elf Level 6  Exception: Bad magic 0x45474150 at file offset 0x0
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using LimeStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using QemuStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using WindowsCrashDumpStacker
21-04-12 10:47:07 volatility3.framework.symbols.intermed Level 6  Searching for symbols in C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\symbols, C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\symbols
21-04-12 10:47:07 volatility3.schemas INFO     Dependency for validation unavailable: jsonschema
21-04-12 10:47:07 volatility3.schemas DEBUG    All validations will report success, even with malformed input
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Stacked WindowsCrashDump64Layer using WindowsCrashDumpStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using Elf64Stacker
21-04-12 10:47:07 volatility3.framework.layers.elf Level 6  Exception: Offset 0x0 does not exist within the base layer
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using LimeStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using QemuStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using VmwareStacker
21-04-12 10:47:07 volatility3.framework.automagic.stacker Level 8  Attempting to stack using WindowsIntelStacker
21-04-12 10:47:21 volatility3.framework.automagic.windows DEBUG    Self-referential pointer not in well-known location, moving to recent windows heuristic
21-04-12 10:47:21 volatility3.framework.automagic.windows DEBUG    DTB was found at: 0x1aa000
21-04-12 10:47:21 volatility3.framework.automagic.stacker Level 8  Stacked IntelLayer using WindowsIntelStacker
21-04-12 10:47:21 volatility3.framework.automagic.stacker Level 8  Attempting to stack using Elf64Stacker
21-04-12 10:47:21 volatility3.framework.layers.elf Level 6  Exception: Offset 0x0 does not exist within the base layer
21-04-12 10:47:21 volatility3.framework.automagic.stacker Level 8  Attempting to stack using LimeStacker
21-04-12 10:47:21 volatility3.framework.automagic.stacker Level 8  Attempting to stack using QemuStacker
21-04-12 10:47:21 volatility3.framework.automagic.stacker Level 8  Attempting to stack using VmwareStacker
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary.memory_layer
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  IndexError - No configuration provided: plugins.NetStat.primary.memory_layer.base_layer
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.symbols.intermed Level 6  Searching for symbols in C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\symbols, C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\symbols
21-04-12 10:47:21 volatility3.schemas INFO     Dependency for validation unavailable: jsonschema
21-04-12 10:47:21 volatility3.schemas DEBUG    All validations will report success, even with malformed input
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_virtual_offset requirements only accept int type: None
21-04-12 10:47:21 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_virtual_offset requirements only accept int type: None
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_banner requirements only accept str type: None
21-04-12 10:47:21 volatility3.framework.interfaces.configuration Level 9  TypeError - kernel_banner requirements only accept str type: None
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework.automagic.construct_layers Level 9  Failed on requirement: plugins.NetStat
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework Level 6  Importing from the following paths: C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\layers
21-04-12 10:47:21 volatility3.framework.automagic.stacker DEBUG    Stacked layers: ['IntelLayer', 'WindowsCrashDump64Layer', 'FileLayer']
21-04-12 10:47:21 volatility3.framework.automagic INFO     Running automagic: WinSwapLayers
21-04-12 10:47:21 volatility3.framework.automagic INFO     Running automagic: WintelHelper
21-04-12 10:47:21 volatility3.framework.automagic INFO     Running automagic: KernelPDBScanner
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework.configuration.requirements Level 9  Symbol table requirement not yet fulfilled: plugins.NetStat.nt_symbols
21-04-12 10:47:21 volatility3.framework.automagic.pdbscan DEBUG    Kernel base determination - searching layer module list structure
21-04-12 10:47:22 volatility3.framework.symbols.intermed Level 6  Searching for symbols in C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\symbols, C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\symbols
21-04-12 10:47:22 volatility3.framework.symbols.windows.pdbutil DEBUG    Using symbol library: ntkrnlmp.pdb\DA1ED65E6D57F5D4114DF3407DD0EDFE-1
21-04-12 10:47:22 volatility3.schemas INFO     Dependency for validation unavailable: jsonschema
21-04-12 10:47:22 volatility3.schemas DEBUG    All validations will report success, even with malformed input
21-04-12 10:47:22 volatility3.framework.automagic.pdbscan DEBUG    Setting kernel_virtual_offset to 0xf8060be1b000
21-04-12 10:47:22 volatility3.framework.symbols.windows.versions Level 7  Windows PE version data is not available
21-04-12 10:47:22 volatility3.plugins.windows.netscan DEBUG    Determined OS Version: 10.0 15.17763
21-04-12 10:47:22 volatility3.plugins.windows.netscan DEBUG    Determined symbol filename: netscan-win10-17763-x64
21-04-12 10:47:22 volatility3.framework.symbols.intermed Level 6  Searching for symbols in C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\symbols, C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\symbols
21-04-12 10:47:22 volatility3.schemas INFO     Dependency for validation unavailable: jsonschema
21-04-12 10:47:22 volatility3.schemas DEBUG    All validations will report success, even with malformed input
21-04-12 10:47:22 volatility3.plugins.windows.netstat DEBUG    Found tcpip.sys image base @ 0xf80f39bb0000
21-04-12 10:47:22 volatility3.cli DEBUG    Traceback (most recent call last):
  File "C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\cli\__init__.py", line 326, in run
    renderers[args.renderer]().render(constructed.run())
  File "C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\cli\text_renderer.py", line 178, in render
    grid.populate(visitor, outfd)
  File "C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\renderers\__init__.py", line 211, in populate
    for (level, item) in self._generator:
  File "C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\plugins\windows\netstat.py", line 427, in _generator
    tcpip_symbol_table = pdbutil.PDBUtility.symbol_table_from_pdb(
  File "C:\Users\IEUser\Desktop\tools\volatility3-develop\volatility3\framework\symbols\windows\pdbutil.py", line 311, in symbol_table_from_pdb
    raise exceptions.VolatilityException(
volatility3.framework.exceptions.VolatilityException: Did not find GUID of tcpip.pdb in module @ 0xf80f39bb0000!

japhlange commented 3 years ago

Heya, I know it's been a while, but is there a chance for you to provide the dump file?

The problem is caused by the plugin not finding the GUID of the symbol file of the tcpip.sys driver, which should normally be detectable.

Running netscan should be working; could you verify that?
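To make the failure in the traceback concrete, here is an added example of the kind of lookup that the "Did not find GUID of tcpip.pdb" message refers to. It is not Volatility's code and not from the issue author: a Windows PE image carries a CodeView "RSDS" debug record holding the PDB GUID, age and file name, and the symbol identifier Volatility logs (the `ntkrnlmp.pdb\DA1ED65E6D57F5D4114DF3407DD0EDFE-1` line above) is that GUID as uppercase hex plus the age. The code below reimplements that parse over a plain byte buffer; Volatility itself reads the module through its memory layers, so the byte search here is an assumption about shape, not its implementation. The sample "image" is constructed, and the GUID in it is copied from the kernel line in the log purely as a sample value.

```python
"""Find the CodeView RSDS record that names a module's PDB and its GUID.

Added example, not Volatility's own code. The RSDS layout used is the
standard CodeView one: 'RSDS' | GUID (16 bytes) | age (u32 LE) | name\\0.
"""
import struct
import uuid
from typing import NamedTuple, Optional

RSDS_MAGIC = b"RSDS"


class CodeViewInfo(NamedTuple):
    offset: int      # where the record starts in the buffer
    guid: uuid.UUID  # PDB GUID as stored in the record
    age: int         # PDB age
    pdb_name: str    # NUL-terminated PDB file name, e.g. "tcpip.pdb"

    @property
    def symbol_id(self) -> str:
        # Symbol-server style id: uppercase GUID hex (no dashes) + "-" + age,
        # the same layout as "DA1ED65E6D57F5D4114DF3407DD0EDFE-1" in the log.
        return f"{self.guid.hex.upper()}-{self.age}"


def parse_rsds(buf: bytes, offset: int) -> Optional[CodeViewInfo]:
    """Parse one RSDS record at `offset`; return None if it is not a valid one."""
    if buf[offset:offset + 4] != RSDS_MAGIC or len(buf) < offset + 24:
        return None  # not a record, or record cut off (e.g. missing/unreadable page)
    raw_guid = buf[offset + 4:offset + 20]
    (age,) = struct.unpack_from("<I", buf, offset + 20)
    end = buf.find(b"\x00", offset + 24)
    if end == -1:
        return None
    try:
        pdb_name = buf[offset + 24:end].decode("ascii")
    except UnicodeDecodeError:
        return None  # "RSDS" occurring by chance in data, not a CodeView record
    if not pdb_name.lower().endswith(".pdb"):
        return None
    # GUIDs are stored in Windows mixed-endian layout, hence bytes_le.
    return CodeViewInfo(offset, uuid.UUID(bytes_le=raw_guid), age, pdb_name)


def find_pdb_guid(module_image: bytes, wanted_pdb: str) -> Optional[CodeViewInfo]:
    """Scan a module image for the RSDS record naming `wanted_pdb` (case-insensitive)."""
    pos = module_image.find(RSDS_MAGIC)
    while pos != -1:
        info = parse_rsds(module_image, pos)
        if info is not None and info.pdb_name.lower() == wanted_pdb.lower():
            return info
        pos = module_image.find(RSDS_MAGIC, pos + 1)
    return None


def build_rsds(guid: uuid.UUID, age: int, pdb_name: str) -> bytes:
    """Build an RSDS record; used here only to construct sample input."""
    return RSDS_MAGIC + guid.bytes_le + struct.pack("<I", age) + pdb_name.encode("ascii") + b"\x00"


# Constructed sample "module image": an MZ header stub, a decoy 'RSDS' inside
# data, then a genuine record for tcpip.pdb. The GUID value is copied from the
# ntkrnlmp line in the issue log purely as a sample value.
SAMPLE_GUID = uuid.UUID("da1ed65e-6d57-f5d4-114d-f3407dd0edfe")
SAMPLE_IMAGE = (
    b"MZ" + b"\x00" * 62
    + b"RSDS" + b"\xff" * 30                 # decoy: no .pdb name follows
    + build_rsds(SAMPLE_GUID, 1, "tcpip.pdb")
    + b"\x00" * 16
)
# Constructed failure case: the record starts but the buffer ends before the
# GUID/age/name, as happens when the page holding it is not in the image.
TRUNCATED_IMAGE = b"\x00" * 8 + b"RSDS" + b"\x11" * 8


def describe(module_image: bytes, wanted_pdb: str) -> str:
    """Human-readable result: '<pdb>\\<GUID-age>' or a not-found message."""
    info = find_pdb_guid(module_image, wanted_pdb)
    if info is None:
        return f"Did not find GUID of {wanted_pdb}"
    return f"{info.pdb_name}\\{info.symbol_id}"


if __name__ == "__main__":
    print(describe(SAMPLE_IMAGE, "tcpip.pdb"))
    print(describe(TRUNCATED_IMAGE, "tcpip.pdb"))
```

The decoy and truncated inputs show the two ways such a lookup reports nothing: bytes that merely look like the signature are rejected by the name check, and a record whose remainder is absent from the image cannot be parsed at all. When triaging a "did not find GUID" result on a real image, checking whether the module's debug directory page is actually present in the capture is the first thing to confirm.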

github-actions[bot] commented 11 months ago

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] commented 9 months ago

This issue was closed because it has been inactive for 60 days since being marked as stale.