UDP addresses/ports update in netscan - Win 18363

Open mikevsunny opened this issue 5 years ago • 0 comments

The netscan plugin no longer works on Windows version 18363: the addresses and ports of listening UDP endpoints are incorrect. Solution: change the offsets in volatility/plugins/overlays/windows/tcpip_vtypes.py.

ATTENTION: I am using the profile Win10x64_18362 (therefore the comparison below is for build >=18362), but the Windows image is from version 18363 (Version 1909 with all updates till 1.12.2020: OS build 18363.1237)! I do not know exactly when (i.e. in which version) this changed.

```python
import volatility.obj as obj


class Win10x64_18363_Tcpip(obj.ProfileModification):
    """TCP Endpoint for version 18363"""

    # Applied on top of the 15063 modification for 64-bit Windows 10 builds >= 18362
    before = ['Win10x64_15063_Tcpip']
    conditions = {'os': lambda x: x == 'windows',
                  'memory_model': lambda x: x == '64bit',
                  'major': lambda x : x == 6,
                  'minor': lambda x : x == 4,
                  'build': lambda x : x >= 18362}

    def modification(self, profile):
        # Corrected _UDP_ENDPOINT field offsets: port (network byte order) and
        # pointer to the local address structure
        profile.merge_overlay({
            '_UDP_ENDPOINT': [ None, {
                'LocalAddr' : [ 0x88, ['pointer', ['_LOCAL_ADDRESS_WIN10_UDP']]],
                'Port' : [ 0x80, ['unsigned be short']],
                }],
            })
```

mikevsunny, Dec 03 '20 07:12
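The overlay in the issue only makes sense if you know how Volatility interprets the type names next to each offset ('unsigned be short' is a big-endian port, 'pointer' is a native 8-byte kernel address) and how an analyst can tell that a profile's offsets have gone stale for a new Windows build. The following is an added, stand-alone example (not code from the issue author or from the Volatility project): it applies the proposed _UDP_ENDPOINT overlay to a constructed buffer with the struct module, shows what a byte-order mistake or a shifted offset produces, and applies the kind of plausibility check (valid port, kernel-space pointer) one would run over real endpoint objects before trusting netscan output on an untested build. The STALE_OVERLAY_EXAMPLE offsets, the sample port and the sample pointer are constructed for illustration and are not the real pre-18362 values.

```python
import struct

# Overlay for _UDP_ENDPOINT in the same shape Volatility 2 uses
# (field -> [offset, [type, ...]]); these are the offsets proposed in the issue.
UDP_ENDPOINT_OVERLAY_18363 = {
    'LocalAddr': [0x88, ['pointer', ['_LOCAL_ADDRESS_WIN10_UDP']]],
    'Port': [0x80, ['unsigned be short']],
}

# Constructed for illustration only: an overlay whose offsets are 8 bytes too low,
# standing in for a stale profile. These are NOT the real pre-18362 offsets.
STALE_OVERLAY_EXAMPLE = {
    'LocalAddr': [0x80, ['pointer', ['_LOCAL_ADDRESS_WIN10_UDP']]],
    'Port': [0x78, ['unsigned be short']],
}

# Lowest canonical kernel-mode address on x64 Windows; a _LOCAL_ADDRESS pointer
# read from a kernel pool object should land at or above it.
KERNEL_SPACE_START = 0xFFFF800000000000


def read_field(buf, offset, vtype):
    """Decode one field the way the overlay's type name says to."""
    kind = vtype[0]
    if kind == 'unsigned be short':
        # The port is stored in network byte order, hence the 'be' in the overlay.
        return struct.unpack_from('>H', buf, offset)[0]
    if kind == 'pointer':
        # 64-bit profile: native little-endian 8-byte pointer.
        return struct.unpack_from('<Q', buf, offset)[0]
    raise ValueError('unsupported vtype: %r' % (kind,))


def parse_udp_endpoint(buf, overlay):
    """Apply an overlay to a raw _UDP_ENDPOINT buffer; returns field -> value."""
    return {name: read_field(buf, off, vt) for name, (off, vt) in overlay.items()}


def is_plausible(fields):
    """Sanity check an analyst wants before trusting netscan on a new build:
    a non-zero port and a LocalAddr that points into kernel space."""
    port_ok = 0 < fields['Port'] <= 0xFFFF
    ptr_ok = KERNEL_SPACE_START <= fields['LocalAddr'] < 2 ** 64
    return port_ok and ptr_ok


def build_sample_endpoint(port, local_addr, size=0xA0):
    """Constructed stand-in for a _UDP_ENDPOINT laid out per the 18363 overlay
    (zero-filled apart from the two fields the overlay describes)."""
    buf = bytearray(size)
    struct.pack_into('>H', buf, UDP_ENDPOINT_OVERLAY_18363['Port'][0], port)
    struct.pack_into('<Q', buf, UDP_ENDPOINT_OVERLAY_18363['LocalAddr'][0], local_addr)
    return bytes(buf)


def port_if_misread_little_endian(buf, overlay):
    """What the port looks like if the 'be' is ignored: the byte-swapped value."""
    return struct.unpack_from('<H', buf, overlay['Port'][0])[0]


if __name__ == '__main__':
    # Constructed sample: DNS port 53 and a made-up kernel-space pointer.
    sample = build_sample_endpoint(53, 0xFFFFAB0123456780)
    good = parse_udp_endpoint(sample, UDP_ENDPOINT_OVERLAY_18363)
    stale = parse_udp_endpoint(sample, STALE_OVERLAY_EXAMPLE)
    print('18363 overlay:', good, 'plausible:', is_plausible(good))
    print('stale overlay:', stale, 'plausible:', is_plausible(stale))
    print('port read as little-endian by mistake:',
          port_if_misread_little_endian(sample, UDP_ENDPOINT_OVERLAY_18363))
```

Running the script shows the two failure modes the report is about: with shifted offsets the port decodes as 0 and LocalAddr as a small non-kernel value, which is exactly the "incorrect addresses and ports" symptom and is caught by is_plausible(); reading the port with the wrong endianness turns 53 into 13568 (0x3500), which is why the overlay type must stay 'unsigned be short'. Against a real dump, the same check can be run over every _UDP_ENDPOINT that netscan finds to confirm a candidate offset set before it is committed to tcpip_vtypes.py.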