volatility3
Are old versions of windows supported by the Network Plugins?
Describe the bug
File under test: https://www.jonrajewski.com/data/Malware/stuxnet.vmem.zip
Note: With this file and Volatility2 I was using the arg --profile=WinXPSP3x86 and the sockets command.
Most Volatility3 commands are working with this file, but for the netstat and netscan commands I'm getting an error that the version of Windows is not supported. I would still like to be able to see TCP/UDP connections with this file using Volatility3.
Context
Volatility Version: Volatility 3 Framework 1.1.1
Operating System: Kali 2021.2 - Linux kali 5.10.0-kali9-cloud-amd64 #1 SMP Debian 5.10.46-1kali1 (2021-06-25) x86_64 GNU/Linux
Python Version: Python 3.9.2
Suspected Operating System: WinXPSP3x86
Command: python3 vol.py -f stuxnet.vmem windows.netstat.NetStat
To Reproduce
Steps to reproduce the behavior:
- Download vmem file from the link above
- Run the command: python3 vol.py -f stuxnet.vmem windows.netstat.NetStat
- See error:
File "/root/volatility3/volatility3/framework/plugins/windows/netscan.py", line 217, in determine_tcpip_version
    raise NotImplementedError("This version of Windows is not supported: {}.{} {}.{}!".format(
NotImplementedError: This version of Windows is not supported: 5.1 15.2600!
Expected behavior
Expected output similar to the "sockets" command from Volatility2: TCP/UDP/port connection info etc.
Looks like one for @japhlange, if he can help?
Windows XP handles network connections differently than Vista onwards. Vol2 has 4 different plugins for network objects in XP (https://github.com/volatilityfoundation/volatility/wiki/Command-Reference#networking) incorporating different approaches.
When porting netscan to vol3 I made the deliberate decision not to include XP support to keep down complexity. As I'm not sure if it would be worth extending netscan for XP's structures I think the best solution would be for someone™ to port over vol2's plugins. Unfortunately I don't think I'll be able to do that in the short-term :/
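A pre-flight check for the situation described in the two comments above, as an added example written for this thread (it is not volatility3 or Volatility 2 code). It parses the text that `vol.py -f <image> windows.info` prints, applies the rule the maintainer states (the vol3 network plugins target the Vista-onwards, NT 6.0+ TCP/IP structures and raise NotImplementedError for NT 5.x), and for an XP image hands back the four Volatility 2 plugins with a guessed profile. Assumptions: the row names NtMajorVersion, NtMinorVersion, CSDVersion and Is64Bit are those printed by windows.info in the 2.x series; the sample info text is constructed to match the "5.1 15.2600" error in the report, not captured output; and the vol2 profile guess only covers 32-bit XP SP2/SP3.

```python
"""Pre-flight check before running volatility3's windows.netscan / windows.netstat.

Added example for this issue thread, not volatility3 or Volatility 2 code. Row names
(NtMajorVersion, NtMinorVersion, CSDVersion, Is64Bit) are assumed to match the
windows.info output table of the 2.x series.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample of windows.info output for an XP SP3 x86 image. Values are
# chosen to match the reported error "5.1 15.2600"; this is not captured tool output.
SAMPLE_INFO = """\
Volatility 3 Framework 2.3.0

Variable\tValue

Kernel Base\t0x804d7000
DTB\t0x319000
Is64Bit\tFalse
IsPAE\tTrue
NTBuildLab\t2600.xpsp.080413-2111
CSDVersion\t3
Major/Minor\t15.2600
MachineType\t332
NtProductType\tNtProductWinNt
NtMajorVersion\t5
NtMinorVersion\t1
"""

# Matches the message raised by netscan.determine_tcpip_version, as quoted in the issue.
UNSUPPORTED_RE = re.compile(r"not supported: (\d+)\.(\d+) (\d+)\.(\d+)!")


def parse_info(text: str) -> Dict[str, str]:
    """Turn the tab-separated 'Variable / Value' rows of windows.info into a dict."""
    rows: Dict[str, str] = {}
    for line in text.splitlines():
        key, sep, value = line.partition("\t")
        if sep and key.strip() and key.strip() != "Variable":
            rows[key.strip()] = value.strip()
    return rows


def nt_version(rows: Dict[str, str]) -> Tuple[int, int]:
    """(NtMajorVersion, NtMinorVersion) as integers, e.g. (5, 1) for XP."""
    return int(rows["NtMajorVersion"]), int(rows["NtMinorVersion"])


def netscan_supported(major: int, minor: int) -> bool:
    """Rule from the thread: NT 5.x (XP, Server 2003) is rejected, NT 6.0+ is what the
    plugins were written for. A 6.0+ image can still fail for other reasons (see the
    Server 2008 report later in the thread), so this is a necessary, not sufficient, check."""
    return (major, minor) >= (6, 0)


def parse_unsupported_error(message: str) -> Optional[Tuple[int, int]]:
    """Pull the NT major/minor out of the NotImplementedError text, or None if the
    message is some other error."""
    m = UNSUPPORTED_RE.search(message)
    return (int(m.group(1)), int(m.group(2))) if m else None


def vol2_profile(rows: Dict[str, str]) -> Optional[str]:
    """Guess the Volatility 2 profile for a 32-bit XP image (WinXPSP2x86 / WinXPSP3x86
    are the XP x86 profiles vol2 ships). Anything else returns None rather than
    inventing a profile name; use kdbgscan in vol2 to pick one in that case."""
    csd = rows.get("CSDVersion")
    if nt_version(rows) == (5, 1) and rows.get("Is64Bit") == "False" and csd in ("2", "3"):
        return f"WinXPSP{csd}x86"
    return None


def recommend(image: str, rows: Dict[str, str]) -> List[str]:
    """Commands to run for network artefacts, given the parsed windows.info rows."""
    major, minor = nt_version(rows)
    if netscan_supported(major, minor):
        return [f"python3 vol.py -f {image} windows.{p}" for p in ("netscan", "netstat")]
    profile = vol2_profile(rows)
    profile_arg = f"--profile={profile}" if profile else "--profile=<pick from kdbgscan>"
    # Volatility 2's four XP-era network plugins, as listed in the maintainer's comment.
    return [f"python2 vol.py -f {image} {profile_arg} {p}"
            for p in ("connections", "connscan", "sockets", "sockscan")]


if __name__ == "__main__":
    rows = parse_info(SAMPLE_INFO)
    print("NT version:", nt_version(rows))
    for cmd in recommend("stuxnet.vmem", rows):
        print(cmd)
```

Run it against real output by piping `vol.py -f <image> windows.info` into parse_info instead of SAMPLE_INFO; the version gate is deliberately the one the thread describes and nothing finer, so a 6.x image that still errors out needs the plugin's own traceback, not this check.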
Thanks for the answer @japhlange. I'm afraid XP is unsupported for the foreseeable future then @jcunning6. I'm going to mark this as a question instead, but not close it so people can find it if they go looking...
No worries, thank you for the info and the updates. I appreciate y'all looking into it!
Didn't want to create a new issue because I had something similar happen to me on a Windows Server 2008.
Attached file with output after running:
python ~/volatility3/vol.py -vvv -f memdump.mem windows.netstat
I got the memory file from here:
https://samsclass.info/121/proj/memdump.7z
I'm running:
Python 3.10.5
Linux kali 5.18.0-kali5-amd64 #1 SMP PREEMPT_DYNAMIC Debian 5.18.5-1kali5 (2022-07-04) x86_64 GNU/Linux
Volatility 3 Framework 2.3.0
Cheers!
Hi everyone! I encountered the same error. @jcunning6 did you manage to solve your problem?
No, I still have the same problem. Only older versions of Windows (i.e. Win10 1503...) are supported by the network plugins. Let me know if you hear otherwise.
On Sun, Aug 27, 2023 at 11:33 AM Sergey Ermolov wrote:
> Hi everyone! I encountered the same error. @jcunning6 did you manage to solve your problem?