volatility3 icon indicating copy to clipboard operation
volatility3 copied to clipboard

Published 20 hours ago verified publisher icon volatilityfoundation

windows.netscan, windows.netstat

Open Deathkon opened this issue 3 years ago • 14 comments

I have been trying to use windows.netscan and windows.netstat but doesn't exist in volatility 3

Deathkon avatar May 30 '22 09:05 Deathkon

Sorry, that's an extremely short description to try and diagnose the problem from? Could you please provide the requested information (notably, the command line you used to run the commands, and the output you got from the commands, when running with at least vol.py -vvv).

ikelos avatar May 30 '22 09:05 ikelos

@Deathkon it does exist, i think you should pull latest develop branch. I have tested both. Netstat worked fine image Netscan sometimes failed or took time, depending the image/os version: image

B4caguilar avatar Jun 02 '22 14:06 B4caguilar

Interesting... I ran netscan with vol2 and netsat with vol3 and vol3 doesn't show the ESTABLISHED connections.

wilsq36 avatar Jun 11 '22 19:06 wilsq36

Sounds like one that @japhlange might know more about?

ikelos avatar Jun 11 '22 21:06 ikelos

@wilsq36 Can you provide more information about the memory image you are looking at?

It is possible that newer Windows versions may have changed their offsets again.

japhlange avatar Jun 11 '22 23:06 japhlange

Hi,

It is somewhat related to this question. When I run the netstat plugin on new versions of Windows (10, 11 and server 2022). It seems like the netstat plugin does not always display the process. Is this normal?

As an example, in the output of netstat listed below, the first connection should be by process rmet.exe (PID 7872) but the process name and PID is now shown.

I have ran the same command again with debug so that you can see that volatility3.framework.symbols.windows.pdbutil previously downloaded tcpip.pdb D17014EA1A4CFE34C871090246252BF7-1 and is using it now. But, I also see that:

DEBUG    volatility3.plugins.windows.netscan: Unable to find exact matching symbol file, going with latest: netscan-win10-19041-x64
DEBUG    volatility3.plugins.windows.netscan: Determined symbol filename: netscan-win10-19041-x64

Is this why the plugin is not able to print the process PIDs and name. Is there a ways to obtain newer json for netscan/netstat? Thank you for your help.

$ vol -f web.vmem windows.netstat
Volatility 3 Framework 2.2.0
Progress:  100.00		PDB scanning finished                          
Offset	Proto	LocalAddr	LocalPort	ForeignAddr	ForeignPort	State	PID	Owner	Created

0xde0df6ef29a0	TCPv4	10.10.1.3	49990	14.16.2.36	31337	ESTABLISHED	-	-	N/A
0xde0df685a260	TCPv4	10.10.1.3	50040	23.78.75.237	443	ESTABLISHED	-	-	N/A
0xde0df12c1cb0	TCPv4	0.0.0.0	80	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df12c1cb0	TCPv6	::	80	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df37f8230	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 
0xde0df37f8230	TCPv6	::	135	::	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 
0xde0df3efe730	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 
0xde0df509f7b0	TCPv4	10.10.1.3	139	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:48.000000 
0xde0df12c19f0	TCPv4	0.0.0.0	445	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df12c19f0	TCPv6	::	445	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df509f390	TCPv4	0.0.0.0	5357	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509f390	TCPv6	::	5357	::	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509f230	TCPv4	0.0.0.0	5985	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509f230	TCPv6	::	5985	::	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509fa70	TCPv4	0.0.0.0	47001	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df509fa70	TCPv6	::	47001	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df3efe5d0	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 
0xde0df3efe5d0	TCPv6	::	49664	::	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 
0xde0df3efe470	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 
0xde0df3eff650	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 
0xde0df3eff650	TCPv6	::	49665	::	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 
0xde0df3eff4f0	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 
0xde0df3eff7b0	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df3eff7b0	TCPv6	::	49666	::	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df3efee10	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df509fd30	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df509fd30	TCPv6	::	49667	::	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df509e1b0	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df509ee10	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 
0xde0df509ee10	TCPv6	::	49668	::	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 
0xde0df509f650	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 
0xde0df509e730	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 
0xde0df509e730	TCPv6	::	49669	::	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 
0xde0df509f4f0	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 
0xde0df548bce0	UDPv4	10.10.1.3	137	*	0		4	System	2022-07-06 16:06:48.000000 
0xde0df548c320	UDPv4	10.10.1.3	138	*	0		4	System	2022-07-06 16:06:48.000000 
0xde0df5291e70	UDPv4	0.0.0.0	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df5291e70	UDPv6	::	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df52927d0	UDPv4	0.0.0.0	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df5a0d620	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0d620	UDPv6	::	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c810	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c810	UDPv6	::	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a08800	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0bd20	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df52916a0	UDPv4	0.0.0.0	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df52916a0	UDPv6	::	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df5292320	UDPv4	0.0.0.0	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df51b1990	UDPv4	0.0.0.0	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df51b1990	UDPv6	::	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df51b0860	UDPv4	0.0.0.0	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df6e94d00	UDPv4	0.0.0.0	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 
0xde0df73226a0	UDPv4	0.0.0.0	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 
0xde0df6e97280	UDPv4	0.0.0.0	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 
0xde0df6e97280	UDPv6	::	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 
0xde0df7323c80	UDPv4	0.0.0.0	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 
0xde0df7323c80	UDPv6	::	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 
0xde0df548c960	UDPv4	0.0.0.0	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df548c960	UDPv6	::	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df548da90	UDPv4	0.0.0.0	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df6b697e0	UDPv4	0.0.0.0	49943	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b697e0	UDPv6	::	49943	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df5a0d170	UDPv4	0.0.0.0	50201	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c680	UDPv4	0.0.0.0	50202	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c680	UDPv6	::	50202	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df6b6a780	UDPv4	0.0.0.0	50341	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6a780	UDPv6	::	50341	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6c210	UDPv4	0.0.0.0	50607	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6c210	UDPv6	::	50607	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df5694a60	UDPv4	127.0.0.1	57616	*	0		2104	svchost.exe	2022-07-06 16:06:49.000000 
0xde0df6b6b720	UDPv4	0.0.0.0	63208	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6b720	UDPv6	::	63208	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df607ec80	UDPv4	0.0.0.0	64106	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 
0xde0df608ecc0	UDPv4	0.0.0.0	64107	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 
0xde0df608ecc0	UDPv6	::	64107	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 
0xde0df5c879c0	UDPv4	0.0.0.0	64181	*	0		1644	svchost.exe	2022-07-06 16:06:54.000000 
0xde0df5c879c0	UDPv6	::	64181	*	0		1644	svchost.exe	2022-07-06 16:06:54.000000

This is with verbose:

$ vol -vvv -f web.vmem windows.netstat
Volatility 3 Framework 2.2.0
INFO     volatility3.cli: Volatility plugins path: ['/usr/local/lib/python3.10/dist-packages/volatility3/plugins', '/usr/local/lib/python3.10/dist-packages/volatility3/framework/plugins']
INFO     volatility3.cli: Volatility symbols path: ['/usr/local/lib/python3.10/dist-packages/volatility3/symbols', '/usr/local/lib/python3.10/dist-packages/volatility3/framework/symbols']
INFO     volatility3.framework.automagic: Detected a windows category plugin
INFO     volatility3.framework.automagic: Running automagic: ConstructionMagic
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat
INFO     volatility3.framework.automagic: Running automagic: SymbolBannerCache
INFO     volatility3.framework.automagic: Running automagic: LayerStacker
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.windows: Detecting Self-referential pointer for recent windows
DEBUG    volatility3.framework.automagic.windows: DtbSelfRef64bit test succeeded at 0x1ae000
DEBUG    volatility3.framework.automagic.windows: DTB was found at: 0x1ae000
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name.memory_layer
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name.memory_layer.base_layer
Level 9  volatility3.framework.configuration.requirements: IndexError - No configuration provided: plugins.NetStat.kernel.layer_name.memory_layer.meta_layer
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_virtual_offset requirements only accept int type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.interfaces.configuration: TypeError - kernel_banner requirements only accept str type: None
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat.kernel
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.automagic.construct_layers: Failed on requirement: plugins.NetStat
DEBUG    volatility3.framework.automagic.stacker: Stacked layers: ['IntelLayer', 'VmwareLayer', 'FileLayer']
INFO     volatility3.framework.automagic: Running automagic: WinSwapLayers
INFO     volatility3.framework.automagic: Running automagic: KernelPDBScanner
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
Level 9  volatility3.framework.configuration.requirements: Symbol table requirement not yet fulfilled: plugins.NetStat.kernel.symbol_table_name
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - searching layer module list structure
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - testing fixed base address
DEBUG    volatility3.framework.automagic.pdbscan: Potential kernel_virtual_offset caused a page fault: 0xf80100400000
DEBUG    volatility3.framework.automagic.pdbscan: Kernel base determination - optimized scan virtual layer
DEBUG    volatility3.framework.automagic.pdbscan: Setting kernel_virtual_offset to 0xf8024e200000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: ntkrnlmp.pdb/21E85D1745416FB7ACF01CF90A132AAB-1
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
INFO     volatility3.framework.automagic: Running automagic: SymbolFinder      
INFO     volatility3.framework.automagic: Running automagic: KernelModule

Offset	Proto	LocalAddr	LocalPort	ForeignAddr	ForeignPort	State	PID	Owner	Created
DEBUG    volatility3.plugins.windows.netscan: Determined OS Version: 10.0 15.20348
DEBUG    volatility3.plugins.windows.netscan: Unable to find exact matching symbol file, going with latest: netscan-win10-19041-x64
DEBUG    volatility3.plugins.windows.netscan: Determined symbol filename: netscan-win10-19041-x64
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DEBUG    volatility3.plugins.windows.netstat: Found tcpip.sys image base @ 0xf80251cf0000
DEBUG    volatility3.framework.symbols.windows.pdbutil: Found tcpip.pdb: D17014EA1A4CFE34C871090246252BF7-1
DEBUG    volatility3.framework.symbols.windows.pdbutil: Using symbol library: tcpip.pdb/D17014EA1A4CFE34C871090246252BF7-1
INFO     volatility3.schemas: Dependency for validation unavailable: jsonschema
DEBUG    volatility3.schemas: All validations will report success, even with malformed input
DEBUG    volatility3.plugins.windows.netstat: Found TCP connection PartitionTable @ 0xde0df3235000 (partition count: 1)
DEBUG    volatility3.framework.symbols: Unresolved reference: netscan-win10-19041-x641!__unnamed_2
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PO_PROCESS_ENERGY_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EPROCESS_QUOTA_BLOCK
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PS_SYSCALL_PROVIDER
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PAGEFAULT_HISTORY
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_ACCESS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_CPU_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NET_RATE_CONTROL
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_JOB_NOTIFICATION_INFORMATION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_PSP_STORAGE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ACTIVATION_CONTEXT_DATA
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CHPEV2_PROCESS_INFO
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ASSEMBLY_STORAGE_MAP
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EXP_LICENSE_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_NLS_STATE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DBGKP_ERROR_PORT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_CI_NGEN_PATHS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_WNF_SUBSCRIPTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_EVENT_CALLBACK_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_SOFT_RESTART_CONTEXT
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_STACK_CACHE
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_ETW_PERFECT_HASH_FUNCTION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_EX_TIMER
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_HAL_PMC_COUNTERS
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_DEVICE_NODE_IOMMU_EXTENSION
DEBUG    volatility3.framework.symbols: Unresolved reference: symbol_table_name1!_SCSI_REQUEST_BLOCK
DEBUG    volatility3.plugins.windows.netstat: Parsing partition 0
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_ENDPOINT @ 0xde0df6ef29a0

0xde0df6ef29a0	TCPv4	10.10.1.3	49990	14.16.2.36	31337	ESTABLISHED	-	-	N/ADEBUG    volatility3.plugins.windows.netstat: Found _TCP_ENDPOINT @ 0xde0df685a260

0xde0df685a260	TCPv4	10.10.1.3	50040	23.78.75.237	443	ESTABLISHED	-	-	N/ADEBUG    volatility3.plugins.windows.netstat: Found PortPools @ 0xde0df36bd000 (UDP) && 0xde0df36c0000 (TCP)
DEBUG    volatility3.plugins.windows.netstat: Found TCP Ports: [0, 80, 135, 139, 445, 5357, 5985, 47001, 49664, 49665, 49666, 49667, 49668, 49669, 49990, 50040]
DEBUG    volatility3.plugins.windows.netstat: Found UDP Ports: [0, 137, 138, 500, 3702, 4500, 5353, 5355, 49943, 50201, 50202, 50341, 50607, 57616, 63208, 64106, 64107, 64181]
DEBUG    volatility3.plugins.windows.netstat: Current Port: 80
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df12c1cb0

0xde0df12c1cb0	TCPv4	0.0.0.0	80	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df12c1cb0	TCPv6	::	80	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 135
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df37f8230

0xde0df37f8230	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 
0xde0df37f8230	TCPv6	::	135	::	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3efe730

0xde0df3efe730	TCPv4	0.0.0.0	135	0.0.0.0	0	LISTENING	1000	svchost.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 139
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509f7b0

0xde0df509f7b0	TCPv4	10.10.1.3	139	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 445
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df12c19f0

0xde0df12c19f0	TCPv4	0.0.0.0	445	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df12c19f0	TCPv6	::	445	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 5357
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509f390

0xde0df509f390	TCPv4	0.0.0.0	5357	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509f390	TCPv6	::	5357	::	0	LISTENING	4	System	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 5985
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509f230

0xde0df509f230	TCPv4	0.0.0.0	5985	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:50.000000 
0xde0df509f230	TCPv6	::	5985	::	0	LISTENING	4	System	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 47001
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509fa70

0xde0df509fa70	TCPv4	0.0.0.0	47001	0.0.0.0	0	LISTENING	4	System	2022-07-06 16:06:49.000000 
0xde0df509fa70	TCPv6	::	47001	::	0	LISTENING	4	System	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49664
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3efe5d0

0xde0df3efe5d0	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 
0xde0df3efe5d0	TCPv6	::	49664	::	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3efe470

0xde0df3efe470	TCPv4	0.0.0.0	49664	0.0.0.0	0	LISTENING	812	lsass.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49665
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3eff650

0xde0df3eff650	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 
0xde0df3eff650	TCPv6	::	49665	::	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3eff4f0

0xde0df3eff4f0	TCPv4	0.0.0.0	49665	0.0.0.0	0	LISTENING	696	wininit.exe	2022-07-06 16:06:46.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49666
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3eff7b0

0xde0df3eff7b0	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df3eff7b0	TCPv6	::	49666	::	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df3efee10

0xde0df3efee10	TCPv4	0.0.0.0	49666	0.0.0.0	0	LISTENING	1272	svchost.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49667
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509fd30

0xde0df509fd30	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 
0xde0df509fd30	TCPv6	::	49667	::	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509e1b0

0xde0df509e1b0	TCPv4	0.0.0.0	49667	0.0.0.0	0	LISTENING	1624	svchost.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49668
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509ee10

0xde0df509ee10	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 
0xde0df509ee10	TCPv6	::	49668	::	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509f650

0xde0df509f650	TCPv4	0.0.0.0	49668	0.0.0.0	0	LISTENING	1440	spoolsv.exe	2022-07-06 16:06:47.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49669
DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509e730

0xde0df509e730	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 
0xde0df509e730	TCPv6	::	49669	::	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Found _TCP_LISTENER @ 0xde0df509f4f0

0xde0df509f4f0	TCPv4	0.0.0.0	49669	0.0.0.0	0	LISTENING	804	services.exe	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49990
DEBUG    volatility3.framework.symbols.windows.extensions.network: netw obj 0xde0df6d2d248 invalid due to invalid address_family 24728
DEBUG    volatility3.plugins.windows.netstat: Current Port: 50040
DEBUG    volatility3.framework.symbols.windows.extensions.network: netw obj 0xde0df6d40d48 invalid due to invalid address_family 12440
DEBUG    volatility3.plugins.windows.netstat: Current Port: 137
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df548bce0

0xde0df548bce0	UDPv4	10.10.1.3	137	*	0		4	System	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 138
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df548c320

0xde0df548c320	UDPv4	10.10.1.3	138	*	0		4	System	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 500
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5291e70

0xde0df5291e70	UDPv4	0.0.0.0	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df5291e70	UDPv6	::	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df52927d0

0xde0df52927d0	UDPv4	0.0.0.0	500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 3702
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a0d620

0xde0df5a0d620	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0d620	UDPv6	::	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a0c810

0xde0df5a0c810	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c810	UDPv6	::	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a08800

0xde0df5a08800	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a0bd20

0xde0df5a0bd20	UDPv4	0.0.0.0	3702	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 4500
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df52916a0

0xde0df52916a0	UDPv4	0.0.0.0	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df52916a0	UDPv6	::	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5292320

0xde0df5292320	UDPv4	0.0.0.0	4500	*	0		2084	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 5353
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df51b1990

0xde0df51b1990	UDPv4	0.0.0.0	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df51b1990	UDPv6	::	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df51b0860

0xde0df51b0860	UDPv4	0.0.0.0	5353	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6e94d00

0xde0df6e94d00	UDPv4	0.0.0.0	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df73226a0

0xde0df73226a0	UDPv4	0.0.0.0	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6e97280

0xde0df6e97280	UDPv4	0.0.0.0	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 
0xde0df6e97280	UDPv6	::	5353	*	0		5636	msedge.exe	2022-07-06 16:07:39.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df7323c80

0xde0df7323c80	UDPv4	0.0.0.0	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 
0xde0df7323c80	UDPv6	::	5353	*	0		5948	msedge.exe	2022-07-06 16:08:00.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 5355
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df548c960

0xde0df548c960	UDPv4	0.0.0.0	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 
0xde0df548c960	UDPv6	::	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df548da90

0xde0df548da90	UDPv4	0.0.0.0	5355	*	0		1644	svchost.exe	2022-07-06 16:06:48.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 49943
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6b697e0

0xde0df6b697e0	UDPv4	0.0.0.0	49943	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b697e0	UDPv6	::	49943	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 50201
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a0d170

0xde0df5a0d170	UDPv4	0.0.0.0	50201	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 50202
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5a0c680

0xde0df5a0c680	UDPv4	0.0.0.0	50202	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 
0xde0df5a0c680	UDPv6	::	50202	*	0		3364	svchost.exe	2022-07-06 16:06:50.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 50341
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6b6a780

0xde0df6b6a780	UDPv4	0.0.0.0	50341	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6a780	UDPv6	::	50341	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 50607
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6b6c210

0xde0df6b6c210	UDPv4	0.0.0.0	50607	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6c210	UDPv6	::	50607	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 57616
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5694a60

0xde0df5694a60	UDPv4	127.0.0.1	57616	*	0		2104	svchost.exe	2022-07-06 16:06:49.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 63208
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df6b6b720

0xde0df6b6b720	UDPv4	0.0.0.0	63208	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 
0xde0df6b6b720	UDPv6	::	63208	*	0		1644	svchost.exe	2022-07-06 16:07:36.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 64106
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df607ec80

0xde0df607ec80	UDPv4	0.0.0.0	64106	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 64107
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df608ecc0

0xde0df608ecc0	UDPv4	0.0.0.0	64107	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 
0xde0df608ecc0	UDPv6	::	64107	*	0		5948	msedge.exe	2022-07-06 16:08:01.000000 DEBUG    volatility3.plugins.windows.netstat: Current Port: 64181
DEBUG    volatility3.plugins.windows.netstat: Found UDP_ENDPOINT @ 0xde0df5c879c0

0xde0df5c879c0	UDPv4	0.0.0.0	64181	*	0		1644	svchost.exe	2022-07-06 16:06:54.000000 
0xde0df5c879c0	UDPv6	::	64181	*	0		1644	svchost.exe	2022-07-06 16:06:54.000000

For your info, this is the output of windows.info on my image. It is Windows Server 2022 21H2 20348.707

$ vol -f web.vmem windows.info
Volatility 3 Framework 2.2.0
Progress:  100.00		PDB scanning finished                          
Variable	Value

Kernel Base	0xf8024e200000
DTB	0x1ae000
Symbols	file:///usr/local/lib/python3.10/dist-packages/volatility3/symbols/windows/ntkrnlmp.pdb/21E85D1745416FB7ACF01CF90A132AAB-1.json.xz
Is64Bit	True
IsPAE	False
layer_name	0 WindowsIntel32e
memory_layer	1 VmwareLayer
base_layer	2 FileLayer
meta_layer	2 FileLayer
KdVersionBlock	0xf8024ee15508
Major/Minor	15.20348
MachineType	34404
KeNumberProcessors	1
SystemTime	2022-07-06 16:29:01
NtSystemRoot	C:\Windows
NtProductType	NtProductServer
NtMajorVersion	10
NtMinorVersion	0
PE MajorOperatingSystemVersion	10
PE MinorOperatingSystemVersion	0
PE Machine	34404
PE TimeDateStamp	Thu Jun 18 06:34:27 2015

Thank you, Vincent

vincentroberge avatar Jul 06 '22 17:07 vincentroberge

I searched more on the this forum and it seems like the problem is related to Volatility3 netstat/netscan not supporting the latest versions of Windows 10 and 11 yet. I would have to generate new .json files such as netscan-win10-19041-x64 which is the last available one that was developed. Is there a way to automatically build the .json files for the netscan/netstat plugins? @japhlange should know. Thank you.

vincentroberge avatar Jul 07 '22 12:07 vincentroberge

Hello, @vincentroberge

That's right, if you don't have a Symbol Table (.json) that corresponds to the latest version, you'll get a hard-to-trust result. There are two main ways to create a Symbol Table that we can use.

One is to convert the PDB provided by the MS official server. However, this is only available for some kernel and driver files. Files such as tcpip.sys, which are covered by the issue now, are not provided by MS, so unfortunately you have to use a different plan.

It's reverse engineering. In fact, we need to figure out what structures are constructed and used inside by direct analysis.

I think it would be possible to automate the binary structure that I know and the technology that is currently being studied. However, research and development have not yet been carried out enough to be used in volatility3.

For now, I think we should either analyze this directly, wait for it to be released on Microsoft, or look forward to community contributions.

digitalisx avatar Jul 08 '22 16:07 digitalisx

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar Aug 22 '23 01:08 github-actions[bot]

Looks like netstat still doesn't work on windows 10/11

DYarizadeh avatar Sep 26 '23 23:09 DYarizadeh

This issue is stale because it has been open for 200 days with no activity.

github-actions[bot] avatar May 05 '24 01:05 github-actions[bot]