volatility3.plugins.windows.netstat module

class NetStat(context, config_path, progress_callback=None)[source]

Bases: volatility3.framework.interfaces.plugins.PluginInterface, volatility3.plugins.timeliner.TimeLinerInterface

Traverses the network tracking structures present in a particular Windows memory image.

Parameters
  • context (ContextInterface) – The context that the plugin will operate within

  • config_path (str) – The path to configuration data within the context configuration data

  • progress_callback (Optional[Callable[[float, str], None]]) – A callable that can provide feedback at progress points

build_configuration()

Constructs a HierarchicalDictionary of all the options required to build this component in the current context.

Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.

Return type

HierarchicalDict

property config: volatility3.framework.interfaces.configuration.HierarchicalDict

The Hierarchical configuration Dictionary for this Configurable object.

Return type

HierarchicalDict

property config_path: str

The configuration path on which this configurable lives.

Return type

str

property context: volatility3.framework.interfaces.context.ContextInterface

The context object that this configurable belongs to/configuration is stored in.

Return type

ContextInterface

classmethod create_tcpip_symbol_table(context, config_path, layer_name, tcpip_module_offset, tcpip_module_size)[source]

DEPRECATED: Use PDBUtility.symbol_table_from_pdb instead

Creates symbol table for the current image’s tcpip.sys driver.

Searches the memory section of the loaded tcpip.sys module for its PDB GUID and loads the associated symbol table into the symbol space.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • config_path (str) – The config path where to find symbol files

  • layer_name (str) – The name of the layer on which to operate

  • tcpip_module_offset (int) – This memory dump’s tcpip.sys image offset

  • tcpip_module_size (int) – The size of tcpip.sys for this dump

Return type

str

Returns

The name of the constructed and loaded symbol table

classmethod enumerate_structures_by_port(context, layer_name, net_symbol_table, port, port_pool_addr, proto='tcp')[source]

Lists all UDP Endpoints and TCP Listeners by parsing UdpPortPool and TcpPortPool.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • net_symbol_table (str) – The name of the table containing the tcpip types

  • port (int) – Current port as integer to lookup the associated object.

  • port_pool_addr (int) – Address of port pool object

  • proto – Either “tcp” or “udp” to decide which types to use.

Return type

Iterable[ObjectInterface]

Returns

The list of network objects from this image’s TCP and UDP PortPools

classmethod find_port_pools(context, layer_name, net_symbol_table, tcpip_symbol_table, tcpip_module_offset)[source]

Finds the given image’s port pools. Older Windows versions (presumably < Win10 build 14251) use driver symbols called UdpPortPool and TcpPortPool which point towards the pools. Newer Windows versions use UdpCompartmentSet and TcpCompartmentSet, which we first have to translate into the port pool address. See also: http://redplait.blogspot.com/2016/06/tcpip-port-pools-in-fresh-windows-10.html

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • net_symbol_table (str) – The name of the table containing the tcpip types

  • tcpip_module_offset (int) – This memory dump’s tcpip.sys image offset

  • tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols

Return type

Tuple[int, int]

Returns

The tuple containing the address of the UDP and TCP port pool respectively.

generate_timeline()[source]

Generates tuples of (description, timestamp_type, timestamp).

These need not be generated in any particular order; sorting is done later.

classmethod get_requirements()[source]

Returns a list of Requirement objects for this plugin.

classmethod get_tcpip_module(context, layer_name, nt_symbols)[source]

Uses windows.modules to find tcpip.sys in memory.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • nt_symbols (str) – The name of the table containing the kernel symbols

Return type

Optional[ObjectInterface]

Returns

The constructed tcpip.sys module object.

classmethod list_sockets(context, layer_name, nt_symbols, net_symbol_table, tcpip_module_offset, tcpip_symbol_table)[source]

Lists all UDP Endpoints, TCP Listeners and TCP Endpoints in the primary layer that are in tcpip.sys’s UdpPortPool, TcpPortPool and TCP Endpoint partition table, respectively.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • nt_symbols (str) – The name of the table containing the kernel symbols

  • net_symbol_table (str) – The name of the table containing the tcpip types

  • tcpip_module_offset (int) – Offset of tcpip.sys’s PE image in memory

  • tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols

Return type

Iterable[ObjectInterface]

Returns

The list of network objects from the layer_name layer’s PartitionTable and PortPools

classmethod make_subconfig(context, base_config_path, **kwargs)

Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.

Parameters
  • context (ContextInterface) – The context in which to store the new configuration

  • base_config_path (str) – The base configuration path on which to build the new configuration

  • kwargs – Keyword arguments that are used to populate the new configuration path

Returns

The newly generated full configuration path

Return type

str

property open

Returns a context manager and thus can be called like open.

classmethod parse_bitmap(context, layer_name, bitmap_offset, bitmap_size_in_byte)[source]

Parses a given bitmap and looks for each occurrence of a 1.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • bitmap_offset (int) – Start address of bitmap

  • bitmap_size_in_byte (int) – Bitmap size in bytes, not in bits.

Return type

list

Returns

The list of indices at which a 1 was found.

classmethod parse_hashtable(context, layer_name, ht_offset, ht_length, alignment, net_symbol_table)[source]

Parses a hash table; this is a quick-and-dirty implementation.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • ht_offset (int) – Beginning of the hash table

  • ht_length (int) – Length of the hash table

Return type

Generator[ObjectInterface, None, None]

Returns

The hash table entries which are _not_ empty

classmethod parse_partitions(context, layer_name, net_symbol_table, tcpip_symbol_table, tcpip_module_offset)[source]

Parses tcpip.sys’s PartitionTable containing established TCP connections. The number of partitions depends on the value of the symbol PartitionCount and correlates with the maximum processor count (refer to Art of Memory Forensics, chapter 11).

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • net_symbol_table (str) – The name of the table containing the tcpip types

  • tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols

  • tcpip_module_offset (int) – The offset of the tcpip module

Return type

Iterable[ObjectInterface]

Returns

The list of TCP endpoint objects from the layer_name layer’s PartitionTable

classmethod read_pointer(context, layer_name, offset, length)[source]

Reads a pointer at a given offset and returns the address it points to.

Parameters
  • context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from

  • layer_name (str) – The name of the layer on which to operate

  • offset (int) – Offset of pointer

  • length (int) – Pointer length

Return type

int

Returns

The value the pointer points to.
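Added example (not volatility3's own code) showing what parse_bitmap and read_pointer above do, so that the two contracts can be checked without a memory image. The framework's context.layers[layer_name].read(...) is replaced by a minimal in-memory FakeLayer over a constructed byte buffer; the LSB-first bit order within each byte and the little-endian pointer decoding are assumptions matching the x86/x64 conventions of the structures the plugin walks, and the sample addresses and contents are fabricated for illustration.

```python
"""Standalone illustration of NetStat.parse_bitmap and NetStat.read_pointer.

Added example, not volatility3 code: a flat bytes buffer stands in for a
translation layer so the logic runs offline. Bit order (LSB first in each
byte) and pointer endianness (little) are assumptions, not taken from the page.
"""
from typing import Dict, List


class FakeLayer:
    """Minimal stand-in for a volatility3 layer: one contiguous bytes buffer mapped at `base`."""

    def __init__(self, base: int, data: bytes) -> None:
        self.base = base
        self.data = data

    def read(self, offset: int, length: int) -> bytes:
        start = offset - self.base
        if start < 0 or start + length > len(self.data):
            raise ValueError(f"read of {length} bytes at {offset:#x} is outside the layer")
        return self.data[start:start + length]


def parse_bitmap(layer: FakeLayer, bitmap_offset: int, bitmap_size_in_byte: int) -> List[int]:
    """Return the indices of every set bit in the bitmap.

    Mirrors the documented contract: the size argument is a byte count, not a
    bit count, and the result is a list of bit indices (assumed LSB first).
    """
    bitmap = layer.read(bitmap_offset, bitmap_size_in_byte)
    indices: List[int] = []
    for byte_index, current_byte in enumerate(bitmap):
        base_bit = byte_index * 8
        for bit in range(8):
            if current_byte & (1 << bit):
                indices.append(base_bit + bit)
    return indices


def read_pointer(layer: FakeLayer, offset: int, length: int) -> int:
    """Read a little-endian pointer of `length` bytes (4 on x86, 8 on x64) at `offset`."""
    if length not in (4, 8):
        raise ValueError("pointer length must be 4 or 8 bytes")
    return int.from_bytes(layer.read(offset, length), "little")


# Constructed sample memory (not from a real image): a 4-byte bitmap followed
# by an 8-byte pointer, mapped at a fictitious kernel-space address.
SAMPLE_BASE = 0xFFFFF80012340000
SAMPLE_BITMAP = bytes([0b0000_0101, 0x00, 0b1000_0000, 0x01])  # bits 0, 2, 23, 24 set
SAMPLE_TARGET = 0xFFFFF80012345678
SAMPLE_LAYER = FakeLayer(SAMPLE_BASE, SAMPLE_BITMAP + SAMPLE_TARGET.to_bytes(8, "little"))


def demo() -> Dict[str, object]:
    """Run both helpers over the constructed layer and return their results."""
    set_bits = parse_bitmap(SAMPLE_LAYER, SAMPLE_BASE, len(SAMPLE_BITMAP))
    target = read_pointer(SAMPLE_LAYER, SAMPLE_BASE + len(SAMPLE_BITMAP), 8)
    return {"set_bits": set_bits, "pointer": target}


if __name__ == "__main__":
    result = demo()
    print("set bit indices:", result["set_bits"])
    print("pointer target: %#x" % result["pointer"])
```

Passing a bit count instead of a byte count to parse_bitmap would read eight times too much memory, which is why FakeLayer.read raises on out-of-range reads; on a real layer the equivalent failure is an invalid-address exception from the translation layer.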

run()[source]

Executes the functionality of the code.

Note

This method expects self.validate to have been called to ensure all necessary options have been provided

Returns

A TreeGrid object that can then be passed to a Renderer.

set_open_method(handler)

Sets the file handler to be used by this plugin.

Return type

None

classmethod unsatisfied(context, config_path)

Returns a list of the names of all unsatisfied requirements.

Since a satisfied set of requirements will return [], it can be used in tests as follows:

unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet))

Return type

Dict[str, RequirementInterface]

version = (1, 0, 0)