volatility3.plugins.windows.netstat module
- class NetStat(context, config_path, progress_callback=None)
Bases: PluginInterface, TimeLinerInterface
Traverses network tracking structures present in a particular windows memory image.
- Parameters:
- build_configuration()
Constructs a HierarchicalDictionary of all the options required to build this component in the current context.
Ensures that if the class has been created, it can be recreated using the configuration built. Inheriting classes must override this to ensure any dependent classes update their configurations too.
- Return type:
- property config: HierarchicalDict
The Hierarchical configuration Dictionary for this Configurable object.
- property context: ContextInterface
The context object that this configurable belongs to/configuration is stored in.
- classmethod create_tcpip_symbol_table(context, config_path, layer_name, tcpip_module_offset, tcpip_module_size)
DEPRECATED: Use PDBUtility.symbol_table_from_pdb instead
Creates symbol table for the current image’s tcpip.sys driver.
Searches the memory section of the loaded tcpip.sys module for its PDB GUID and loads the associated symbol table into the symbol space.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - config_path (str) – The config path where to find symbol files
  - layer_name (str) – The name of the layer on which to operate
  - tcpip_module_offset (int) – This memory dump’s tcpip.sys image offset
  - tcpip_module_size (int) – The size of tcpip.sys for this dump
- Return type:
- Returns:
The name of the constructed and loaded symbol table
- classmethod enumerate_structures_by_port(context, layer_name, net_symbol_table, port, port_pool_addr, proto='tcp')
Lists all UDP Endpoints and TCP Listeners by parsing UdpPortPool and TcpPortPool.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - net_symbol_table (str) – The name of the table containing the tcpip types
  - port (int) – Current port as integer to look up the associated object
  - port_pool_addr (int) – Address of the port pool object
  - proto – Either “tcp” or “udp” to decide which types to use
- Return type:
- Returns:
The list of network objects from this image’s TCP and UDP PortPools
- classmethod find_port_pools(context, layer_name, net_symbol_table, tcpip_symbol_table, tcpip_module_offset)
Finds the given image’s port pools. Older Windows versions (presumably < Win10 build 14251) use driver symbols called UdpPortPool and TcpPortPool which point towards the pools. Newer Windows versions use UdpCompartmentSet and TcpCompartmentSet, which we first have to translate into the port pool address. See also: http://redplait.blogspot.com/2016/06/tcpip-port-pools-in-fresh-windows-10.html
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - net_symbol_table (str) – The name of the table containing the tcpip types
  - tcpip_module_offset (int) – This memory dump’s tcpip.sys image offset
  - tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols
- Return type:
- Returns:
The tuple containing the address of the UDP and TCP port pool respectively.
- generate_timeline()
Method generates Tuples of (description, timestamp_type, timestamp)
These need not be generated in any particular order, sorting will be done later
- classmethod get_tcpip_module(context, layer_name, nt_symbols)
Uses windows.modules to find tcpip.sys in memory.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - nt_symbols (str) – The name of the table containing the kernel symbols
- Return type:
- Returns:
The constructed tcpip.sys module object.
- classmethod list_sockets(context, layer_name, nt_symbols, net_symbol_table, tcpip_module_offset, tcpip_symbol_table)
Lists all UDP Endpoints, TCP Listeners and TCP Endpoints in the primary layer that are in tcpip.sys’s UdpPortPool, TcpPortPool and TCP Endpoint partition table, respectively.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - nt_symbols (str) – The name of the table containing the kernel symbols
  - net_symbol_table (str) – The name of the table containing the tcpip types
  - tcpip_module_offset (int) – Offset of tcpip.sys’s PE image in memory
  - tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols
- Return type:
- Returns:
The list of network objects from the layer_name layer’s PartitionTable and PortPools
- classmethod make_subconfig(context, base_config_path, **kwargs)
Convenience function to allow constructing a new randomly generated sub-configuration path, containing each element from kwargs.
- Parameters:
  - context (ContextInterface) – The context in which to store the new configuration
  - base_config_path (str) – The base configuration path on which to build the new configuration
  - kwargs – Keyword arguments that are used to populate the new configuration path
- Returns:
The newly generated full configuration path
- Return type:
- property open
Returns a context manager and thus can be called like open
- classmethod parse_bitmap(context, layer_name, bitmap_offset, bitmap_size_in_byte)
Parses a given bitmap and looks for each occurrence of a 1.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - bitmap_offset (int) – Start address of the bitmap
  - bitmap_size_in_byte (int) – Bitmap size in bytes, not in bits
- Return type:
- Returns:
The list of indices at which a 1 was found.
- classmethod parse_hashtable(context, layer_name, ht_offset, ht_length, alignment, net_symbol_table)
Parses a hash table (quick and dirty).
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - ht_offset (int) – Beginning of the hash table
  - ht_length (int) – Length of the hash table
- Return type:
- Returns:
The hash table entries which are _not_ empty
- classmethod parse_partitions(context, layer_name, net_symbol_table, tcpip_symbol_table, tcpip_module_offset)
Parses tcpip.sys’s PartitionTable containing established TCP connections. The number of partitions depends on the value of the symbol PartitionCount and correlates with the maximum processor count (refer to The Art of Memory Forensics, chapter 11).
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - net_symbol_table (str) – The name of the table containing the tcpip types
  - tcpip_symbol_table (str) – The name of the table containing the tcpip driver symbols
  - tcpip_module_offset (int) – The offset of the tcpip module
- Return type:
- Returns:
The list of TCP endpoint objects from the layer_name layer’s PartitionTable
- classmethod read_pointer(context, layer_name, offset, length)
Reads a pointer at a given offset and returns the address it points to.
- Parameters:
  - context (ContextInterface) – The context to retrieve required elements (layers, symbol tables) from
  - layer_name (str) – The name of the layer on which to operate
  - offset (int) – Offset of the pointer
  - length (int) – Pointer length (number of bytes to read)
- Return type:
- Returns:
The value the pointer points to.
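Worked example of the two low-level helpers documented above, parse_bitmap and read_pointer, added here and not part of volatility3's own code. It replaces the framework's memory layer with a constructed in-memory stand-in (FakeLayer) that exposes only read(offset, length); the LSB-first bit order within each byte, the little-endian pointer encoding and the bitmap and pointer bytes in build_sample_layer are all assumptions or constructed sample data, not values from a real image.

```python
# Added example, not volatility3's own code: models parse_bitmap and
# read_pointer over a constructed in-memory layer instead of a memory image.
from typing import List


class FakeLayer:
    """Stand-in for a volatility3 translation layer (assumption: only
    read(offset, length) is modelled)."""

    def __init__(self, data: bytes) -> None:
        self._data = data

    def read(self, offset: int, length: int) -> bytes:
        # Refuse out-of-bounds reads instead of silently returning short data.
        if offset < 0 or length < 0 or offset + length > len(self._data):
            raise ValueError(f"read of {length} bytes at {offset:#x} is out of bounds")
        return self._data[offset:offset + length]


def parse_bitmap(layer: FakeLayer, bitmap_offset: int, bitmap_size_in_byte: int) -> List[int]:
    """Return the index of every set bit in the bitmap at bitmap_offset.

    The size argument is in bytes, as in the plugin's signature, so a pool
    bitmap covering the full 16-bit port range is 8192 bytes, not 65536.
    Bit 0 of byte 0 is index 0 (LSB-first within each byte: an assumption).
    """
    raw = layer.read(bitmap_offset, bitmap_size_in_byte)
    indices: List[int] = []
    for byte_index, byte in enumerate(raw):
        if byte == 0:  # common case for a sparse port bitmap
            continue
        for bit in range(8):
            if byte & (1 << bit):
                indices.append(byte_index * 8 + bit)
    return indices


def read_pointer(layer: FakeLayer, offset: int, length: int) -> int:
    """Read a little-endian pointer of `length` bytes (4 on x86, 8 on x64)."""
    if length not in (4, 8):
        raise ValueError("pointer length must be 4 or 8 bytes")
    return int.from_bytes(layer.read(offset, length), "little")


def bitmap_bytes_for_ports(port_count: int) -> int:
    """Bytes needed for a bitmap with one bit per port (rounded up to a byte)."""
    return (port_count + 7) // 8


def build_sample_layer() -> FakeLayer:
    """Constructed sample memory: a 4-byte bitmap at 0x10, an 8-byte pointer at 0x20."""
    mem = bytearray(0x30)
    mem[0x10:0x14] = bytes([0x01, 0x00, 0x08, 0x80])             # bits 0, 19 and 31 set
    mem[0x20:0x28] = (0xFFFFF80012345678).to_bytes(8, "little")  # constructed kernel address
    return FakeLayer(bytes(mem))


if __name__ == "__main__":
    layer = build_sample_layer()
    print("set bits:", parse_bitmap(layer, 0x10, 4))         # [0, 19, 31]
    print("x64 ptr: ", hex(read_pointer(layer, 0x20, 8)))    # 0xfffff80012345678
    print("x86 ptr: ", hex(read_pointer(layer, 0x20, 4)))    # 0x12345678 (low dword only)
```

Two of the plugin's pitfalls show up directly: passing the bitmap size in bits (65536 for a full port range) makes the stand-in layer raise on the over-read rather than return garbage, and reading an 8-byte pointer with length 4 yields a truncated address, which on a 64-bit dump would send every later structure walk to the wrong place.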
- run()
Executes the functionality of the code.
Note
This method expects self.validate to have been called to ensure all necessary options have been provided
- Returns:
A TreeGrid object that can then be passed to a Renderer.
- classmethod unsatisfied(context, config_path)
Returns a list of the names of all unsatisfied requirements.
Since a satisfied set of requirements will return [], it can be used in tests as follows:

```python
unmet = configurable.unsatisfied(context, config_path)
if unmet:
    raise RuntimeError("Unsatisfied requirements: {}".format(unmet))
```
- Return type:
- version = (1, 0, 0)