From 5119cbf038714cf08eee66422f9f2b58d612d6ae Mon Sep 17 00:00:00 2001 From: TMPLR11 <55187710+TMPLR11@users.noreply.github.com> Date: Thu, 12 Sep 2019 12:35:43 +0200 Subject: [PATCH] Netscan ports disunite to facilite searches Both local and remote ports disunite. --- volatility/plugins/netscan.py | 54 ++++++++++++++++------------------- 1 file changed, 24 insertions(+), 30 deletions(-) diff --git a/volatility/plugins/netscan.py b/volatility/plugins/netscan.py index 943797162..cdbc8f3d7 100644 --- a/volatility/plugins/netscan.py +++ b/volatility/plugins/netscan.py @@ -114,7 +114,7 @@ def dual_stack_sockets(self): # connects to the listener, a TCP_ENDPOINT is created # and that structure contains the remote address. if local_addr != None: - inaddr = local_addr.inaddr + inaddr = local_addr.pData.dereference().dereference() if self.AddressFamily == AF_INET: yield "v4", inaddr.addr4, inaddr_any else: @@ -169,18 +169,6 @@ def is_valid(self): class _UDP_ENDPOINT(_TCP_LISTENER): """Class for objects found in UdpA pools""" -class _LOCAL_ADDRESS(obj.CType): - - @property - def inaddr(self): - return self.pData.dereference().dereference() - -class _LOCAL_ADDRESS_WIN10_UDP(obj.CType): - - @property - def inaddr(self): - return self.pData.dereference() - #-------------------------------------------------------------------------------- # profile modifications #-------------------------------------------------------------------------------- @@ -198,9 +186,7 @@ def modification(self, profile): profile.object_classes.update({ '_TCP_LISTENER': _TCP_LISTENER, '_TCP_ENDPOINT': _TCP_ENDPOINT, - '_LOCAL_ADDRESS': _LOCAL_ADDRESS, '_UDP_ENDPOINT': _UDP_ENDPOINT, - '_LOCAL_ADDRESS_WIN10_UDP': _LOCAL_ADDRESS_WIN10_UDP, }) #-------------------------------------------------------------------------------- 
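Review bot: The inlined `inaddr = local_addr.pData.dereference().dereference()` hardcodes the double dereference that the removed `_LOCAL_ADDRESS.inaddr` did, but the also-removed `_LOCAL_ADDRESS_WIN10_UDP.inaddr` (hunk 2) dereferenced `pData` only once, so whichever vtype mapped its local address to `_LOCAL_ADDRESS_WIN10_UDP` via the registrations dropped in hunk 3 now gets one extra dereference and presumably a wrong or invalid address. Unless that case was verified, keep both object classes and their registration and leave this line as `inaddr = local_addr.inaddr`. Removing the address classes is also unrelated to the port-column split the subject describes and would be easier to review as a separate commit. dual_stack_sockets starts and ends outside this hunk.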
@@ -246,8 +232,10 @@ def calculate(self): def unified_output(self, data): return TreeGrid([(self.offset_column(), Address), ("Proto", str), - ("LocalAddr", str), - ("ForeignAddr", str), + ("LocalIP", str), + ("LocalPort", str), + ("ForeignIP", str), + ("ForeignPort", str), ("State", str), ("PID", int), ("Owner", str), @@ -257,8 +245,10 @@ def unified_output(self, data): def generator(self, data): for net_object, proto, laddr, lport, raddr, rport, state in data: - lendpoint = "{0}:{1}".format(laddr, lport) - rendpoint = "{0}:{1}".format(raddr, rport) + localIP = laddr + localPort = lport + remoteIp = raddr + remotePort = rport pid = -1 owner = "" if net_object.Owner != None: 
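Review bot: Replacing the `LocalAddr` and `ForeignAddr` columns with `LocalIP`, `LocalPort`, `ForeignIP` and `ForeignPort` changes the unified_output schema, so any renderer or script that keys on the old column names stops matching without an error; the commit message should state this as a breaking output change, e.g. `unified output: LocalAddr/ForeignAddr are replaced by LocalIP, LocalPort, ForeignIP, ForeignPort`. Declaring the port columns as `str` also prevents numeric filtering and sorting, which is the stated purpose of the split; if the port values are always integers, `("LocalPort", int)` would serve searches better, and if they are not (for instance a placeholder for listeners, which this hunk does not show), a one-line comment next to the column explaining why `str` is required would save the next reader the question. unified_output's body ends outside this hunk.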
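Review bot: The four new assignments `localIP = laddr`, `localPort = lport`, `remoteIp = raddr`, `remotePort = rport` only alias the loop variables under new names, and those names mix `IP` with `Ip` and use camelCase in a file that otherwise uses snake_case (`net_object`, `lendpoint`). Drop the aliases and emit the unpacked names directly, e.g. `str(laddr), str(lport), str(raddr), str(rport)` in the yield. The same pattern recurs in hunk 6, both in the generator yield and in the render_text loop, and should be cleaned up there too. generator's body continues past the end of this hunk.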
@@ -266,32 +256,36 @@ def generator(self, data): owner = str(net_object.Owner.ImageFileName) yield (0, - [Address(net_object.obj_offset), - str(proto), - lendpoint, - rendpoint, + [Address(net_object.obj_offset), + str(proto), + str(localIP), + str(localPort), + str(remoteIp), + str(remotePort), str(state), pid, owner, str(net_object.CreateTime or '')]) def render_text(self, outfd, data): - outfd.write("{0:<18} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format( - self.offset_column(), "Proto", "Local Address", "Foreign Address", + outfd.write("{0:<18} {1:<8} {2:<5} {3:<30} {4:<5} {5:<20} {6:<16} {7:<8} {8:<14} {9}\n".format( + self.offset_column(), "Proto", "Local IP", "Local Port", "Foreign IP", "Foreign Port", "State", "Pid", "Owner", "Created")) for net_object, proto, laddr, lport, raddr, rport, state in data: - lendpoint = "{0}:{1}".format(laddr, lport) - rendpoint = "{0}:{1}".format(raddr, rport) + localIP = laddr + localPort = lport + remoteIp = raddr + remotePort = rport pid = -1 owner = "" if net_object.Owner != None: pid = int(net_object.Owner.UniqueProcessId) owner = str(net_object.Owner.ImageFileName) - outfd.write("{0:<#18x} {1:<8} {2:<30} {3:<20} {4:<16} {5:<8} {6:<14} {7}\n".format( - net_object.obj_offset, proto, lendpoint, - rendpoint, state, pid, + outfd.write("{0:<#18x} {1:<8} {2:<5} {3:<30} {4:<8} {5:<20} {6:<16} {7:<8} {8:<14} {9}\n".format( + net_object.obj_offset, proto, localIP, localPort, + remoteIp, remotePort, state, pid, owner, str(net_object.CreateTime or '') ))
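Review bot: The column widths in render_text look assigned to the wrong fields, and the header no longer matches the rows: the header formats "Local IP" with `{2:<5}` and "Local Port" with `{3:<30}`, and "Foreign IP" with `{4:<5}` in the header but `{4:<8}` in the row, so addresses (up to 39 characters for IPv6) overflow a 5-wide column while ports sit in a 30-wide one and the foreign columns drift by three characters on every row. Give the IP fields the wide width and the ports the narrow one, and use one identical format string in both `outfd.write` calls, e.g. `"{0:<18} {1:<8} {2:<30} {3:<6} {4:<30} {5:<6} {6:<16} {7:<8} {8:<14} {9}\n"`. The `[Address(net_object.obj_offset),` and `str(proto),` lines in the yield are removed and re-added with no visible change, which looks like a whitespace-only edit that inflates the diff and could be reverted.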