No netstat output in a working memory dump (Windows 7 and XP)

Question

No netstat output in a working memory dump (Windows 7 and XP)

SolitudePy opened this issue 6 months ago · 3 comments

Hello, I tried running memprocfs on the known cridex.vmem. it can be found online, the memory is Windows XP I wonder if the tool support that since netstat output comes empty, while volatility sockets is able to show it.
Great tool by the way!

Answer 1 · 2024-07-14T23:03:34.000Z

It does not support windows XP network connections currently.

Windows XP was ancient and no longer really used in the real world when this tool was created.

I never could warrant myself spending the time required to add it, especially since microsoft completely remade the network stack since. Network connections in Win8 memory and onwards should be mostly fine though.

I should clarify this in the guide pages or add a readme/info file in the file system to clarify though.

Answer 2 · 2024-07-15T04:39:29.000Z

@ufrisk I understand, thanks

Answer 3 · 2024-07-21T21:42:15.000Z

I believe this is a duplicate issue of #283

I should be looking into this I guess since it seems like Windows 7 is still quite popular in CTF's and memory forensics classes. I'm closing this issue though and keeping the other one open until it's been added.