Merge pull request #1277 from dgmcdona/dgmcdona/windows-netscan-missing-connections

ikelos · web-flow · commit 495f3a92d4fb · 2024-09-30T20:51:28.000+01:00
Windows: Netscan - fix missing TCP connections
diff --git a/volatility3/framework/plugins/windows/netscan.py b/volatility3/framework/plugins/windows/netscan.py
@@ -76,7 +76,7 @@ def create_netscan_constraints(
 
         # ~ vollog.debug("Using pool size constraints: TcpL {}, TcpE {}, UdpA {}".format(tcpl_size, tcpe_size, udpa_size))
 
-        return [
+        constraints = [
             # TCP listener
             poolscanner.PoolConstraint(
                 b"TcpL",
@@ -100,6 +100,19 @@ def create_netscan_constraints(
             ),
         ]
 
+        if symbol_table.startswith("netscan-win10-20348"):
+            vollog.debug("Adding additional pool constraint for `TTcb` tags")
+            constraints.append(
+                poolscanner.PoolConstraint(
+                    b"TTcb",
+                    type_name=symbol_table + constants.BANG + "_TCP_ENDPOINT",
+                    size=(tcpe_size, None),
+                    page_type=poolscanner.PoolType.NONPAGED | poolscanner.PoolType.FREE,
+                )
+            )
+
+        return constraints
+
     @classmethod
     def determine_tcpip_version(
         cls,
