Symbol _TCP_ENDPOINT not found

Question

I've been reading "The art of memory forensics", on chapter 11 page 327 they added the output of Windbg dt(_TCP_ENDPOINT) The Art Of Memory Forensics - _TCP_ENDPOINT

I have been trying to get the same result with Windbg but I keep getting the same error:

dt(_TCP_ENDPOINT)
Symbol _TCP_ENDPOINT not found.

even though I loaded the tcpip.sys symbols file

1: kd> lml
start             end                 module name
....... 
fffff805`3bfc0000 fffff805`3c2a9000   tcpip      (pdb symbols)          C:\ProgramData\Dbg\sym\tcpip.pdb\4EF7BCB071F28E1DAAAA937D59B39D121\tcpip.pdb

I dont get this kind of error when looking other Kernel structures,

1: kd>  dt(_EPROCESS)
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x2e0 ProcessLock      : _EX_PUSH_LOCK
   ......

What am I doing wrong?

`_TCP_ENDPOINT` appears to be an overlay defined in volatility's netscan plugin. You won't find it in `tcpip.sys` because it never was there to begin with. — dxiv, Sep 20 '20 at 02:07

score 1 · Accepted Answer · answered Sep 20 '20 at 15:25

1

The output in the book was from the dt() command from the volshell plugin in volatility 2.7, not Windbg.

And like @dxiv said, _TCP_ENDPOINT is an overlay used by Volatility.

answered Sep 20 '20 at 15:25

Thomas Weller

55,411
20
125
222

Symbol _TCP_ENDPOINT not found

1 Answers1