Symbol _TCP_ENDPOINT not found

118 Views Asked by Cyber_Noob At 03 April 2025 at 21:35

I've been reading "The art of memory forensics", on chapter 11 page 327 they added the output of Windbg dt(_TCP_ENDPOINT) The Art Of Memory Forensics - _TCP_ENDPOINT

I have been trying to get the same result with Windbg but I keep getting the same error:

dt(_TCP_ENDPOINT)
Symbol _TCP_ENDPOINT not found.

even though I loaded the tcpip.sys symbols file

1: kd> lml
start             end                 module name
....... 
fffff805`3bfc0000 fffff805`3c2a9000   tcpip      (pdb symbols)          C:\ProgramData\Dbg\sym\tcpip.pdb\4EF7BCB071F28E1DAAAA937D59B39D121\tcpip.pdb

I dont get this kind of error when looking other Kernel structures,

1: kd>  dt(_EPROCESS)
ntdll!_EPROCESS
   +0x000 Pcb              : _KPROCESS
   +0x2e0 ProcessLock      : _EX_PUSH_LOCK
   ......

What am I doing wrong?

Original Q&A

There are 1 best solutions below

Thomas Weller On 20 September 2020 at 15:25 BEST ANSWER

The output in the book was from the dt() command from the volshell plugin in volatility 2.7, not Windbg.

And like @dxiv said, _TCP_ENDPOINT is an overlay used by Volatility.

Symbol _TCP_ENDPOINT not found

There are 1 best solutions below

Related Questions in WINDOWS

Related Questions in MEMORY

Related Questions in WINDBG

Related Questions in CRASH-DUMPS

Related Questions in VOLATILITY

Trending Questions

Popular # Hahtags

Popular Questions