Yes, I search memory for all of the things you mention (except ROT13). I output offsets with EnCase and give it to Volatility to tell me whose it is (that was where I used the "UDO to 210...." label that Michael mentioned). It all works very well. I also include the ports in binary. It is then dead easy to see the convergences.
I don't know how to find the buffer yet. However with Michael providing me with the map of the structures, that may be the ticket.
This was more curiosity. I produced nothing with Volatility for old (mere minutes in this case) but wanted to be sure by doing the binary searches.
I have a lot to learn. It keeps me busy.
> Date: Thu, 21 Jun 2012 14:00:14 -0400
> From: ggarner_online@gmgsystemsinc.com
> To: vol-users@volatilityfoundation.org
> Subject: Re: [Vol-users] format of UDP record in memory
>
> Mike,
>
> > For example I'm looking for
> > from a connection UDP 192.168.136.129:1044 to 204.13.161.100:6600
>
> UDP is a stateless protocol, btw, so strictly speaking there never was
> any connection to leave artifacts. It is a crude method, however, you
> can try scanning memory for the remote IP address. At a minimum you
> need to look for the IP encoded as an ascii and Unicode string and as an
> integer value in both network and host byte order. You can also try
> searching for the ROT13 encoding of the ascii and Unicode string
> representations. Once you find the IP address in memory you can
> (often) use the PFN database to determine which process owns the memory
> block.
>
> Also, sometimes you can find the raw packet in a deallocated ndis common
> buffer. Would have to look up how to find those, though. XP is a
> distant memory for me. Trying to remember stuff from 5 or 6 years ago. :-)
>
> Regards,
>
> George.
> _______________________________________________
> Vol-users mailing list
> Vol-users@volatilityfoundation.org
> http://lists.volatilesystems.com/mailman/listinfo/vol-users
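A worked version of the search described in the quoted message, as an added example that is not code from either poster or from Volatility or EnCase: it builds the ASCII, UTF-16LE, network-order and host-order integer, and ROT13 forms of an IPv4 address plus the port in both byte orders, scans a constructed byte buffer standing in for a memory image, and reports where an address form and a port form sit within a few bytes of each other (the "convergences" the reply mentions). It assumes a little-endian host; attributing an offset to a process via the PFN database is left to Volatility.

```python
import codecs
import socket
import struct

def ip_patterns(ip):
    """Byte forms an IPv4 address may take in memory (label -> bytes).
    ROT13 rotates letters only, so for a dotted-quad the ROT13 forms are
    identical to the plain ASCII/UTF-16LE forms; they are kept to show that."""
    net = socket.inet_aton(ip)                      # big-endian, as on the wire
    rot = codecs.encode(ip, "rot13")
    return {
        "ascii": ip.encode("ascii"),
        "utf16le": ip.encode("utf-16-le"),          # Windows "Unicode" strings
        "be_int": net,                              # network byte order
        "le_int": net[::-1],                        # host order on x86 (assumed)
        "rot13_ascii": rot.encode("ascii"),
        "rot13_utf16le": rot.encode("utf-16-le"),
    }

def port_patterns(port):
    return {"port_be": struct.pack(">H", port), "port_le": struct.pack("<H", port)}

def scan(buf, patterns):
    """Sorted (offset, label) hits for every pattern; patterns with identical
    bytes (e.g. ascii and rot13_ascii) are reported once under a merged label."""
    merged = {}
    for label, pat in patterns.items():
        merged.setdefault(pat, []).append(label)
    hits = []
    for pat, labels in merged.items():
        i = buf.find(pat)
        while i != -1:
            hits.append((i, "/".join(labels)))
            i = buf.find(pat, i + 1)
    return sorted(hits)

def convergences(buf, ip, port, window=16):
    """Pairs (ip_off, ip_label, port_off, port_label) lying within `window`
    bytes, the spacing an address/port field pair in a socket structure has."""
    ip_hits = scan(buf, ip_patterns(ip))
    port_hits = scan(buf, port_patterns(port))
    return [(i, il, p, pl) for i, il in ip_hits
            for p, pl in port_hits if abs(i - p) <= window]

# Constructed sample "memory image": zero filler, a sockaddr_in-like record
# (family 2, port and address in network order), then the address as text.
SAMPLE = (b"\x00" * 64
          + b"\x02\x00" + struct.pack(">H", 6600) + socket.inet_aton("204.13.161.100")
          + b"\x00" * 8 + b"\xff" * 16
          + b"204.13.161.100" + b"\x00\x00"
          + "204.13.161.100".encode("utf-16-le") + b"\x00" * 20)

if __name__ == "__main__":
    for hit in scan(SAMPLE, ip_patterns("204.13.161.100")):
        print("ip  ", hit)
    print("pair", convergences(SAMPLE, "204.13.161.100", 6600))
```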