Also note yarascan only accesses available pages. The IP could be in a
page that's swapped to the pagefile or in a page that's been
freed/deallocated and is no longer referenced from any page table(s). In
the latter case, you could find it by extracting strings from the memory
dump or by scanning with yara signatures across the memory dump file
(i.e. not caring about virtual address spaces)...however if you find it
in either of two methods, there's no way to trace the page back to its
owner.
MHL
On 5/10/16 7:56 AM, Andrew Case wrote:
Hey,
Did you try the IP hex value in reverse? It is likely that the IP
address is stored as little endian in memory.
Thanks,
Andrew (@attrc)
On 05/10/2016 05:15 AM, tech(a)nisteo.fr wrote:
Hello,
I am starting to play with Volatility (2.5) and I am currently working
on a Win2008R2 image (memory dump with winpmem). I would like to
understand what is causing some network connections initiated by the
"System" process.
netscan shows those connections and I would like to be able to find
references to the IP addresses in the memory dump. I have tried
"yarascan -Y" plugin with the IP string, with the IP to integer value
(converted to Hex) but no luck finding IPs that, however, I can see in
the netscan result...
Either I am wrong with the yarascan syntax or there is something I don't
know regarding how Win2008 stores IP...
Any hints?
Thanks,
Laurent
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users
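To make Andrew's endianness point and MHL's dump-wide scan concrete: an added Python example (not from the thread and not a Volatility plugin) that derives every encoding of a dotted IPv4 address a scan should look for, emits a yara rule usable with yarascan -Y, and checks a constructed page so a hit can be attributed to its text or binary form. The names ip_search_patterns, yara_rule, find_encodings and SAMPLE_PAGE are assumptions of this example.

```python
import re
import socket

# Constructed sample page (not a real memory dump): a little-endian copy of
# the address at offset 8, followed by the ASCII text at offset 16.
SAMPLE_PAGE = (b"\x00" * 8 + b"\x0a\x01\xa8\xc0" + b"\xff" * 4
               + b"192.168.1.10\x00" + b"\x00" * 4)

def ip_search_patterns(ip):
    """Byte encodings of a dotted IPv4 address worth scanning for: ASCII,
    UTF-16LE (how Windows stores many strings), network byte order as
    netscan prints it, and the byte-reversed little-endian form."""
    packed = socket.inet_aton(ip)  # network (big-endian) order
    return {
        "ascii": ip.encode("ascii"),
        "utf16le": ip.encode("utf-16-le"),
        "big_endian": packed,
        "little_endian": packed[::-1],
    }

def yara_hex_string(data):
    """Format bytes as a yara hex string such as { 0A 01 A8 C0 }, which
    Volatility 2's yarascan -Y accepts as a bare pattern."""
    return "{ " + " ".join(f"{b:02X}" for b in data) + " }"

def yara_rule(ip, name="ipv4_any_encoding"):
    """Build one yara rule that matches every encoding at once."""
    pats = ip_search_patterns(ip)
    strings = [
        f'        $ascii = "{ip}" wide ascii',
        f"        $be = {yara_hex_string(pats['big_endian'])}",
        f"        $le = {yara_hex_string(pats['little_endian'])}",
    ]
    return (f"rule {name} {{\n    strings:\n" + "\n".join(strings)
            + "\n    condition:\n        any of them\n}")

def find_encodings(buf, ip):
    """Offsets of each encoding in a raw buffer, so a hit can be attributed
    to text vs. binary storage (and to the endianness of the binary copy)."""
    return {label: [m.start() for m in re.finditer(re.escape(pat), buf)]
            for label, pat in ip_search_patterns(ip).items()}

if __name__ == "__main__":
    print(yara_rule("192.168.1.10"))
    print(find_encodings(SAMPLE_PAGE, "192.168.1.10"))
```

Running find_encodings over the raw dump file, as MHL describes, finds pages no longer mapped by any process, but the offsets it returns are physical and cannot be tied back to an owning process.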