Hello,
connscan scans physical memory to find connection
structures. These structures can correspond to connections that
were previously closed but whose structures have not yet been overwritten by
a new connection.
What you are seeing is that a process with PID 1260 performed some
network activity and then later exited. The process structure (EPROCESS)
related to the process was later overwritten while the connection
structure was not.
Thanks,
Andrew (@attrc)
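To make the point above concrete, here is a toy pool-tag scanner, added to this thread as an illustration and not code from Volatility or from either poster. It uses a hypothetical tag ("TCPT") and a simplified, made-up record layout (PID, local IP/port, remote IP/port) rather than any real _TCPT_OBJECT layout, and builds a small constructed "physical memory" image containing one connection owned by a live process, one false tag hit, and one connection whose owning process (PID 1260) has already exited. Scanning carves all plausible records regardless of whether any live kernel list still references them, and cross-referencing against a process list then shows exactly the situation described: a PID that connscan reports but pslist does not know about.

```python
"""Toy pool-tag scanner showing why connscan can report a PID that
pslist/psscan/psxview no longer list. Constructed example; not Volatility code."""
from __future__ import annotations

import struct
from dataclasses import dataclass

# Hypothetical pool tag and record layout, chosen for illustration only.
# Real connection-object layouts differ per Windows build and are not reproduced.
POOL_TAG = b"TCPT"
REC_FMT = "<I4sH4sH"                 # pid, local ip, local port, remote ip, remote port
REC_SIZE = struct.calcsize(REC_FMT)  # 16 bytes


@dataclass(frozen=True)
class Conn:
    offset: int   # physical offset of the tag in the image
    pid: int
    local: str    # "ip:port"
    remote: str   # "ip:port"


def _pack_ip(dotted: str) -> bytes:
    return bytes(int(o) for o in dotted.split("."))


def _fmt_ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)


def make_record(pid: int, lip: str, lport: int, rip: str, rport: int) -> bytes:
    """Serialize one connection object in the toy layout (tag + fixed record)."""
    return POOL_TAG + struct.pack(REC_FMT, pid, _pack_ip(lip), lport, _pack_ip(rip), rport)


def build_image() -> bytes:
    """Constructed 'physical memory': filler, a connection owned by a live process,
    filler, the tag embedded in unrelated data (false positive), filler, and a
    stale connection whose owner (PID 1260) has exited but was never overwritten."""
    def filler(n: int) -> bytes:  # deterministic junk that never spells out the tag
        return bytes((i * 31 + 7) & 0xFF for i in range(n))

    live = make_record(1044, "192.168.1.20", 1045, "10.0.0.5", 443)
    decoy = POOL_TAG + struct.pack(REC_FMT, 1, b"\0\0\0\0", 0, b"\xff" * 4, 0)
    stale = make_record(1260, "192.168.1.20", 1038, "203.0.113.7", 80)
    return filler(64) + live + filler(40) + decoy + filler(33) + stale + filler(16)


def connscan(image: bytes) -> list[Conn]:
    """Scan every byte offset for the tag and carve plausible records, whether or
    not any live kernel list still references them. Closed-but-not-overwritten
    connections are carved exactly like active ones."""
    found: list[Conn] = []
    pos = image.find(POOL_TAG)
    while pos != -1:
        start = pos + len(POOL_TAG)
        body = image[start:start + REC_SIZE]
        if len(body) == REC_SIZE:
            pid, lip, lport, rip, rport = struct.unpack(REC_FMT, body)
            # Plausibility checks keep random tag hits out of the output:
            # Windows PIDs are non-zero multiples of 4, and ports must be set.
            if pid > 0 and pid % 4 == 0 and lport > 0 and rport > 0:
                found.append(Conn(pos, pid,
                                  f"{_fmt_ip(lip)}:{lport}",
                                  f"{_fmt_ip(rip)}:{rport}"))
        pos = image.find(POOL_TAG, pos + 1)
    return found


def cross_reference(conns: list[Conn], pslist_pids: set[int]) -> dict[int, str]:
    """Label each carved connection by whether its owning PID is still in the
    process list. A PID missing from the list is the signature of a process that
    exited (EPROCESS gone or overwritten) while its connection object survived."""
    return {c.pid: ("active" if c.pid in pslist_pids else "exited or stale")
            for c in conns}


if __name__ == "__main__":
    img = build_image()
    conns = connscan(img)
    verdicts = cross_reference(conns, {4, 376, 588, 1044})  # constructed pslist PIDs
    for c in conns:
        print(f"0x{c.offset:08x} {c.local:>19} -> {c.remote:<19} "
              f"pid {c.pid:5d} ({verdicts[c.pid]})")
```

Running it prints two carved connections: the one owned by PID 1044 is marked active, while the one owned by PID 1260 is marked "exited or stale" because no process with that PID is in the constructed process list. The decoy tag hit is dropped by the plausibility checks, which stand in for the kind of sanity checking a real scanner does to keep false positives down. When triaging a real image, the same cross-check (connscan output against pslist/psscan/psxview) is how you tell a connection made by a still-running process from one left behind by a process that has already exited.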
On 3/27/2014 2:09 AM, Nouman Zia wrote:
Hey,
In the images (tigger.vmem, sality.vmem and black energy) the
connscan plugin gives output showing that these images are making
connections with some IPs and also gives the PID of the process that is
making such connections, but when I used the PSLIST, PSSCAN and PSXVIEW
plugins, none of them showed the process with that
PID (the one making the connection).
P.S.: In all the above-mentioned images the process ID is the same, i.e. PID=1260.
So the problem is: why is it not showing any detail about PID=1260?
_______________________________________________
Vol-users mailing list
Vol-users(a)volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-users