I have found an interesting result and have a fair amount of data to share.
Bottom line is that connscan may have missed (and misreported) some connections (see
memory image).
2 IPs are missing; note the ports recorded by cports and those reported by V2.0
connscan. Check the attached xls search hits: where did ports 1088 and 1064 come from?
I can provide a copy of the memory image! The imager is win32dd.exe.
Here is the IP connection record I have from cports:
Date Time Log action PID Program Name Proto Source IP Destination IP
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80
3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80
3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80
3/12/2012 3:53:45 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80
3/12/2012 3:54:06 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80
3/12/2012 3:54:06 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80
3/12/2012 3:54:27 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80
3/12/2012 3:54:30 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80
3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80
3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80
Here is the result of V2.0 connscan:
Scan for connection objects (connscan):
Offset Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x041484c0 192.168.1.44:1088 98.142.243.60:80 1344
0x04193278 192.168.1.44:1093 65.54.51.29:443 3756
0x041cdc40 192.168.1.44:1064 98.142.243.60:80 1344
Attached are the search results of the memory image, with memory offsets. (A few are dups and
that may be the Win32dd imager.)
Where did ports 1088 and 1064 come from?
If anyone wants a copy of the memory image, it is 115 MB.
Mike
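The cross-check Mike describes (live cports log versus Volatility connscan output from the memory image) can be automated so the discrepancies are listed rather than eyeballed. The script below is an added example, not code from the post or from the Volatility project; it embeds the cports records and connscan table exactly as quoted above, parses both with regular expressions whose column layout is an assumption based on that quoted text, and reports which connection objects appear in only one source and which remote IPs the scan never surfaced. Note that connscan carves connection objects out of pool memory, so it can return entries for connections that had already closed as well as miss ones whose objects were overwritten, which is why a set difference in either direction is meaningful evidence rather than a bug in itself.

```python
import re
from collections import namedtuple

# Data constructed from the cports log quoted in the post (not a new capture).
CPORTS_LOG = """\
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80
3/12/2012 3:53:10 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80
3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1065 98.142.243.60:80
3/12/2012 3:53:11 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1066 98.142.243.60:80
3/12/2012 3:53:45 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80
3/12/2012 3:54:06 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80
3/12/2012 3:54:06 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1078 92.123.68.97:80
3/12/2012 3:54:27 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1080 98.142.243.60:80
3/12/2012 3:54:30 PM Added 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80
3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1063 212.117.175.34:80
3/12/2012 3:54:31 PM Removed 1344 fix_pack.exe TCP 192.168.1.44:1087 98.142.243.60:80
"""

# Data constructed from the connscan output quoted in the post.
CONNSCAN_OUT = """\
Offset Local Address Remote Address Pid
---------- ------------------------- ------------------------- ------
0x041484c0 192.168.1.44:1088 98.142.243.60:80 1344
0x04193278 192.168.1.44:1093 65.54.51.29:443 3756
0x041cdc40 192.168.1.44:1064 98.142.243.60:80 1344
"""

Conn = namedtuple("Conn", "local remote pid")

# Assumed column layouts: date time AM/PM action pid program proto local remote
CPORTS_RE = re.compile(r"^\S+ \S+ [AP]M (Added|Removed) (\d+) \S+ (?:TCP|UDP) (\S+) (\S+)$")
# offset local remote pid
CONNSCAN_RE = re.compile(r"^0x[0-9a-fA-F]+ (\S+) (\S+) (\d+)$")


def parse_cports(text):
    """Return (added, removed) sets of Conn from a cports log; non-matching lines are skipped."""
    added, removed = set(), set()
    for line in text.splitlines():
        m = CPORTS_RE.match(line.strip())
        if not m:
            continue
        action, pid, local, remote = m.groups()
        conn = Conn(local, remote, int(pid))
        (added if action == "Added" else removed).add(conn)
    return added, removed


def parse_connscan(text):
    """Return the set of Conn carved by connscan; header and ruler lines do not match."""
    conns = set()
    for line in text.splitlines():
        m = CONNSCAN_RE.match(line.strip())
        if m:
            local, remote, pid = m.groups()
            conns.add(Conn(local, remote, int(pid)))
    return conns


def remote_ip(conn):
    return conn.remote.rsplit(":", 1)[0]


def cross_check(cports_text, connscan_text):
    """Compare a live connection log against carved connection objects."""
    added, removed = parse_cports(cports_text)
    scanned = parse_connscan(connscan_text)
    return {
        # connection objects in the image that the live log never recorded
        "scan_only": sorted(scanned - added),
        # logged connections for which no object was carved
        "log_only": sorted(added - scanned),
        # remote hosts seen live but absent from the scan
        "remote_ips_missing_from_scan": sorted({remote_ip(c) for c in added}
                                               - {remote_ip(c) for c in scanned}),
        # connections the log says were opened but never closed
        "still_open_per_log": sorted(added - removed),
    }


if __name__ == "__main__":
    for key, value in cross_check(CPORTS_LOG, CONNSCAN_OUT).items():
        print(key)
        for item in value:
            print("   ", item)
```

Run against the quoted data, `remote_ips_missing_from_scan` lists the two remote hosts (212.117.175.34 and 92.123.68.97) that the post says are absent, and `scan_only` filtered to PID 1344 yields exactly the source ports 1064 and 1088 that cports never logged. Because cports polls at intervals, very short-lived connections can fall between samples, so a port that is only in the scan is not automatically a scanner error; the offsets in the attached search hits are the way to settle which case applies.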