Also note yarascan only accesses available pages. The IP could be in a
page that's swapped to the pagefile or in a page that's been
freed/deallocated and is no longer referenced from any page table(s). In
the latter case, you could find it by extracting strings from the memory
dump or by scanning with yara signatures across the memory dump file
(i.e. not caring about virtual address spaces)...however, if you find it
by either of those two methods, there's no way to trace the page back to
its owner.

MHL

On 5/10/16 7:56 AM, Andrew Case wrote:
> Hey,
> 
> Did you try the IP hex value in reverse? It is likely that the IP
> address is stored as little endian in memory.
> 
> Thanks,
> Andrew (@attrc)
> 
> On 05/10/2016 05:15 AM, [email protected] wrote:
>> Hello,
>>
>> I am starting to play with Volatility (2.5) and I am currently working
>> on a Win2008R2 image (memory dump with winpmem). I would like to
>> understand what is causing some network connections initiated by the
>> "System" process.
>> netscan shows those connections and I would like to be able to find
>> references to the IP addresses in the memory dump. I have tried
>> "yarascan -Y" plugin with the IP string, with the IP to integer value
>> (converted to Hex) but no luck finding IPs that, however, I can see in
>> the netscan result...
>> Either I am wrong with the yarascan syntax or there is something I don't
>> know regarding how Win2008 stores IP...
>>
>> Any hints ?
>>
>> Thanks,
>>
>> Laurent
>> _______________________________________________
>> Vol-users mailing list
>> [email protected]
>> http://lists.volatilesystems.com/mailman/listinfo/vol-users
>>
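The two hints in this thread, the byte order of the stored address and scanning the raw dump file without regard to address spaces, as an added example that is not part of the original posts: it builds every candidate encoding of an IPv4 address (dotted ASCII, dotted UTF-16LE as Windows strings are usually stored, the 32-bit value in network order and in reversed/little-endian order), emits them as a YARA rule, and scans a constructed sample buffer by file offset. The address 10.0.0.5 and the sample buffer are constructed for the example.

```python
import ipaddress
import re


def ip_search_patterns(ip: str) -> dict:
    """Byte encodings under which an IPv4 address may sit in a memory dump."""
    packed = ipaddress.IPv4Address(ip).packed  # network byte order, e.g. 0A 00 00 05
    return {
        "ascii": ip.encode("ascii"),            # dotted string, 8-bit characters
        "utf16le": ip.encode("utf-16-le"),      # dotted string as a Windows UNICODE_STRING
        "be_uint32": packed,                    # 32-bit integer, big-endian / network order
        "le_uint32": packed[::-1],              # same integer with the bytes reversed
    }


def yara_rule(ip: str) -> str:
    """Render the candidates as a YARA rule (e.g. `yara rule.yar memory.raw`)."""
    p = ip_search_patterns(ip)

    def hexs(b: bytes) -> str:
        return " ".join(f"{x:02X}" for x in b)

    name = "ip_" + ip.replace(".", "_")
    return (
        f"rule {name} {{\n"
        f"  strings:\n"
        f'    $str = "{ip}" ascii wide\n'          # 'wide' covers the UTF-16LE form
        f"    $be = {{ {hexs(p['be_uint32'])} }}\n"
        f"    $le = {{ {hexs(p['le_uint32'])} }}\n"
        f"  condition:\n"
        f"    any of them\n"
        f"}}\n"
    )


def scan_dump(data: bytes, ip: str) -> dict:
    """Scan a raw dump buffer, ignoring virtual address spaces.
    Returns {encoding: [file offsets]}. A hit is only a file offset: as the
    reply above notes, a freed or paged-out page cannot be traced to its owner."""
    return {label: [m.start() for m in re.finditer(re.escape(pat), data)]
            for label, pat in ip_search_patterns(ip).items()}


# Constructed sample "dump": 16 bytes of padding, the address as a reversed
# (little-endian) uint32, 12 bytes of padding, the address as UTF-16LE, padding.
SAMPLE_DUMP = (b"\x00" * 16
               + ip_search_patterns("10.0.0.5")["le_uint32"]
               + b"\x00" * 12
               + "10.0.0.5".encode("utf-16-le")
               + b"\x00" * 8)

if __name__ == "__main__":
    print(yara_rule("10.0.0.5"))
    for enc, offs in scan_dump(SAMPLE_DUMP, "10.0.0.5").items():
        print(f"{enc:10s} {[hex(o) for o in offs]}")
```

Running the generated rule with the yara command-line tool against the dump file (rather than through yarascan) is the cross-address-space scan the reply describes.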


