But for example netscan returns results based on structures found in the memory dump, so I think I should be able to find the corresponding IP with yarascan too? Or am I wrong when I think that IPs are also stored as integers in those structures?

(sorry to be a pain)

Thanks,

Laurent


On 2016-05-17 15:12, Michael Ligh wrote:
Hi Laurent,

Not necessarily. You're assuming that everything once in memory stays in
memory...which isn't the case. If you have an IP and you pass it to
ws2_32.connect() and then free or overwrite the memory containing the
IP...the connection stays up and running just fine. It could also be
swapped to the page file.

MHL

On 5/17/16 5:14 AM, Laurent LF wrote:
Thanks Michael,

What I don't understand is that yarascan on the "IP to integer" value on
the full mem dump gives a result in the svchost process only and not
anywhere else. I should have at least two occurrences, one in the svchost
process and one other in the System process, right?

Thanks,

Laurent


On 2016-05-12 23:18, Michael Ligh wrote:
I can't speak to whether it's "normal" but it's not surprising. The System
process is the default home for threads that start in kernel mode. Thus
any kernel driver using the winsock APIs for networking will make it
appear as if the System process is responsible. Now combine that with a
DLL that's implementing a particular service (and running inside the
svchost.exe process) that wants to communicate with its corresponding
driver...it could send an IOCTL and say "go connect to this x.x.x.x IP
address." In that case you could easily end up with a reference to the
IP in svchost.exe.

MHL

On 5/10/16 2:34 PM, Laurent LF wrote:
Hi,

I have progressed a bit on this.
I was first limiting my IP address searches to the process returned by
"netscan", which was "System" with pid=4. As I was convinced I should
have got some results within "System", I supposed I was wrong with the
syntax or the IP representation and made several other tries (IP as
string, little endian ordering as suggested by Andrew,...), still with
pid=4. I also made a few tries on the whole memory dump but with no
luck. It looks like I was doing something wrong because today I made
some tries again on the full memory dump and finally found the IPs (big
endian ordering) in ... a "svchost" process.

I still need to go deeper in the analysis (as far as my little knowledge
will allow me to go :-) ) but is it normal behavior to have netscan
reporting some connections linked with "System" when an IP search with
yarascan on the given IPs returns only a "svchost" process?
Also, I was expecting to find references to the IPs in several memory
locations but there is only one occurrence in this case, in the given
svchost process...

Thanks,
Laurent


On 10/05/2016 17:14, Michael Ligh wrote:
Also note yarascan only accesses available pages. The IP could be in a
page that's swapped to the pagefile or in a page that's been
freed/deallocated and is no longer referenced from any page table(s). In
the latter case, you could find it by extracting strings from the memory
dump or by scanning with yara signatures across the memory dump file
(i.e. not caring about virtual address spaces)...however if you find it
with either of the two methods, there's no way to trace the page back to
its owner.

MHL

On 5/10/16 7:56 AM, Andrew Case wrote:
Hey,

Did you try the IP hex value in reverse? It is likely that the IP
address is stored as little endian in memory.

Thanks,
Andrew (@attrc)

On 05/10/2016 05:15 AM, [email protected] wrote:
Hello,

I am starting to play with Volatility (2.5) and I am currently working
on a Win2008R2 image (memory dump with winpmem). I would like to
understand what is causing some network connections initiated by the
"System" process.
netscan shows those connections and I would like to be able to find
references to the IP addresses in the memory dump. I have tried the
"yarascan -Y" plugin with the IP string, with the IP to integer value
(converted to hex) but no luck finding IPs that, however, I can see in
the netscan result...
Either I am wrong with the yarascan syntax or there is something I don't
know regarding how Win2008 stores IPs...

Any hints?

Thanks,

Laurent
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
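As an added example for the byte-ordering question raised by Andrew and Laurent above (not code from the thread or from Volatility): a small Python helper that produces the three forms an IPv4 address can take in memory (dotted ASCII text, the 4 bytes in network/big-endian order as a sockaddr_in stores sin_addr, and the same 32-bit integer in little-endian host order), formats each one as a YARA hex string usable with yarascan -Y, and scans a constructed sample buffer for all three. The sample buffer, the address 192.168.1.10 and the function names are assumptions for illustration.

```python
import ipaddress
import re
import struct


def ip_patterns(ip: str) -> dict:
    """Byte forms in which an IPv4 address can appear in a memory image.

    'ascii': the dotted-quad text, e.g. b"192.168.1.10"
    'be':    4 bytes in network (big-endian) order, as sockaddr_in.sin_addr holds it
    'le':    the same 32-bit integer stored little-endian (x86 host order)
    """
    n = int(ipaddress.IPv4Address(ip))
    return {
        "ascii": ip.encode("ascii"),
        "be": struct.pack(">I", n),
        "le": struct.pack("<I", n),
    }


def yara_hex(pattern: bytes) -> str:
    """Format raw bytes as a YARA hex string, e.g. '{ c0 a8 01 0a }'."""
    return "{ " + " ".join(f"{b:02x}" for b in pattern) + " }"


def yarascan_args(ip: str) -> list:
    """One candidate value per representation for: yarascan -Y '<value>'."""
    return [yara_hex(p) for p in ip_patterns(ip).values()]


def find_ip(buf: bytes, ip: str) -> dict:
    """Offsets of every representation of `ip` in a raw buffer.

    These are offsets into the buffer, not virtual addresses, so (as noted
    in the thread) a hit cannot by itself be attributed to an owning process.
    """
    return {name: [m.start() for m in re.finditer(re.escape(pat), buf)]
            for name, pat in ip_patterns(ip).items()}


# Constructed sample "memory" (hypothetical): 16 bytes of padding, then a
# sockaddr_in for 192.168.1.10:443 (family little-endian, port and address in
# network order, 8 bytes of sin_zero), then the address as text, then the
# integer in little-endian host order.
SAMPLE = (
    b"\x00" * 16
    + struct.pack("<H", 2) + struct.pack(">H", 443) + b"\xc0\xa8\x01\x0a" + b"\x00" * 8
    + b"connect to 192.168.1.10 please\x00"
    + struct.pack("<I", int(ipaddress.IPv4Address("192.168.1.10")))
)

if __name__ == "__main__":
    for arg in yarascan_args("192.168.1.10"):
        print("yarascan -Y", repr(arg))
    print(find_ip(SAMPLE, "192.168.1.10"))
```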
