Yes, those are IN_ADDR: https://msdn.microsoft.com/en-us/library/windows/hardware/ff556972(v=vs.85).aspx
So, not an integer - 4 UCHARs. You should be able to find the IN_ADDR structure with the proper yara rule in that case.

MHL

On 5/17/16 8:47 AM, Laurent LF wrote:
> But for example netscan returns results based on structures found in memory dump, so I think I should be able to find corresponding IP with yarascan too ? Or am I wrong when I think that IPs are also stored as Integer in those structures ?
>
> (sorry to be a pain)
>
> Thanks,
>
> Laurent
>
> On 2016-05-17 15:12, Michael Ligh wrote:
>> Hi Laurent,
>>
>> Not necessarily. You're assuming that everything once in memory stays in memory...which isn't the case. If you have an IP and you pass it to ws2_32.connect() and then free or overwrite the memory containing the IP...the connection stays up and running just fine. It could also be swapped to the page file.
>>
>> MHL
>>
>> On 5/17/16 5:14 AM, Laurent LF wrote:
>>> Thanks Michael,
>>>
>>> What I don't understand is that yarascan on the "IP to integer" value on the full mem dump gives a result in the svchost process only and not anywhere else. I should have at least two occurrences, one in the svchost process and one other in the System process, right ?
>>>
>>> Thanks,
>>>
>>> Laurent
>>>
>>> On 2016-05-12 23:18, Michael Ligh wrote:
>>>> I can't speak to whether it's "normal" but it's not surprising. The System process is the default home for threads that start in kernel mode. Thus any kernel driver using the winsock APIs for networking will make it appear as if the System process is responsible. Now combine that with a DLL that's implementing a particular service (and running inside svchost.exe process) who wants to communicate with its corresponding driver...it could send an IOCTL and say "go connect to this x.x.x.x IP address." In that case you could easily end up with a reference to the IP in svchost.exe.
>>>>
>>>> MHL
>>>>
>>>> On 5/10/16 2:34 PM, Laurent LF wrote:
>>>>> Hi,
>>>>>
>>>>> I have progressed a bit on this.
>>>>> I was first limiting my IP addresses searches on the process returned by "netscan", which was "System" with pid=4. As I was convinced I should have got some results within "System", I supposed I was wrong with the syntax or the IP representation and made several other tries (IP as string, little endian ordering as suggested by Andrew,...), still with pid=4. I also made a few tries on the whole memory dump but with no luck. It looks like I was doing something wrong because today I made some tries again on full memory dump and finally found the IPs (big endian ordering) in ... a "svchost" process.
>>>>>
>>>>> I still need to go deeper in the analysis (as far as my little knowledge will allow me to go :-) ) but is it normal behavior to have netscan reporting some connections linked with "System" when IP search with yarascan on given IPs returns only a "svchost" process ?
>>>>> Also, I was expecting to find references to the IPs in several memory locations but only one occurrence in this case, in the given svchost process...
>>>>>
>>>>> Thanks,
>>>>> Laurent
>>>>>
>>>>> On 10/05/2016 17:14, Michael Ligh wrote:
>>>>>> Also note yarascan only accesses available pages. The IP could be in a page that's swapped to the pagefile or in a page that's been freed/deallocated and is no longer referenced from any page table(s). In the latter case, you could find it by extracting strings from the memory dump or by scanning with yara signatures across the memory dump file (i.e. not caring about virtual address spaces)...however if you find it in either of two methods, there's no way to trace the page back to its owner.
>>>>>>
>>>>>> MHL
>>>>>>
>>>>>> On 5/10/16 7:56 AM, Andrew Case wrote:
>>>>>>> Hey,
>>>>>>>
>>>>>>> Did you try the IP hex value in reverse? It is likely that the IP address is stored as little endian in memory.
>>>>>>>
>>>>>>> Thanks,
>>>>>>> Andrew (@attrc)
>>>>>>>
>>>>>>> On 05/10/2016 05:15 AM, [email protected] wrote:
>>>>>>>> Hello,
>>>>>>>>
>>>>>>>> I am starting to play with Volatility (2.5) and I am currently working on a Win2008R2 image (memory dump with winpmem). I would like to understand what is causing some network connections initiated by the "System" process.
>>>>>>>> netscan shows those connections and I would like to be able to find references to the IP addresses in the memory dump. I have tried "yarascan -Y" plugin with the IP string, with the IP to integer value (converted to Hex) but no luck finding IPs that, however, I can see in the netscan result...
>>>>>>>> Either I am wrong with the yarascan syntax or there is something I don't know regarding how Win2008 stores IP...
>>>>>>>>
>>>>>>>> Any hints ?
>>>>>>>>
>>>>>>>> Thanks,
>>>>>>>>
>>>>>>>> Laurent
_______________________________________________
Vol-users mailing list
[email protected]
http://lists.volatilesystems.com/mailman/listinfo/vol-users
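An added example, not from the thread or from the Volatility project, showing why the byte order discussed above decides whether a scan hits: the IN_ADDR bytes (4 UCHARs in network order) are identical to the "big endian" integer, while the little-endian integer never matches a sockaddr_in. The sample blob, the rule name and the helper names are constructed for the illustration.

```python
import ipaddress
import socket
import struct


def ip_patterns(ip):
    """Byte encodings under which one IPv4 address may sit in a memory image."""
    addr = ipaddress.IPv4Address(ip)
    return {
        "in_addr": socket.inet_aton(ip),               # IN_ADDR: C0 A8 01 0A (network order)
        "le_uint32": struct.pack("<I", int(addr)),     # "IP to integer" reversed: 0A 01 A8 C0
        "ascii": ip.encode("ascii"),                   # dotted string, e.g. from a config or log
        "utf16le": ip.encode("utf-16-le"),             # Windows wide-character string
    }


def yara_rule(ip, name="ipv4_candidates"):
    """Build yara rule source covering every encoding (save to a file for yarascan -y)."""
    def hexstr(b):
        return "{ " + " ".join(f"{x:02X}" for x in b) + " }"
    lines = [f"rule {name} {{", "    strings:"]
    for key, pat in ip_patterns(ip).items():
        lines.append(f"        ${key} = {hexstr(pat)}")
    lines += ["    condition:", "        any of them", "}"]
    return "\n".join(lines)


def find_patterns(buf, ip):
    """Offsets of each encoding in buf; a plain stand-in for running yara."""
    hits = {}
    for key, pat in ip_patterns(ip).items():
        offsets, start = [], 0
        while (i := buf.find(pat, start)) != -1:
            offsets.append(i)
            start = i + 1
        hits[key] = offsets
    return hits


# Constructed sample: 16 bytes of padding, then a sockaddr_in-like record with
# sin_family = AF_INET (host order), sin_port = 443 (network order), sin_addr (IN_ADDR).
SAMPLE = (b"\x00" * 16
          + struct.pack("<H", 2) + struct.pack("!H", 443)
          + socket.inet_aton("192.168.1.10") + b"\x00" * 8)

if __name__ == "__main__":
    print(yara_rule("192.168.1.10"))
    print(find_patterns(SAMPLE, "192.168.1.10"))   # only "in_addr" hits, at offset 20
```

The integer form found with "big endian ordering" in the thread is exactly the `in_addr` pattern here; the reversed (little-endian) integer only matches if a program stored the address as a native DWORD rather than as an IN_ADDR.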
