[Vol-users] Need some assistance with strings output

Tom Yarrish tom at yarrish.com
Wed Oct 26 16:43:41 CDT 2011


Hello all,
I'm looking for some guidance on next steps with some data I have from
a memory analysis.

I was following the steps on using strings to look for processes that
might have malicious IPs or URLs in memory:

https://code.google.com/p/volatility/wiki/CommandReference#strings

The issue I'm having now is where to proceed with the output I have.
So for example in my URL.txt file I have this:

1b64666b7 [2632:834520759] http://ghc.ru
1b646674d [2632:834520909] http://rst.void.ru

Now my understanding of the output is [PID:Address Space].  The
particular PID in this instance refers to:

0x89c82020 WINWORD.EXE            2632   2284     11    943 2011-10-11 15:07:13

So how do I go deeper into looking at why winword.exe may be making
http requests?  And what does the first value (ex 1b64666b7) refer to?
Is that the virtual address in the memory dump file or something
else?

If there's any additional docs online I could look at to explain this
further that would be helpful as well.

Thanks ahead of time,
Tom
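
One way to work with this output, as an added example that is not part of the original post or of Volatility itself: a small parser for lines shaped like the two quoted above. It assumes the format `<offset> [<owner>:<vaddr> ...] <string>`, where the first field is the offset the external `strings` tool printed for the byte in the dump file (hex, as produced by `strings -t x`), the owner is a PID (the word `kernel` and the bracket text `FREE MEMORY` are handled on the assumption that the plugin can print them), and the virtual address is decimal, as it is in the quoted lines. The page-offset check is the practitioner's sanity test: under 4 KiB paging the low 12 bits of the file offset and of the virtual address must agree (0x6b7 in the first quoted line), which is a quick way to confirm that the first column is a position in the dump and the bracketed number is where that same byte sits in the process. The sample lines beyond the two quoted ones are constructed for the example.

```python
import re
from collections import defaultdict

# Example added by the editor; not part of the original post or of Volatility.
# Assumed line format (matches the two lines quoted in the post):
#   <offset> [<owner>:<vaddr> ...] <string>
# <offset>: what the external `strings` tool printed for the byte's position in
#           the dump file (hex here, as from `strings -t x`).
# <owner>:  a PID, or (assumption) the word "kernel".
# <vaddr>:  virtual address of that byte in the owner's address space, decimal.
# "FREE MEMORY" inside the brackets marks an unmapped page (assumption).
LINE_RE = re.compile(r'^(?P<offset>\S+)\s+\[(?P<owners>[^\]]*)\]\s*(?P<string>.*)$')

PAGE_MASK = 0xFFF  # 4 KiB pages assumed; a large-page mapping would need a wider mask


def parse_line(line, offset_base=16):
    """Return (file_offset, [(owner, vaddr), ...], string), or None if the line does not match."""
    m = LINE_RE.match(line.rstrip('\n'))
    if not m:
        return None
    file_offset = int(m.group('offset'), offset_base)
    owners = []
    brackets = m.group('owners').strip()
    if brackets and brackets != 'FREE MEMORY':
        for token in brackets.replace(',', ' ').split():
            owner, vaddr = token.split(':', 1)
            owners.append((owner, int(vaddr, 10)))
    return file_offset, owners, m.group('string')


def page_offset_consistent(file_offset, vaddr):
    """Under 4 KiB paging, the physical and virtual addresses of one byte share their low 12 bits."""
    return (file_offset & PAGE_MASK) == (vaddr & PAGE_MASK)


def group_by_owner(lines, offset_base=16):
    """Map owner -> list of (file_offset, vaddr, string); FREE MEMORY hits have no owner and are skipped."""
    hits = defaultdict(list)
    for line in lines:
        parsed = parse_line(line, offset_base)
        if parsed is None:
            continue
        file_offset, owners, s = parsed
        for owner, vaddr in owners:
            hits[owner].append((file_offset, vaddr, s))
    return dict(hits)


# The first two lines are the ones quoted in the post; the last two are
# constructed here to exercise the FREE MEMORY and kernel cases.
SAMPLE = [
    "1b64666b7 [2632:834520759] http://ghc.ru",
    "1b646674d [2632:834520909] http://rst.void.ru",
    "1b6470000 [FREE MEMORY] http://example.invalid",
    "0001a2b3c [kernel:2290461500] http://example.invalid/kernel",
]


def summarize(lines=SAMPLE):
    """For each owner, list hits as (hex vaddr, string, page-offset sanity flag)."""
    out = {}
    for owner, entries in group_by_owner(lines).items():
        out[owner] = [(hex(vaddr), s, page_offset_consistent(file_offset, vaddr))
                      for file_offset, vaddr, s in entries]
    return out


if __name__ == '__main__':
    for owner, entries in summarize().items():
        print(owner)
        for vaddr_hex, s, ok in entries:
            print('  {} {} {}'.format(vaddr_hex, s, 'ok' if ok else 'PAGE OFFSET MISMATCH'))
```

Once the hits are grouped per PID, the hex virtual addresses are what you feed to a process-memory dump or a per-process VAD listing to see which mapped region (the main image, a DLL, a heap) holds the string; a page-offset mismatch would instead point at a mis-parsed offset column (for instance decimal output from `strings -t d` parsed as hex).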

