Channel: Forensic Focus Forums - Recent Topics

General Discussion: Pagefile.sys

Hi, it's late and I have no time to read all the answers... sorry.

The first thing I would do is check whether this IP is in allocated space (pagefile.sys) or unallocated space ("pagefile.sys" slack). Next, I would look for known structures in the bytes around this IP. In practice, when examining a memory dump or a "pagefile.sys" file, I often find well-known structures which can give clues on the origin of a string. For example, this afternoon I found a keyword in "pagefile.sys" that was surrounded by two "LfLe" strings. In examining the data it appeared that my keyword was inside an event record, so I could find its origin ("system.evt", due to the event ID and strings) and even a date... not so bad!

Structures you should check:

* MFT file entries: the "FILE" string is characteristic.
* Registry entries: the "nk", "vk", "sk" strings, which are characteristic of registry keys or values.
* Event logs: the string "LfLe" for ".evt" records, or "ElfFile" or "ElfChunk" for .evtx.
* Pool tags: I'm not a memory expert, so excuse me if my explanations are simplistic. In memory we can distinguish "paged pools" and "nonpaged pools". The latter is kept in RAM only, and the former can be written to "pagefile.sys" if necessary. So in "pagefile.sys" (or even in free space) we can find "pool tags", which are specific "headers" allowing us to determine which process / driver is at the origin of a record. Pool tag examples:
  - "TSrp" -> Terminal Service
  - "ScC?" -> CDROM
  - "NDPa" -> Apple Talk

In a recent case I found "xxx.exe" in pagefile.sys; it was surrounded by "Sdba" strings, which is the pool tag for "Application compatibility Sdb* allocations"...

A long list of pool tags here: http://blogs.technet.com/b/yongrhee/archive/2009/06/24/pool-tag-list.aspx

If you don't find which driver is linked to a certain pool tag, you can try this command: "strings * | findstr POOL_TAG" in "%Systemroot%\System32\Drivers" of the compromised computer.

Hope that helps.

Thierry
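The triage described in the post above (locate the keyword, then look for known structure signatures and pool tags in the surrounding bytes) as an added Python example; this is editor-written code, not the poster's or any forensic tool's. It uses only the signatures and pool tags named in the post, the sample buffer is constructed, and the registry-cell plausibility check (a little-endian int32 cell size, negative when allocated, precedes the two-byte "nk"/"vk"/"sk" signature in a hive) is an addition to filter the noise that two-byte tags otherwise generate.

```python
"""Scan a raw pagefile.sys (or any memory image) for a keyword and report
well-known structure signatures found in the bytes around each hit.
Editor-written example, not code from the original forum post."""

from __future__ import annotations

# Multi-byte structure signatures named in the post.
STRUCTURE_TAGS: dict[bytes, str] = {
    b"FILE": "NTFS MFT file record",
    b"LfLe": "Windows .evt event record",
    b"ElfFile": "Windows .evtx file header",
    b"ElfChunk": "Windows .evtx chunk header",
}
# Two-byte registry cell signatures: too noisy on their own, so they are only
# reported when a hive cell layout is plausible (see _plausible_cell).
REGISTRY_CELL_TAGS: dict[bytes, str] = {
    b"nk": "registry key cell",
    b"vk": "registry value cell",
    b"sk": "registry security descriptor cell",
}
# Pool tags quoted in the post (the full list lives at the linked reference).
POOL_TAGS: dict[bytes, str] = {
    b"TSrp": "Terminal Service",
    b"ScC?": "CDROM",
    b"NDPa": "Apple Talk",
    b"Sdba": "Application compatibility Sdb* allocations",
}


def _plausible_cell(data: bytes, sig_off: int) -> bool:
    """A hive cell starts with a little-endian int32 size (negative when the
    cell is allocated), followed by the signature. Require a sane, 8-byte
    aligned size so that 'nk' inside ordinary text is not reported."""
    if sig_off < 4:
        return False
    size = abs(int.from_bytes(data[sig_off - 4:sig_off], "little", signed=True))
    return 8 <= size <= 0x10000 and size % 8 == 0


def _find_all(data: bytes, needle: bytes, start: int, end: int) -> list[int]:
    """All offsets of needle in data[start:end]."""
    hits, pos = [], data.find(needle, start, end)
    while pos != -1:
        hits.append(pos)
        pos = data.find(needle, pos + 1, end)
    return hits


def scan_keyword(data: bytes, keyword: bytes, window: int = 256) -> list[dict]:
    """For every occurrence of keyword, list the known signatures within
    `window` bytes on either side, with offsets relative to the hit. Whether a
    hit lies in allocated or slack space must come from the file system, not
    from the raw bytes, so it is not decided here."""
    results = []
    for hit in _find_all(data, keyword, 0, len(data)):
        lo = max(0, hit - window)
        hi = min(len(data), hit + len(keyword) + window)
        nearby = []
        for table, kind in ((STRUCTURE_TAGS, "structure"), (POOL_TAGS, "pool tag")):
            for tag, what in table.items():
                for off in _find_all(data, tag, lo, hi):
                    nearby.append({"kind": kind, "tag": tag.decode(), "what": what, "rel": off - hit})
        for tag, what in REGISTRY_CELL_TAGS.items():
            for off in _find_all(data, tag, lo, hi):
                if _plausible_cell(data, off):
                    nearby.append({"kind": "registry cell", "tag": tag.decode(), "what": what, "rel": off - hit})
        nearby.sort(key=lambda n: n["rel"])
        results.append({"offset": hit, "nearby": nearby})
    return results


# Constructed sample image (TEST-NET address as the keyword): one hit inside an
# .evt-style record bracketed by "LfLe", one right after a "Sdba" pool tag, and
# one after an allocated "nk" cell with a decoy "vk" that has no plausible size.
KEYWORD = b"192.0.2.10"
SAMPLE = (
    b"\x00" * 64
    + b"LfLe" + b"\x01\x00\x00\x00" + b"event text mentioning " + KEYWORD + b" here"
    + b"\x00" * 40 + b"LfLe"
    + b"\x00" * 600
    + b"Sdba" + b"\x00" * 12 + KEYWORD
    + b"\x00" * 600
    + b"\xf0\xff\xff\xff" + b"nk" + b"\x00" * 30 + KEYWORD
    + b"\x00" * 4 + b"textvk" + b"\x00" * 16
)

if __name__ == "__main__":
    for hit in scan_keyword(SAMPLE, KEYWORD):
        print(f"hit at offset {hit['offset']:#x}")
        for n in hit["nearby"]:
            print(f"  {n['rel']:+6d}  {n['kind']:<13} {n['tag']:<8} {n['what']}")
```

On a real image, read the file in large overlapping chunks instead of loading it whole, and treat the relative offsets as a starting point for carving the enclosing record (for an "LfLe" hit, the record length precedes the signature and the event ID follows it), which is what turns a bare string into a source and a timestamp.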
