The traversal method for user address space in Windows 10 system based on VAD tree

Cited by: 0

Authors
Zhai J. [1 ]
Sun H. [1 ]
Zhao L. [1 ]
Yang H. [1 ]
Affiliation
[1] School of Computer Science and Technology, Harbin University of Science and Technology, Harbin
Source
Xibei Gongye Daxue Xuebao / Journal of Northwestern Polytechnical University | 2022 / Vol. 40 / No. 3
Keywords
memory forensic; Rekall; user address space; VAD tree; Volatility;
DOI
10.1051/jnwpu/20224030699
Abstract
The existing traversal methods for the user address space in memory forensics research are only applicable to Windows XP and 32-bit Windows 7 systems. 64-bit Windows 10 is currently used by most users and is therefore the main target of network attackers. A method for traversing the Windows 10 user address space based on the VAD (virtual address descriptor) tree is proposed. The kernel and user address space metadata of 64-bit Windows 10 in memory were located. Related metadata, such as mapped files, shared memory, heaps, stacks and reserved system structures, were parsed and matched against the information in the VAD tree nodes. The starting address, ending address, used size, allocation protection, memory type and details of each memory region were output. The results show that the method is compatible with all versions of 64-bit Windows 10 and can effectively traverse the common structures when dealing with processes of differing complexity. ©2022 Journal of Northwestern Polytechnical University.
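The abstract describes the core of the method: walk the VAD tree in address order, decode each node's VPN range and protection, and label the region by matching it against other process metadata (mapped file names, PEB heap bases, TEB stack limits). The block below is an added example written for this page, not the paper's code or a Volatility/Rekall plugin. It models the `_MMVAD_SHORT` fields of 64-bit Windows 10 (`StartingVpn`/`StartingVpnHigh`, `EndingVpn`/`EndingVpnHigh`, `VadFlags.Protection`, `VadFlags.VadType`, `VadFlags.PrivateMemory`), but the tree, the heap list and the stack limits are constructed in memory rather than parsed from a dump, and the file name is assumed to have already been resolved from the node's control area.

```python
"""Walk a Windows 10 x64 VAD tree and emit one row per user-mode region.

Added example, not the paper's code. The node layout mirrors _MMVAD_SHORT,
but the tree, the PEB heap list and the TEB stack limits are constructed
sample data (assumption), not values parsed from a memory image.
"""
from dataclasses import dataclass
from typing import Dict, Iterator, List, Optional, Tuple

PAGE_SHIFT = 12
VAD_IMAGE_MAP = 2  # _MI_VAD_TYPE.VadImageMap

# VadFlags.Protection index -> Win32 name (same table Volatility's vadinfo uses).
PROTECT_FLAGS = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
    3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}


@dataclass
class Vad:
    starting_vpn: int                # low 32 bits of the first VPN
    ending_vpn: int                  # low 32 bits of the last VPN (inclusive)
    starting_vpn_high: int = 0       # bits 32..39 of the VPN (x64 only)
    ending_vpn_high: int = 0
    protection: int = 4              # 3-bit MM protection index
    vad_type: int = 0                # _MI_VAD_TYPE
    private: bool = True             # VadFlags.PrivateMemory
    file_name: Optional[str] = None  # assumed resolved from the ControlArea
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

    @property
    def start(self) -> int:
        return ((self.starting_vpn_high << 32) | self.starting_vpn) << PAGE_SHIFT

    @property
    def end(self) -> int:
        last_vpn = (self.ending_vpn_high << 32) | self.ending_vpn
        return ((last_vpn + 1) << PAGE_SHIFT) - 1


def walk_vad(root: Optional[Vad]) -> Iterator[Vad]:
    """Iterative in-order walk: nodes come out in ascending address order.
    No recursion, and a revisited node (corrupted or tampered tree) raises
    instead of looping forever."""
    stack: List[Vad] = []
    seen = set()
    node = root
    while stack or node:
        while node:
            if id(node) in seen:
                raise ValueError(f"cycle in VAD tree at {node.start:#x}")
            seen.add(id(node))
            stack.append(node)
            node = node.left
        node = stack.pop()
        yield node
        node = node.right


def region_kind(vad: Vad, heap_bases: List[int],
                stack_ranges: List[Tuple[int, int]]) -> Tuple[str, str]:
    """Label a region by cross-checking the node against PEB/TEB metadata."""
    if vad.file_name and vad.vad_type == VAD_IMAGE_MAP:
        return "Image", vad.file_name
    if vad.file_name:
        return "Mapped file", vad.file_name
    for base in heap_bases:                       # PEB.ProcessHeaps entries
        if vad.start <= base <= vad.end:
            return "Heap", f"heap base {base:#x}"
    for limit, base in stack_ranges:              # TEB StackLimit/StackBase
        if vad.start <= base - 1 and limit <= vad.end:
            return "Stack", f"TEB stack {limit:#x}-{base:#x}"
    return "Private", ""


def describe_regions(root: Vad, heap_bases: List[int],
                     stack_ranges: List[Tuple[int, int]]) -> List[Dict]:
    rows = []
    for vad in walk_vad(root):
        kind, detail = region_kind(vad, heap_bases, stack_ranges)
        rows.append({
            "start": vad.start, "end": vad.end, "size": vad.end - vad.start + 1,
            "protection": PROTECT_FLAGS.get(vad.protection, f"unknown({vad.protection})"),
            "type": kind, "detail": detail,
        })
    return rows


def build_sample_tree() -> Tuple[Vad, List[int], List[Tuple[int, int]]]:
    """Constructed sample (assumption): five regions typical of a Win10 x64 process."""
    image = Vad(0xff612340, 0xff61237f, 7, 7, protection=7, vad_type=VAD_IMAGE_MAP,
                private=False, file_name=r"\Windows\System32\notepad.exe")
    stack = Vad(0x0c40e700, 0x0c40e7ff, protection=4)
    heap = Vad(0x1e3c8a0, 0x1e3c99f, protection=4)
    nls = Vad(0x1e3c700, 0x1e3c703, protection=1, private=False,
              file_name=r"\Windows\System32\locale.nls")
    reserved = Vad(0x1e3c6f0, 0x1e3c6f0, protection=0)
    heap.left, heap.right, stack.right, nls.left = nls, stack, image, reserved
    heap_bases = [0x1e3c8a0000]                      # from PEB.ProcessHeaps
    stack_ranges = [(0xc40e7f0000, 0xc40e800000)]    # (StackLimit, StackBase)
    return heap, heap_bases, stack_ranges


if __name__ == "__main__":
    for r in describe_regions(*build_sample_tree()):
        print(f"{r['start']:#018x} {r['end']:#018x} {r['size']:#10x} "
              f"{r['protection']:<24} {r['type']:<12} {r['detail']}")
```

The root of the sample tree is the heap node, as it would be if `_EPROCESS.VadRoot` pointed there; the in-order walk still emits regions in ascending address order, which is the property a forensic tool relies on when it reports gaps or overlaps. Real tooling would read `VadRoot` from the process object and resolve the file name through `Subsection -> ControlArea -> FilePointer`; those steps are outside this block.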
Pages: 699-707
Page count: 8
References
17 entries in total
  • [1] ALICIA F, ALASTAIR N., Forensic analysis and data recovery from water-submerged hard drives, International Journal of Electronic Security and Digital Forensics, 13, 2, pp. 219-231, (2020)
  • [2] ZOLLNER S, CHOO K R, LE-KHAC N, et al., An automated live forensic and postmortem analysis tool for bitcoin on windows systems, IEEE Access, 7, pp. 158250-158263, (2019)
  • [3] DIOGO B, TIAGO B, DAVID D, et al., Forensic analysis of communication records of messaging applications from physical memory, Computers and Security, 86, pp. 484-497, (2019)
  • [4] ZHANG Yu, LIU Qingzhong, LI Tao, et al., Research and development of memory forensics, Journal of Software, 26, 5, pp. 1151-1172, (2015)
  • [5] ZHAI Jiqiang, XIAO Yajun, YANG Hailu, et al., Object scanning of Windows kernel driver based on pool tag quick scanning, Journal of Northwestern Polytechnical University, 37, 5, pp. 1044-1052, (2019)
  • [6] CHEN Zhifeng, LI Qingbao, ZHANG Ping, et al., Kernel integrity measurement method based on memory forensic, Journal of Software, 27, 9, pp. 2443-2458, (2016)
  • [7] AKABANE S, MIWA T, OKAMOTO T., An EAF guard driver to prevent shellcode from removing guard pages, Procedia Computer Science, 159, pp. 2432-2439, (2019)
  • [8] YU Yongbin, YU Wenjian, MO Jiehong, et al., Research on detection of dynamic link library injected by static modifying import table of portable executable file, Journal of University of Electronic Science and Technology of China, 49, 6, pp. 854-859, (2020)
  • [9] GAVITT D., The VAD tree: a process-eye view of physical memory, Digital Investigation, 4, pp. 62-64, (2007)
  • [10] WHITE A, SCHATZ B, FOO E., Surveying the user space through user allocations, Digital Investigation, 9, pp. 3-12, (2012)