The traversal method for user address space in Windows 10 system based on VAD tree

Cited by: 0
Authors
Zhai J. [1 ]
Sun H. [1 ]
Zhao L. [1 ]
Yang H. [1 ]
Affiliation
[1] School of Computer Science and Technology, Harbin University of Science and Technology, Harbin
Source
Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University | 2022 / Vol. 40 / No. 3
Keywords
memory forensic; Rekall; user address space; VAD tree; Volatility;
DOI
10.1051/jnwpu/20224030699
Abstract
The existing traversal methods for user address space in memory forensics research apply only to Windows XP and Windows 7 32-bit systems. Windows 10 64-bit is currently used by most users and is therefore the main target of network attackers. A method to traverse the Windows 10 user address space based on the VAD (virtual address descriptor) tree is proposed. The kernel and user address space metadata in memory on Windows 10 64-bit systems were located. Related metadata such as mapped files, shared memory, heaps, stacks and reserved system structures were parsed and matched with the information in VAD tree nodes. The starting address, ending address, used size, allocation protection, memory type and details of each memory area were output. The results show that the method is compatible with all versions of Windows 10 64-bit and can effectively traverse common structures when dealing with processes of different complexity. ©2022 Journal of Northwestern Polytechnical University.
Pages: 699 / 707
Page count: 8