The traversal method for user address space in Windows 10 system based on VAD tree

The existing traversal method for user address space in the memory forensic research is only applicable to Windows XP and Windows 7 32-bit system. Windows 10 64-bit system is currently used by most users, which is the main target of network attackers. A method to traverse Windows 10 user address space based on VAD (virtual address descriptor) tree is proposed. The memory kernel and user address space metadata of Windows 10 64-bit system was located. The related metadata such as mapping files, shared memory, heap, stack and reserved system structures were parsed and matched with the information in VAD tree nodes. The starting address, ending address, used size, allocating protection, memory type and details of each memory area were output. The results show that the method is compatible with all versions of Windows 10 64-bit system and can effectively traverse common structures when dealing with processes with different complexity. ©2022 Journal of Northwestern Polytechnical University.