Paper: 2022, Vol. 40, Issue 3: 699-707
Cite this article:
ZHAI Jiqiang, SUN Hongtai, ZHAO Luoping, YANG Hailu. The traversal method for user address space in Windows 10 system based on VAD tree[J]. Journal of Northwestern Polytechnical University, 2022, 40(3): 699-707

The traversal method for user address space in Windows 10 system based on VAD tree
ZHAI Jiqiang, SUN Hongtai, ZHAO Luoping, YANG Hailu
School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080, China
Abstract:
The existing user address space traversal methods in memory forensics research apply only to the 32-bit editions of Windows XP and Windows 7, while 64-bit Windows 10 is now in wide use by individual users and is a primary target of network attackers. This paper proposes a method for traversing the Windows 10 user address space based on the virtual address descriptor (VAD) tree. The method locates the kernel and user address space metadata in a 64-bit Windows 10 memory image, parses the metadata of memory-mapped files, shared memory, heap and stack buffers and reserved system structures, and matches it against the nodes of the VAD tree. For every memory region it then reports the allocation start and end addresses, the size in use, the allocation protection, the memory type and detailed information. Test results show that the method is compatible with all current versions of 64-bit Windows 10 and traverses the common structures effectively for processes of differing complexity.
Key words:    memory forensics    VAD tree    user address space    Volatility    Rekall
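The abstract describes the core of the method: walk the VAD tree in address order, turn each node's page numbers into an address range, decode its protection, and match the range against heap, stack and mapped-file metadata gathered from elsewhere in the image. The Python script below is an added example written for this page; it is not the authors' implementation and not code from Volatility or Rekall. The `_MMVAD` node is reduced to the fields the walk needs, the field names `private`, `file_name` and the `suspicious` flag are this example's own, and the tree, heap bases, thread stack limits and file name at the bottom are constructed sample data rather than values parsed from a memory image.

```python
"""Added example: walk a VAD tree in address order and annotate each region
as a vadinfo-style plugin would.  The _MMVAD layout is reduced to the fields
the walk needs; all data under 'sample input' is constructed, not parsed from
a memory image."""
from dataclasses import dataclass
from typing import Optional

PAGE_SHIFT = 12  # VAD nodes store 4 KiB virtual page numbers, not byte addresses

# Bits 0-2 of the VAD protection field select the base protection; bits 3-5
# are the MM_NOCACHE, MM_GUARD and MM_WRITECOMBINE modifiers.
_BASE_PROTECT = ["PAGE_NOACCESS", "PAGE_READONLY", "PAGE_EXECUTE",
                 "PAGE_EXECUTE_READ", "PAGE_READWRITE", "PAGE_WRITECOPY",
                 "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"]
_MODIFIERS = ((8, "PAGE_NOCACHE"), (16, "PAGE_GUARD"), (32, "PAGE_WRITECOMBINE"))

def decode_protection(value):
    """Turn the 6-bit VAD protection value into Win32-style flag names."""
    names = [_BASE_PROTECT[value & 7]]
    names += [name for bit, name in _MODIFIERS if value & bit]
    return "|".join(names)

@dataclass
class Vad:
    """Reduced _MMVAD node (assumed layout for this example)."""
    starting_vpn: int
    ending_vpn: int
    protection: int
    private: bool                    # VadFlags.PrivateMemory
    file_name: Optional[str] = None  # FILE_OBJECT name behind a mapped section
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

    @property
    def start(self):
        return self.starting_vpn << PAGE_SHIFT

    @property
    def end(self):  # inclusive last byte of the region
        return ((self.ending_vpn + 1) << PAGE_SHIFT) - 1

def walk_vad_tree(root):
    """In-order traversal: regions come out in ascending address order."""
    pending, node = [], root
    while pending or node:
        while node:
            pending.append(node)
            node = node.left
        node = pending.pop()
        yield node
        node = node.right

def classify(vad, heap_bases, thread_stacks):
    """Match a region against metadata gathered from the PEB and the TEBs."""
    if vad.file_name:
        return "Mapped file", vad.file_name
    for base in heap_bases:                  # PEB.ProcessHeaps entries
        if vad.start <= base <= vad.end:
            return "Private", f"Heap @ {base:#x}"
    for limit, base in thread_stacks:        # (TEB.StackLimit, TEB.StackBase)
        if vad.start < base and limit <= vad.end:
            return "Private", f"Stack [{limit:#x}-{base:#x})"
    return ("Private" if vad.private else "Shareable"), ""

def describe_process(root, heap_bases, thread_stacks):
    """One row per VAD: the columns the paper's method reports, plus a flag."""
    rows = []
    for vad in walk_vad_tree(root):
        mem_type, details = classify(vad, heap_bases, thread_stacks)
        rows.append({
            "start": vad.start, "end": vad.end, "size": vad.end - vad.start + 1,
            "protection": decode_protection(vad.protection),
            "type": mem_type, "details": details,
            # Private, writable+executable and explained by no file, heap or
            # stack: the shape malfind-style plugins flag as possible injection.
            "suspicious": (vad.private and not vad.file_name and not details
                           and (vad.protection & 7) in (6, 7)),
        })
    return rows

# ---- sample input (constructed, not from a real image) ---------------------
SAMPLE_HEAPS = [0x10000]                 # stands in for PEB.ProcessHeaps
SAMPLE_STACKS = [(0x270000, 0x280000)]   # stands in for (StackLimit, StackBase)

def build_sample_tree():
    heap = Vad(0x10, 0x1f, 4, private=True)
    stack_vad = Vad(0x200, 0x27f, 4, private=True)
    injected = Vad(0x300, 0x30f, 6, private=True)
    ntdll = Vad(0x7ffd0, 0x7ffef, 7, private=False,
                file_name=r"\Windows\System32\ntdll.dll")
    stack_vad.left, stack_vad.right = heap, injected
    injected.right = ntdll
    return stack_vad  # in-order walk yields heap, stack, injected, ntdll

if __name__ == "__main__":
    for r in describe_process(build_sample_tree(), SAMPLE_HEAPS, SAMPLE_STACKS):
        flag = "  <-- check" if r["suspicious"] else ""
        print(f"{r['start']:#014x} {r['end']:#014x} {r['size']:#9x} "
              f"{r['protection']:<24} {r['type']:<11} {r['details']}{flag}")
```

On a real image the walk starts at `_EPROCESS.VadRoot`, which on Windows 10 is an `_RTL_AVL_TREE` of `_RTL_BALANCED_NODE` links; on x64 the page numbers are split across `StartingVpn`/`StartingVpnHigh` and `EndingVpn`/`EndingVpnHigh`, heap bases come from `PEB.ProcessHeaps` and stack limits from each thread's TEB, all of which must be read with a profile that matches the build. The `suspicious` flag marks private regions that are both writable and executable and that no file, heap or stack accounts for; that is the same heuristic malfind-style plugins use, and it is a triage hint rather than proof of injection, since JIT compilers and packers produce the same shape.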
Received: 2021-07-12     Revised:
DOI: 10.1051/jnwpu/20224030699
Funding: National Natural Science Foundation of China (61403109), Natural Science Foundation of Heilongjiang Province (F2016024) and Heilongjiang Provincial Department of Education Science and Technology General Project (12531121)
About the author: ZHAI Jiqiang (b. 1972), professor and Ph.D. at Harbin University of Science and Technology, mainly engaged in network and information security research. e-mail: zaijiqiang@163.com
