Paper: 2019, Vol. 37, Issue 5: 1044-1052
Cite this article:
ZHAI Jiqiang, XIAO Yajun, YANG Hailu, WANG Jian. Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning[J]. Journal of Northwestern Polytechnical University, 2019, 37(5): 1044-1052

Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
ZHAI Jiqiang, XIAO Yajun, YANG Hailu, WANG Jian
School of Computer Science and Technology, Harbin University of Science and Technology, Harbin 150080, China
Abstract:
In computer memory forensics, pool tag scanning based on memory pool tags must exhaustively search all of physical memory when scanning for kernel driver objects, which is very inefficient. This paper proposes a method for scanning Windows kernel driver objects that uses pool tag quick scanning. The method first applies pool tag quick scanning to reduce the range of memory that has to be scanned, and then quickly scans for driver objects according to the characteristics of kernel driver objects, helping investigators determine whether a driver is anomalous. Experiments show that using pool tag quick scanning for kernel driver object scanning greatly improves scanning efficiency and reduces the time spent in the scanning step while keeping the false alarm rate unchanged.
Key words:    memory forensics    pool tag    pool tag quick scanning    kernel driver object
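The following is an added illustration of the two scanning strategies the abstract contrasts; it is not code from the paper. It builds a small constructed memory image, runs an exhaustive pool tag scan over every page and a range-restricted "quick" scan over only the pages assumed to hold nonpaged pool, and validates each 'Driv'-tagged candidate against driver-object characteristics. The pool tag 'Driv' and the DRIVER_OBJECT.Type value 4 are real Windows conventions; the 8-byte header shape, the object body layout, and the list of pool page ranges are simplified stand-ins (the real quick-scan technique derives those ranges from allocator metadata, which is not modelled here).

```python
"""
Pool tag scanning demo: exhaustive scan vs. range-restricted ("quick") scan
over a constructed memory image. The header and object layouts below are
simplified stand-ins, not the real Windows _POOL_HEADER / _DRIVER_OBJECT.
"""
import struct

PAGE = 0x1000
DRIVER_TAG = b"Driv"      # real pool tag used for driver object allocations
IO_TYPE_DRIVER = 4        # real DRIVER_OBJECT.Type value

# Constructed pool header: packed size fields (4 bytes) followed by the 4-byte tag,
# mirroring the shape of the 32-bit header where BlockSize sits at bits 16..24.
HDR_FMT = "<I4s"
HDR_SIZE = struct.calcsize(HDR_FMT)     # 8
# Constructed object body: Type, Size, DriverStart, DriverSize, DriverName
OBJ_FMT = "<HHII16s"
OBJ_SIZE = struct.calcsize(OBJ_FMT)     # 28


def pool_header(block_units: int, tag: bytes) -> bytes:
    """Pack BlockSize (in 8-byte units) into bits 16..24; other fields left zero."""
    return struct.pack(HDR_FMT, (block_units & 0x1FF) << 16, tag)


def driver_object(start: int, size: int, name: bytes,
                  type_: int = IO_TYPE_DRIVER, obj_size: int = OBJ_SIZE) -> bytes:
    return struct.pack(OBJ_FMT, type_, obj_size, start, size, name.ljust(16, b"\0"))


def build_image():
    """Constructed 16-page image. Pool pages are 2, 3 and 9; all else is filler."""
    img = bytearray(b"\xCC" * (16 * PAGE))        # filler that never matches the tag
    units = (HDR_SIZE + OBJ_SIZE + 7) // 8          # 5 units = 40 bytes

    def place(off, hdr, body):
        img[off:off + len(hdr) + len(body)] = hdr + body

    # two genuine driver objects inside pool pages
    place(2 * PAGE + 0x40, pool_header(units, DRIVER_TAG),
          driver_object(0x80400000, 0x8000, b"\\Driver\\disk"))
    place(3 * PAGE + 0x100, pool_header(units, DRIVER_TAG),
          driver_object(0x80500000, 0x3000, b"\\Driver\\tcpip"))
    # a 'Driv'-tagged block whose body fails the object checks (wrong Type, zero size)
    place(9 * PAGE + 0x200, pool_header(units, DRIVER_TAG),
          driver_object(0, 0, b"junk", type_=0x13))
    # assumed pool page ranges (what the quick-scan step would supply)
    pool_ranges = [(2 * PAGE, 4 * PAGE), (9 * PAGE, 10 * PAGE)]
    return img, pool_ranges


def looks_like_driver_object(body: bytes) -> bool:
    """Characteristic checks on a candidate body: Type, Size, image range, name."""
    if len(body) < OBJ_SIZE:
        return False
    type_, size, start, drv_size, name = struct.unpack(OBJ_FMT, body[:OBJ_SIZE])
    if type_ != IO_TYPE_DRIVER or size != OBJ_SIZE:
        return False
    if start == 0 or drv_size == 0:
        return False
    name = name.rstrip(b"\0")
    return name.startswith(b"\\Driver\\") and name[8:].isalnum()


def scan_ranges(img, ranges, tag=DRIVER_TAG, step=8):
    """Check the tag slot of every 8-byte-aligned candidate header in `ranges`.
    Returns (hits, bytes_examined); hits are (header_offset, object_offset)."""
    hits, examined = [], 0
    for lo, hi in ranges:
        examined += hi - lo
        for off in range(lo, hi - HDR_SIZE, step):
            if img[off + 4:off + 8] != tag:
                continue
            packed, _ = struct.unpack(HDR_FMT, img[off:off + HDR_SIZE])
            block_units = (packed >> 16) & 0x1FF
            if block_units * 8 < HDR_SIZE + OBJ_SIZE:   # block too small to hold an object
                continue
            body = bytes(img[off + HDR_SIZE:off + HDR_SIZE + OBJ_SIZE])
            if looks_like_driver_object(body):
                hits.append((off, off + HDR_SIZE))
    return hits, examined


def exhaustive_scan(img):
    return scan_ranges(img, [(0, len(img))])


def quick_scan(img, pool_ranges):
    return scan_ranges(img, pool_ranges)


if __name__ == "__main__":
    image, ranges = build_image()
    full_hits, full_bytes = exhaustive_scan(image)
    quick_hits, quick_bytes = quick_scan(image, ranges)
    print("exhaustive:", [hex(h) for h, _ in full_hits], "bytes examined:", full_bytes)
    print("quick:     ", [hex(h) for h, _ in quick_hits], "bytes examined:", quick_bytes)
```

Both scans report the same two objects and reject the tagged block with a bad Type, which is the "same false alarm rate" property the abstract claims; the difference is that the quick scan examines three pages instead of sixteen. The saving depends entirely on the range list being trustworthy, so in practice the ranges must come from allocator metadata read out of the same image rather than from a fixed table.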
Received: 2018-10-22
DOI: 10.1051/jnwpu/20193751044
Funding: supported by the National Natural Science Foundation of China (61403109), the Natural Science Foundation of Heilongjiang Province (F2016024), and the Science and Technology General Project of the Heilongjiang Provincial Department of Education (12531121)
About the author: ZHAI Jiqiang (born 1972), professor at Harbin University of Science and Technology, mainly engaged in network and information security research.
