Author:
Zhai Jiqiang,Xiao Yajun,Yang Hailu,Wang Jian
Abstract
In the memory forensics, the Pool Tag Scanning based on the memory pool tag requires a detailed search of the physical memory when scanning the kernel driver object, which is very inefficient. The object scanning of Windows kernel driver by using the pool tag quick scanning is proposed. The method uses the quick pool tag scanning to reduce the memory range of the scan, and then scan the driver object according to the characteristics of the kernel driver object quickly, to help investigator to determine whether the driver is normal. Experimental results shows that the scanning efficiency for object scanning of kernel driver is improved greatly by using the quick pool tag scanning technology and the time spent in the scanning step is reduced while ensuring the false alarm rate is same.
Reference19 articles.
1. Amrita H, Wonjun L. Hiding Kernel Level Rootkits Using Buffer Overflow and Return Oriented Programming[J]. Information Systems Security, 2017, (10717): 107–126 [Article]
2. Wang Ning, Liu Zhijun, Mai Yonghao. Windows RootKit Detection and Forensics[J]. Netinfo Security, 2012, (2): 51–52 [Article]
(in Chinese)
3. Lan Yun, Li Baolin. The Digital Investigation and Forensics of Trojan Malware[J]. Netinfo Security, 2014, (5): 87–91 [Article]
(in Chinse)
4. Schuster A. Pool Allocations as an Information Source in Windows Memory Forensics[J]. IMF, 2006104–115 [Article]
5. Characterization of the windows kernel version variability for accurate memory analysis
Cited by
2 articles.
订阅此论文施引文献
订阅此论文施引文献,注册后可以免费订阅5篇论文的施引文献,订阅后可以查看论文全部施引文献
1. The traversal method for user address space in Windows 10 system based on VAD tree;Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University;2022-06
2. The memory forensic research oriented to segment heap in Windows 10 system;Xibei Gongye Daxue Xuebao/Journal of Northwestern Polytechnical University;2021-10