Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries
Block F, Dewald A (2019)
Publication Type: Journal article
Publication year: 2019
Journal
Book Volume: 29
Pages Range: S3-S12
DOI: 10.1016/j.diin.2019.04.008
Abstract
Malware utilizes code injection techniques to either manipulate other processes (e.g. done by banking trojans) or hide its existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time). In this work, we cover and evaluate hiding techniques that prevent executable pages (containing injected code) from being reported by current detection tools. These techniques can either be implemented by malware in order to hide its injected code (as already observed) or can, in one case, unintentionally be taken care of by the operating system through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. We implement our approach in a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages, and evaluate it against own implementations of different hiding techniques, as well as against real-world malware samples. (C) 2019 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.
Authors with CRIS profile
Involved external institutions
Germany (DE)How to cite
APA:
Block, F., & Dewald, A. (2019). Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries. Digital Investigation, 29, S3-S12. https://dx.doi.org/10.1016/j.diin.2019.04.008
MLA:
Block, Frank, and Andreas Dewald. "Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries." Digital Investigation 29 (2019): S3-S12.
BibTeX: Download