Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries

Journal article


Publication details

Authors: Block F, Dewald A
Journal: Digital Investigation
Year of publication: 2019
Volume: 29
Page range: S3-S12
ISSN: 1742-2876
eISSN: 1873-202X


Abstract

Malware utilizes code injection techniques either to manipulate other processes (e.g. as done by banking trojans) or to hide its own existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time). In this work, we cover and evaluate hiding techniques that prevent executable pages (containing injected code) from being reported by current detection tools. These techniques can either be implemented by malware in order to hide its injected code (as already observed in the wild) or, in one case, can unintentionally be applied by the operating system itself through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. We implement our approach as a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages, and evaluate it against our own implementations of the different hiding techniques, as well as against real-world malware samples. (C) 2019 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.


FAU authors / FAU editors

Dewald, Andreas Dr.-Ing.
Lehrstuhl für Informatik 1 (IT-Sicherheitsinfrastrukturen)


Institutions of other authors

ERNW Enno Rey Netzwerke GmbH


Citation formats

APA:
Block, F., & Dewald, A. (2019). Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries. Digital Investigation, 29, S3-S12. https://dx.doi.org/10.1016/j.diin.2019.04.008

MLA:
Block, Frank, and Andreas Dewald. "Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries." Digital Investigation 29 (2019): S3-S12.

Last updated 2019-01-08 at 07:53