Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries

Block F, Dewald A (2019)


Publication Type: Journal article

Publication year: 2019

Journal

Book Volume: 29

Pages Range: S3-S12

DOI: 10.1016/j.diin.2019.04.008

Abstract

Malware utilizes code injection techniques to either manipulate other processes (e.g. done by banking trojans) or hide its existence. With some exceptions, such as ROP gadgets, the injected code needs to be executable by the CPU (at least at some point in time). In this work, we cover and evaluate hiding techniques that prevent executable pages (containing injected code) from being reported by current detection tools. These techniques can either be implemented by malware in order to hide its injected code (as already observed) or can, in one case, unintentionally be taken care of by the operating system through its paging mechanism. In a second step, we present an approach to reveal such pages despite the mentioned hiding techniques by examining Page Table Entries. We implement our approach in a plugin for the memory forensic framework Rekall, which automatically reports any memory region containing executable pages, and evaluate it against own implementations of different hiding techniques, as well as against real-world malware samples. (C) 2019 The Author(s). Published by Elsevier Ltd on behalf of DFRWS.

Authors with CRIS profile

Involved external institutions

How to cite

APA:

Block, F., & Dewald, A. (2019). Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries. Digital Investigation, 29, S3-S12. https://doi.org/10.1016/j.diin.2019.04.008

MLA:

Block, Frank, and Andreas Dewald. "Windows Memory Forensics: Detecting (Un)Intentionally Hidden Injected Code by Examining Page Table Entries." Digital Investigation 29 (2019): S3-S12.

BibTeX: Download