The traversal method for user address space in Windows 10 system based on VAD tree
Existing methods for traversing the user address space in memory forensics research apply only to Windows XP and 32-bit Windows 7. 64-bit Windows 10 is now the system most users run, and therefore the main target of network attackers. This paper proposes a method for traversing the Windows 10 user address space based on the VAD (virtual address descriptor) tree. The kernel and user address-space metadata of 64-bit Windows 10 is located; related metadata such as mapped files, shared memory, heaps, stacks and reserved system structures is parsed and matched against the information held in the VAD tree nodes; and the starting address, ending address, used size, allocation protection, memory type and details of each memory region are output. The results show that the method is compatible with all versions of 64-bit Windows 10 and effectively traverses the common structures of processes of differing complexity.

Main Authors: | ZHAI Jiqiang, SUN Hongtai, ZHAO Luoping, YANG Hailu (School of Computer Science and Technology, Harbin University of Science and Technology) |
---|---|
Format: | Article |
Language: | Chinese (zho) |
Published: | EDP Sciences, 2022-06-01 |
Series: | Xibei Gongye Daxue Xuebao (Journal of Northwestern Polytechnical University), vol. 40, no. 3, pp. 699-707 |
DOI: | 10.1051/jnwpu/20224030699 |
ISSN: | 1000-2758, 2609-7125 |
Subjects: | memory forensics; VAD tree; user address space; Volatility; Rekall |
DOAJ record: | doaj.art-6985b2fad96444aaabb374aaed8ffe58 |
Online Access: | https://www.jnwpu.org/articles/jnwpu/full_html/2022/03/jnwpu2022403p699/jnwpu2022403p699.html |
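The traversal the abstract describes, as an added example that is not the paper's code and not Volatility's or Rekall's: an in-order walk of an x64 VAD tree over a raw byte buffer that rebuilds the 40-bit starting and ending page numbers, decodes the protection and private-memory bits of the VAD flags, and then refines private regions into heap and stack by matching them against metadata a real tool would read from the PEB and the TEBs. The `_MMVAD_SHORT` field offsets and flag bit positions are assumptions for one Windows 10 x64 build (production tools take them from the kernel's PDB symbols precisely because they shift between builds, which is the compatibility problem the paper addresses); the memory buffer, heap list and stack limits are constructed inline.

```python
# Added example, not from the paper: walk a Windows 10 x64 VAD tree in a raw buffer.
# Offsets and bit positions below are ASSUMED for one build; real tools use PDB symbols.
import struct
from dataclasses import dataclass

# Assumed _MMVAD_SHORT layout (x64).
VAD_SIZE = 0x40
OFF_LEFT, OFF_RIGHT = 0x00, 0x08            # _RTL_BALANCED_NODE Left / Right
OFF_START_VPN, OFF_END_VPN = 0x18, 0x1C     # low 32 bits of the page numbers
OFF_START_HIGH, OFF_END_HIGH = 0x20, 0x21   # bits 32..39 of the page numbers
OFF_FLAGS = 0x30                            # _MMVAD_FLAGS packed in a ULONG
PAGE_SHIFT = 12

# Assumed _MMVAD_FLAGS bits: VadType 4..6, Protection 7..11, PrivateMemory 20.
VADTYPE_SHIFT, VADTYPE_MASK = 4, 0x7
PROT_SHIFT, PROT_MASK = 7, 0x1F
PRIVATE_BIT = 1 << 20
VAD_IMAGE_MAP = 2

# MM_PROTECTION: low 3 bits pick the base right, bits 3..4 add a modifier.
BASE_PROTECTION = [
    "PAGE_NOACCESS", "PAGE_READONLY", "PAGE_EXECUTE", "PAGE_EXECUTE_READ",
    "PAGE_READWRITE", "PAGE_WRITECOPY", "PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY",
]
PROT_MODIFIER = {1: "|PAGE_NOCACHE", 2: "|PAGE_GUARD", 3: "|PAGE_WRITECOMBINE"}


def decode_protection(prot):
    """Turn the 5-bit MM_PROTECTION value into its PAGE_* name."""
    return BASE_PROTECTION[prot & 7] + PROT_MODIFIER.get((prot >> 3) & 3, "")


@dataclass
class Region:
    start: int
    end: int          # last byte of the region (inclusive)
    protection: str
    kind: str         # heap / stack / image / mapped / private

    def size(self):
        return self.end - self.start + 1


class MemoryImage:
    """Minimal view over one contiguous chunk of captured kernel memory."""

    def __init__(self, base, data):
        self.base, self.data = base, data

    def read(self, va, fmt):
        off = va - self.base
        if off < 0 or off + struct.calcsize(fmt) > len(self.data):
            raise ValueError(f"VAD pointer {va:#x} leaves the captured range")
        return struct.unpack_from(fmt, self.data, off)[0]


def parse_vad(img, va):
    """Decode one node into (left, right, Region), rebuilding the 40-bit page numbers."""
    start_vpn = (img.read(va + OFF_START_HIGH, "<B") << 32) | img.read(va + OFF_START_VPN, "<I")
    end_vpn = (img.read(va + OFF_END_HIGH, "<B") << 32) | img.read(va + OFF_END_VPN, "<I")
    flags = img.read(va + OFF_FLAGS, "<I")
    protection = decode_protection((flags >> PROT_SHIFT) & PROT_MASK)
    if flags & PRIVATE_BIT:
        kind = "private"
    else:
        kind = "image" if (flags >> VADTYPE_SHIFT) & VADTYPE_MASK == VAD_IMAGE_MAP else "mapped"
    region = Region(start_vpn << PAGE_SHIFT, (end_vpn << PAGE_SHIFT) | 0xFFF, protection, kind)
    return img.read(va + OFF_LEFT, "<Q"), img.read(va + OFF_RIGHT, "<Q"), region


def walk_vad_tree(img, node, heaps, stacks, depth=0, max_depth=64):
    """In-order walk, so regions come out sorted by address. The depth bound stops a
    corrupted Left/Right pointer in a partial image from recursing forever."""
    if node == 0 or depth > max_depth:
        return []
    left, right, r = parse_vad(img, node)
    if r.kind == "private":          # refine with PEB heap bases and TEB stack limits
        if r.start in heaps:
            r.kind = "heap"
        elif any(r.start <= limit and base - 1 <= r.end for limit, base in stacks):
            r.kind = "stack"
    return (walk_vad_tree(img, left, heaps, stacks, depth + 1, max_depth) + [r]
            + walk_vad_tree(img, right, heaps, stacks, depth + 1, max_depth))


def find_suspicious(regions):
    """Private memory that is both writable and executable: the classic injected-code signal."""
    return [r for r in regions if r.kind not in ("image", "mapped")
            and r.protection.startswith("PAGE_EXECUTE_READWRITE")]


def make_vad(left, right, start, end, prot_index, vadtype, private):
    """Pack one node in the assumed layout (only used to build the constructed sample)."""
    svpn, evpn = start >> PAGE_SHIFT, end >> PAGE_SHIFT
    flags = (vadtype << VADTYPE_SHIFT) | (prot_index << PROT_SHIFT) | (PRIVATE_BIT if private else 0)
    node = struct.pack("<QQQIIBB", left, right, 0, svpn & 0xFFFFFFFF, evpn & 0xFFFFFFFF,
                       svpn >> 32, evpn >> 32)
    return (node.ljust(OFF_FLAGS, b"\0") + struct.pack("<I", flags)).ljust(VAD_SIZE, b"\0")


def build_example():
    """Constructed sample: four VADs at fake kernel addresses, root = the stack node."""
    base = 0xFFFFB10000A00000
    heap_n, rwx_n, stack_n, image_n = (base + i * VAD_SIZE for i in range(4))
    data = b"".join([
        make_vad(0, rwx_n, 0x600000, 0x6FFFFF, 4, 0, True),                       # process heap
        make_vad(0, 0, 0x2000000, 0x200FFFF, 6, 0, True),                         # injected RWX blob
        make_vad(heap_n, image_n, 0xD4F0A00000, 0xD4F0AFFFFF, 4, 0, True),        # thread stack
        make_vad(0, 0, 0x7FF700000000, 0x7FF70004FFFF, 7, VAD_IMAGE_MAP, False),  # mapped EXE
    ])
    heaps = {0x600000}                        # constructed: what PEB.ProcessHeaps would list
    stacks = [(0xD4F0AF0000, 0xD4F0B00000)]   # constructed: TEB.NtTib StackLimit / StackBase
    return walk_vad_tree(MemoryImage(base, data), stack_n, heaps, stacks)


if __name__ == "__main__":
    regions = build_example()
    for r in regions:
        print(f"{r.start:#018x}-{r.end:#018x} {r.size():#10x} {r.kind:8} {r.protection}")
    print("suspicious:", [f"{r.start:#x}" for r in find_suspicious(regions)])
```

Two checks worth keeping when this is run against a real image rather than the constructed one: the bounds check in `MemoryImage.read` and the depth bound in `walk_vad_tree`, because a swapped-out or corrupted VAD page in a partial capture is exactly where a naive traversal either loops or reads garbage, and the RWX-private filter in `find_suspicious` is the same heuristic the Volatility `malfind` family applies to the regions this walk produces.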