
The Memory Forensic Research Oriented To Segment Heap In Windows 10 System

Posted on: 2022-03-26
Degree: Master
Type: Thesis
Country: China
Candidate: P Chen
Full Text: PDF
GTID: 2518306314468044
Subject: Computer Science and Technology

Abstract/Summary:
In the domain of attack and defense in network security, more and more hackers design heap overflow attack programs that abuse the heap management mechanism of operating system processes, which poses a great threat to system security. Therefore, in the domain of memory forensics, it is urgent to extract heap information and detect heap overflows. The segment heap is a new heap management mechanism that appears only in Windows 10. Its structure is still unpublished, and different versions of Windows 10 use different segment heap structures. Research on the memory management mechanism and memory forensics of the segment heap is insufficient, so both the management mechanism of the segment heap and memory forensic techniques for it need further study. The main research contents of this paper comprise the following three aspects:

1. A Segment Heap Management Mechanism Conversion (SHMMC) algorithm based on progressive recursive disassembly is proposed. It analyzes the segment heap management mechanism in the Windows kernel and determines the offsets of the core fields in the segment heap structures and the roles of those fields in memory management. To analyze multiple versions of the segment heap structure, an algorithm called HMOSIE (Heap Memory Object Structure Information Extraction) is proposed; it uses data obtained through hooking together with the segment heap data to determine the roles of the remaining fields. After the fields are parsed, the structure information is generated and imported into the profile corresponding to the Windows 10 system in the Volatility memory forensic framework.

2. After analyzing the VType description information of the segment heap and its associated structures, it is found that combining pool scanning with the location relationships among the process structure, the process environment block structure and the process heap array makes it possible to locate the segment heap and its component structures, and then to analyze the information in the segment heap structure. Based on these results, five plugins that reconstruct the segment heap and its component information are developed on the memory forensics framework. These plugins use the VType description information to parse the segment heap and its components and extract their internal information.

3. Based on the above analysis of the segment heap management mechanism and the memory layout of heap chunks created by the segment heap, the security management mechanism of the segment heap is identified. Attack tests on the segment heap reveal two ways of attacking it through heap overflow, namely the virtual table address leakage attack and the virtual table address coverage (overwrite) attack. Using the segment heap information and the method for locating heap chunks, the heap chunks in the segment heap are scanned. Once a heap chunk is located, whether a heap overflow has occurred in the segment heap can be judged by checking whether the chunk header or the padding data has been overwritten. When an overflow is found, the abnormal chunk and the chunks adjacent to it are checked for a virtual table address; if one is present, it can be concluded that a heap overflow attack has occurred in the segment heap.

The research in this paper enables security researchers to understand the segment heap management mechanism and analyze techniques for defending against segment heap overflow attacks, and helps forensic investigators extract the internal information of the segment heap and the information of segment heap overflow attacks. The experimental results show that these plugins can reconstruct the internal information of the segment heap of an active process, scan the heap chunks in the segment heap successfully, locate the abnormal heap chunk and output the abnormal information, which helps investigators analyze the running state of the segment heap and obtain traces of malicious attacks against the segment heap.
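The chunk-scanning check sketched in point 3, as an added example that is not the thesis's plugin code: it uses a constructed toy chunk layout (8-byte header, user data, fill padding) and a constructed vtable address range, not the real Windows 10 segment heap structures, and assumes chunk offsets and user sizes have already been recovered from heap metadata.

```python
import struct

PAD_BYTE, MAGIC, GRAN = 0xAB, 0x5E6D, 16  # constructed constants for the toy chunk layout

def chunk_total(size):
    """Whole chunk length: 8-byte header plus user data, rounded up to GRAN."""
    return -(-(8 + size) // GRAN) * GRAN

def make_chunk(data):
    """Toy chunk: header <user size, size ^ MAGIC>, user data, PAD_BYTE fill."""
    size = len(data)
    return struct.pack("<II", size, size ^ MAGIC) + data + bytes([PAD_BYTE]) * (chunk_total(size) - 8 - size)

def has_vtable_pointer(blob, vtable_ranges):
    """True if any 8-byte-aligned qword in blob points into a known vtable range."""
    return any(lo <= struct.unpack_from("<Q", blob, i)[0] < hi
               for i in range(0, len(blob) - 7, 8) for lo, hi in vtable_ranges)

def scan_chunks(heap, offsets, sizes, vtable_ranges):
    """offsets/sizes: chunk positions and user sizes as recorded in heap metadata
    (assumed already recovered, so a smashed header cannot derail the walk).
    Returns [(chunk index, what was overwritten, vtable pointer found nearby)]."""
    findings = []
    for i, (off, size) in enumerate(zip(offsets, sizes)):
        hdr_size, chk = struct.unpack_from("<II", heap, off)
        pad_start, pad_end = off + 8 + size, off + chunk_total(size)
        reasons = []
        if hdr_size != size or chk != (size ^ MAGIC):
            reasons.append("header")
        if any(b != PAD_BYTE for b in heap[pad_start:pad_end]):
            reasons.append("padding")
        if not reasons:
            continue
        # inspect the abnormal chunk together with its predecessor and successor
        start = offsets[i - 1] if i > 0 else off
        end = offsets[i + 1] + chunk_total(sizes[i + 1]) if i + 1 < len(offsets) else pad_end
        findings.append((i, "+".join(reasons), has_vtable_pointer(heap[start:end], vtable_ranges)))
    return findings

VTABLES = [(0x7FF612340000, 0x7FF612350000)]  # constructed: a loaded module's vtable region

def demo():
    """Constructed heap of three 20-byte chunks; chunk 1 is overflowed by a 30-byte
    payload that begins with a fake vtable address and runs into chunk 2's header."""
    sizes, offsets = [20, 20, 20], [0, 32, 64]
    heap = bytearray(b"".join(make_chunk(bytes([65 + k]) * 20) for k in range(3)))
    payload = struct.pack("<Q", 0x7FF612345000) + b"X" * 22
    heap[40:40 + len(payload)] = payload
    return scan_chunks(bytes(heap), offsets, sizes, VTABLES)  # [(1, 'padding', True), (2, 'header', True)]
```

Calling demo() flags chunk 1 (its padding was overwritten) and chunk 2 (its header was overwritten), and in both cases finds the fake vtable pointer in the abnormal chunk or its neighbour, which is the condition point 3 uses to conclude a heap overflow attack.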
Keywords/Search Tags: pool scanning technology, segment heap, heap overflow, memory forensics