
Research On Memory Forensics For Memory Injection In Windows 10 User Address Space

Posted on: 2022-11-06
Degree: Master
Type: Thesis
Country: China
Candidate: H T Sun
Full Text: PDF
GTID: 2518306614959839
Subject: Internet Technology

Abstract/Summary:
Computer forensics is the basic step of network security incident response. Abnormal or unauthorized operations performed by malware can be detected by analyzing the disk drive or physical memory. In recent years, some malware no longer writes its key data to disk, which makes disk forensics unable to obtain effective digital evidence. Therefore, memory forensics, which targets volatile memory, gradually plays an irreplaceable role in digital forensics. At present, the field of memory forensics focuses only on the kernel address space of the system and seldom studies the user address space. On the other hand, Windows 10, as the current mainstream operating system, is the main target of network attackers. Therefore, a memory injection detection method for the user address space of 64-bit Windows 10 is proposed. The main research contents of this paper include the following three aspects:

1. A new approach is proposed to describe all allocations of the user address space in Windows 10 x64. First, based on the VAD tree, the basic information of each allocation is determined, such as starting address, used size, protection field and memory type. Then the related metadata is parsed to determine the description of each region, such as mapped file, shared memory, heap, stack or reserved system data structures.

2. Based on the above traversal method for the user address space of Windows 10, a memory injection detection method for Windows 10 is proposed. First, the user address space is abstracted into a mapped-file area and an unmapped-file area, and all pages with executable permissions are obtained from their page table entries (PTEs). Executable pages in the unmapped-file area are output as suspicious pages. Executable pages belonging to the mapped-file area are compared with the PE files on disk by hash value, and pages whose hash values differ are output as suspicious pages.

3. Based on Volatility and Rekall, this paper develops the Windows 10 user address space traversal plugin named win10 userspace. The plugin prints the key information of the memory areas allocated in the target process and meets forensic requirements for both memory dumps and live response. Based on Volatility, malfindplus, a memory injection detection plugin for Windows 10, is implemented to output the pages of a process that may contain injected code.

The VAD-tree-based user address space traversal method in this paper can help forensic analysts clarify the user address space layout of a Windows 10 process, screen out the accessible memory areas and clarify their details without losing effective digital evidence, which reduces the workload of forensic analysts in detecting, locating and extracting malicious code. The method for detecting memory injection attacks in the Windows 10 user address space can effectively detect several common memory injection attacks, extract the pages of injected malicious code, and help forensic analysts quickly locate the memory space of injected malicious code, so that subsequent malicious code analysis and security response can be carried out.
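As an added illustration of the two-rule check described in point 2 (this is example code written for this page, not the thesis's malfindplus plugin and not the Volatility API), the following Python model flags executable pages that fall outside any mapped-file region and executable pages inside a mapped-file region whose hash differs from the on-disk image. The VAD layout, DLL path, addresses, page contents and on-disk hashes are all constructed placeholders.

```python
import hashlib
from dataclasses import dataclass
from typing import Optional

PAGE = 0x1000

@dataclass(frozen=True)
class Vad:
    start: int
    end: int                    # last byte of the region, as a VAD node records it
    mapped_file: Optional[str]  # backing PE path, None for private (unmapped) memory

@dataclass(frozen=True)
class Page:
    va: int
    executable: bool  # taken from the PTE (NX bit clear)
    content: bytes

def page_hash(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

def vad_for(va: int, vads):
    # VAD node that contains the virtual address, or None if the page is unmapped
    return next((v for v in vads if v.start <= va <= v.end), None)

def find_suspicious(pages, vads, disk_page_hashes):
    """Return [(va, reason)] for executable pages that may hold injected code.
    disk_page_hashes maps (pe_path, offset) to the hash of that page of the on-disk
    image. The model assumes a 1:1 offset mapping; a real tool must apply section
    alignment, relocations and import patching before comparing hashes."""
    hits = []
    for p in pages:
        if not p.executable:
            continue  # only executable pages can carry injected code
        vad = vad_for(p.va, vads)
        if vad is None or vad.mapped_file is None:
            hits.append((p.va, "executable page in unmapped region"))
            continue
        offset = p.va - vad.start
        if disk_page_hashes.get((vad.mapped_file, offset)) != page_hash(p.content):
            hits.append((p.va, f"hash mismatch against {vad.mapped_file}+{offset:#x}"))
    return hits

# constructed sample: a mapped DLL (placeholder path) with one patched page, plus private executable memory
IMAGE = "C:\\Windows\\System32\\example.dll"
CLEAN = b"\x4c\x8b\xdc" + b"\x90" * (PAGE - 3)
VADS = [Vad(0x7FF000000000, 0x7FF000002FFF, IMAGE), Vad(0x1A00000, 0x1A00FFF, None)]
DISK = {(IMAGE, off): page_hash(CLEAN) for off in (0x0, 0x1000, 0x2000)}
PAGES = [Page(0x7FF000000000, True, CLEAN), Page(0x7FF000001000, True, b"\xE9" + b"\x00" * (PAGE - 1)),
         Page(0x7FF000002000, False, b"\x00" * PAGE), Page(0x1A00000, True, b"\xCC" * PAGE)]
```

Calling find_suspicious(PAGES, VADS, DISK) reports the patched page of the DLL and the private executable page, while the clean code page and the non-executable data page are passed over.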
Keywords/Search Tags:memory forensics, VAD tree, user address space, memory injection