I'm excited to announce that my paper for DFRWS 2006 has been accepted. It is entitled Searching for Processes and Threads in Microsoft Windows Memory Dumps.
Abstract:
Current tools to analyze memory dumps of systems running Microsoft Windows more or less build on the concept of enumerating lists maintained by the kernel to keep track of processes, threads and other objects. This limits their scope to objects which were active in memory at the time the image was taken. Also, malicious processes could exploit Direct Kernel Object Manipulation techniques to avoid detection. This article analyzes the in-memory structures which represent processes and threads. It identifies constant parts and develops search patterns which will then be used to scan the whole memory dump for traces of said objects, independent from the aforementioned lists. As demonstrated by a proof-of-concept implementation, this approach could reveal hidden and terminated processes and threads. Under some conditions traces might even be found after a reboot of the system under examination.
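The abstract describes scanning the whole dump for the constant parts of the pool and object headers instead of walking the kernel's process list. The Python below is an added example, not the paper's proof-of-concept code: it assumes the 32-bit Windows XP POOL_HEADER layout and the 'Proc' process pool tag, and runs over a small constructed dump that contains a live block, a freed block and a decoy.

```python
import struct

# Assumed 32-bit Windows XP POOL_HEADER (8 bytes): bits 0-8 PreviousSize,
# 9-15 PoolIndex, 16-24 BlockSize (8-byte units, header included),
# 25-31 PoolType (0 = free block), then a 4-byte PoolTag.
POOL_HEADER_FMT = "<I4s"
POOL_HEADER_SIZE = struct.calcsize(POOL_HEADER_FMT)
GRANULARITY = 8
PROCESS_TAG = b"Pro\xe3"  # 'Proc' with the protected-allocation bit in the last byte

def parse_pool_header(dump, off):
    word, tag = struct.unpack_from(POOL_HEADER_FMT, dump, off)
    return {"prev_size": word & 0x1FF, "pool_index": (word >> 9) & 0x7F,
            "block_size": (word >> 16) & 0x1FF, "pool_type": (word >> 25) & 0x7F,
            "tag": tag}

def build_pool_block(tag, pool_type, body, prev_size=0):
    """Build one pool block (header + body, padded to 8 bytes) for the sample dump."""
    pad = -(POOL_HEADER_SIZE + len(body)) % GRANULARITY
    block_size = (POOL_HEADER_SIZE + len(body) + pad) // GRANULARITY
    word = (prev_size & 0x1FF) | ((block_size & 0x1FF) << 16) | ((pool_type & 0x7F) << 25)
    return struct.pack(POOL_HEADER_FMT, word, tag) + body + b"\0" * pad

def scan_pool_blocks(dump, tag, min_body_bytes):
    """Scan the whole dump for pool headers carrying `tag`; no kernel list is walked."""
    hits = []
    for off in range(0, len(dump) - POOL_HEADER_SIZE + 1, GRANULARITY):
        if dump[off + 4:off + 8] != tag:
            continue
        hdr = parse_pool_header(dump, off)
        # Plausibility check: the block must be able to hold the object it claims to be.
        if hdr["block_size"] * GRANULARITY - POOL_HEADER_SIZE < min_body_bytes:
            continue
        hits.append((off, "free" if hdr["pool_type"] == 0 else "allocated"))
    return hits

def sample_dump():
    """Constructed dump: a live process block, junk, a freed block, a too-small decoy."""
    body = b"\x41" * 0x100  # stand-in for OBJECT_HEADER plus the process block
    return (b"\0" * 64
            + build_pool_block(PROCESS_TAG, 0x0C, body)         # allocated: running process
            + b"\xCC" * 40
            + build_pool_block(PROCESS_TAG, 0x00, body)         # free: terminated, not yet reused
            + build_pool_block(PROCESS_TAG, 0x0C, b"\x42" * 8))  # decoy: tag but block too small

if __name__ == "__main__":
    for off, state in scan_pool_blocks(sample_dump(), PROCESS_TAG, 0x100):
        print(f"process block at 0x{off:06x} ({state})")
```

The freed block is reported rather than discarded, since a terminated process whose pool memory has not been reused is exactly the kind of trace the abstract refers to.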
Regular readers of this log may already know some of the things I'll be talking about. Of course I will address some novelties, the OBJECT_HEADER and POOL_HEADER structures in particular.
The DFRWS might be a good opportunity to meet with readers from abroad. So if you're attending the workshop, please say hi! I'm looking forward to meeting you!
08/15/2006: I'm pleased to announce that the paper now is available at the conference website.
