Copies of Page Directories

As shown earlier, a search based on the similarity in the upper portion of Page Directories leads to several false positives. In this article I'm going to take a closer look at these PD look-alikes.

First of all, it is extremely unlikely that a random block of data matches a Page Directory. Also, I did not analyze memory structures on the machines prior to dumping memory, so the PD look-alikes are not pages of an earlier dump file lingering in the system's file cache.

If it looks like a PD, what happens when one interprets it as a PD? Exploiting the self-reference of the PD once again: PDE 0x300 (the entry that maps the page tables, the PD included, at 0xC0000000) of the look-alike yields the page frame number of the "true" PD. Interestingly, there is a valid PD at that address.

I compared the original Page Directories with their assumed copies. They matched. So what kind of system activity creates these copies?
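The two steps just described, checking PDE 0x300 against the page's own frame number and then following PDE 0x300 of a look-alike to the PD it names and comparing the two pages, can be scripted. The following Python is an added example, not the post's own tool: it scans a raw 32-bit, non-PAE x86 image page by page and reports self-referencing PDs, byte-identical copies of them, and near-copies. The self-reference index 0x300 is the one discussed above; the eight-page sample image, the PDE values in it and the "lookalike" category for pages that differ from the PD they point at are constructed here for illustration. It does not reproduce the scoring that yields the 0.99xx values in the table below; the self-reference test is applied as a plain yes/no check.

```python
"""Find Page Directories (PDs) and their copies in a raw 32-bit non-PAE image.

Added example; the sample image and its PDE values are constructed, not taken
from a real dump.
"""
import struct
import sys

PAGE_SIZE = 0x1000
PDE_SELF = 0x300        # 0xC0000000 >> 22: the PDE that maps the page tables (and the PD itself)
PDE_PRESENT = 0x1


def pde_pfn(page, index):
    """Page frame number held by PDE `index` of a 4 KiB page, or None if the entry is not present."""
    (entry,) = struct.unpack_from("<I", page, index * 4)
    if not entry & PDE_PRESENT:
        return None
    return entry >> 12      # non-PAE: the PFN lives in bits 31..12


def is_self_referencing_pd(page, pfn):
    """The self-reference test in its simplest form: PDE 0x300 must map the PD's own page frame."""
    return pde_pfn(page, PDE_SELF) == pfn


def count_differing_pdes(a, b):
    """Number of 4-byte entries that differ between two pages."""
    return sum(1 for i in range(PAGE_SIZE // 4) if a[i * 4:(i + 1) * 4] != b[i * 4:(i + 1) * 4])


def scan_image(image):
    """Classify every page of a raw image.

    Returns {pfn: (kind, original_pfn, differing_pdes)} where kind is
      'pd'        - PDE 0x300 points back at this very page
      'copy'      - PDE 0x300 points at a 'pd' page and the contents are identical
      'lookalike' - PDE 0x300 points at a 'pd' page but some entries differ
    Pages that fit none of these are not reported.
    """
    n_pages = len(image) // PAGE_SIZE
    pages = [image[i * PAGE_SIZE:(i + 1) * PAGE_SIZE] for i in range(n_pages)]
    pds = {pfn for pfn, pg in enumerate(pages) if is_self_referencing_pd(pg, pfn)}
    result = {pfn: ("pd", None, 0) for pfn in pds}
    for pfn, pg in enumerate(pages):
        if pfn in pds:
            continue
        target = pde_pfn(pg, PDE_SELF)
        if target is None or target not in pds:
            continue
        diff = count_differing_pdes(pg, pages[target])
        result[pfn] = ("copy", target, 0) if diff == 0 else ("lookalike", target, diff)
    return result


def build_sample_image():
    """Constructed 8-page image: a real PD at PFN 3, a copy at PFN 5, a near-copy at PFN 7, filler elsewhere."""
    pages = [bytearray(PAGE_SIZE) for _ in range(8)]
    pd_pfn = 3
    pd = pages[pd_pfn]
    for idx in range(0x10):                      # a few user-space PDEs (made-up values)
        struct.pack_into("<I", pd, idx * 4, ((0x200 + idx) << 12) | 0x67)
    for idx in range(0x200, 0x400):              # kernel half (made-up values)
        struct.pack_into("<I", pd, idx * 4, ((0x400 + idx) << 12) | 0x63)
    struct.pack_into("<I", pd, PDE_SELF * 4, (pd_pfn << 12) | 0x63)   # the self-reference
    pages[5] = bytearray(pd)                     # byte-for-byte copy: its PDE 0x300 still names PFN 3
    pages[6] = bytearray(bytes(range(256)) * 16) # filler; its PDE 0x300 reads 0x03020100, not present
    pages[7] = bytearray(pd)
    struct.pack_into("<I", pages[7], 0x10 * 4, (0x123 << 12) | 0x67)  # one extra user PDE
    return bytes(b"".join(pages))


if __name__ == "__main__":
    image = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample_image()
    for pfn, (kind, orig, diff) in sorted(scan_image(image).items()):
        line = f"0x{pfn * PAGE_SIZE:08x}  {kind}"
        if orig is not None:
            line += f"  -> PD at 0x{orig * PAGE_SIZE:08x}"
            if diff:
                line += f" ({diff} PDEs differ)"
        print(line)
```

Run without arguments to see the classification of the constructed image, or pass the path of a raw image (the script reads the whole file into memory, so use a machine with enough RAM for large dumps). A PD that the system merely moved to another page frame would self-reference at its new location and therefore show up as a second 'pd' entry that differs from the old one in PDE 0x300; a page whose PDE 0x300 names a different, self-referencing PD and that matches it entry for entry is what the post calls a copy.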

I obtained the first dumps with dd. One might argue that the system keeps running while dd writes the contents of physical memory to disk: if the system moved a PD to another page frame while dd was copying page by page, the same PD could be imaged more than once. The same PD? Strictly speaking it would not be the same PD, because after such a move PDE 0x300 would have to name the new page frame, so the two images of it would differ in that entry.

I also found copies of PDs in images obtained by suspending a VMware session and by forcing the system to crash. Both methods ensure that there is no regular system activity while the image is created.

I do believe that it is some kind of regular system activity that creates all these copies, but I still don't know what it is.

Below are the results from a run on the first image of the DFRWS 2005 memory analysis challenge. Test 1 is based on the self-reference of Page Directories, Test 2 on the similarity in the upper region of Page Directories among processes. The Remarks column names the PD that PDE 0x300 of a look-alike points at, together with the process owning that PD.

Offset      Test 1  Test 2  Remarks
0x00000000  0.0000  1.0000
0x00030000  1.0000  1.0000
0x00233000  0.0000  1.0000
0x0059e000  0.9902  1.0000
0x01a24000  0.9902  1.0000
0x01a6d000  0.9902  1.0000
0x01d9e000  0.9901  1.0000
0x01f93000  0.9902  0.0000  appears to be a copy of the PD at 0x01a24000 (WinMgmt.exe)
0x02bf1000  0.9902  1.0000
0x02ce5000  0.9902  1.0000
0x02ce7000  0.9902  1.0000
0x02dbc000  0.9902  1.0000
0x02e4c000  0.9901  1.0000
0x030cb000  0.9901  0.0000  appears to be a copy of the PD at 0x02e4c000 (alogserv.exe)
0x03104000  0.9901  1.0000
0x039a2000  0.9901  1.0000
0x039cb000  0.9902  0.0000  appears to be a copy of the PD at 0x02dbc000 (DragDrop.exe)
0x03b46000  0.9902  0.0000  appears to be a copy of the PD at 0x02dbc000 (DragDrop.exe)
0x03ca1000  0.9902  1.0000
0x03e02000  0.9902  1.0000
0x03fb0000  0.9901  1.0000
0x0429f000  0.9902  1.0000
0x043de000  0.9902  1.0000
0x04461000  0.9902  0.0000  appears to be a copy of the PD at 0x02dbc000 (DragDrop.exe)
0x04fe4000  0.9902  1.0000
0x052ad000  0.9902  1.0000
0x052e5000  0.9902  1.0000
0x0575e000  0.9901  1.0000
0x058dd000  0.9901  1.0000
0x05a23000  0.9902  1.0000
0x05cb4000  0.9902  1.0000
0x05d0c000  0.9901  1.0000
0x05e2e000  0.9902  1.0000
0x05f78000  0.9902  1.0000
0x0600d000  0.9902  1.0000
0x0615e000  0.9901  0.0000  appears to be a copy of the PD at 0x0575e000 (cmd.exe)
0x06173000  0.9902  1.0000
0x06423000  0.9901  0.0000  appears to be a copy of the PD at 0x058dd000 (cmd2k.exe)
0x067b5000  0.9900  1.0000
0x06955000  0.9902  1.0000
0x06c98000  0.9902  1.0000
0x06f53000  0.9903  1.0000
0x07234000  0.9902  1.0000
0x0739d000  0.9901  1.0000
0x075a7000  0.9902  1.0000
0x076b2000  0.9901  1.0000

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.