Searching for Page Directories (1)


Memory analysis tools like the Microsoft Debugger or PTFinder identify processes and additionally show the Page Directory Base Address, because this value is the starting point for reconstructing the virtual address space of a process. For a while I had been thinking about reversing this method: searching a memory dump for Page Directories and using them to locate the processes. In this post I describe an elegant method to locate Page Directories which exploits the fact that Page Directories are self-referential.

Page Directories (PD) are the cornerstone of translating virtual addresses into physical addresses. On 32-bit Windows without PAE they appear in the address space of every process at the fixed virtual address 0xc0300000. If you manually translate this address into a physical address you will find that Page Directory Entry no. 0x300 (the upper ten bits of 0xc0300000) points to the Page Table for this region, and that Page Table is the PD itself. This is well illustrated in a presentation by Microsoft, please have a look at slides no. 44 to 46.

Joe Stewart makes use of this characteristic trait in his tool pmodump.pl, which is part of the Truman project. For every memory page in a dump file pmodump checks whether the page frame number given by the dword at offset 3072 (that is, PDE 0x300, at byte offset 0x300 * 4) equals the page frame number of the current page. If so, the tool assumes that it has found a PD.
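As an added example, not code from the original post or from pmodump.pl, here is the same self-reference test written in C. It assumes a raw, linear physical memory image of a 32-bit Windows system without PAE (4 KiB pages, 4-byte PDEs, little-endian), so that the page at file offset off has page frame number off >> 12. Beyond the check the post describes, it also requires the present bit of PDE 0x300 to be set, which is my own extra filter. The 16-page sample image it scans is constructed in the code and is not a real dump.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PAGE_SIZE   4096u
#define PDE_SELF    0x300u            /* 0xc0300000 >> 22: index of the self-mapping PDE */
#define PDE_OFFSET  (PDE_SELF * 4u)   /* byte offset 3072 (0xC00) of that PDE in the page */
#define PTE_PRESENT 0x1u

/* Little-endian helpers so the scan does not depend on host byte order. */
static uint32_t get_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Self-reference test for one 4 KiB page located at physical frame `pfn`:
 * PDE 0x300 must be marked present and its frame number must equal `pfn`.
 * (The present-bit requirement is an extra filter added here; the post does
 * not attribute it to pmodump.) */
int is_self_mapping_pd(const uint8_t *page, uint32_t pfn)
{
    uint32_t pde = get_le32(page + PDE_OFFSET);
    if (!(pde & PTE_PRESENT))
        return 0;
    return (pde >> 12) == pfn;
}

/* Scan a raw, linear physical memory image held in memory. Stores the physical
 * address of each candidate PD in `out` (at most `max_out`) and returns the
 * total number of candidates found. */
size_t find_page_directories(const uint8_t *dump, size_t len, uint32_t *out, size_t max_out)
{
    size_t found = 0;
    for (size_t off = 0; off + PAGE_SIZE <= len; off += PAGE_SIZE) {
        uint32_t pfn = (uint32_t)(off / PAGE_SIZE);
        if (is_self_mapping_pd(dump + off, pfn)) {
            if (found < max_out)
                out[found] = (uint32_t)off;
            found++;
        }
    }
    return found;
}

/* Constructed 16-page sample image (not a real dump). Page 5 is a genuine PD:
 * its PDE 0x300 is present and points at frame 5. Page 9 is a decoy whose
 * PDE 0x300 is present but points at frame 5 instead of itself. Page 2 has
 * the right frame number but the present bit clear. Only page 5 qualifies. */
#define SAMPLE_PAGES 16u
void build_sample_dump(uint8_t *dump)
{
    memset(dump, 0, SAMPLE_PAGES * PAGE_SIZE);
    put_le32(dump + 5 * PAGE_SIZE + PDE_OFFSET, (5u << 12) | 0x63u); /* P|RW|A|D, frame 5 */
    put_le32(dump + 9 * PAGE_SIZE + PDE_OFFSET, (5u << 12) | 0x63u); /* present, frame 5 != 9 */
    put_le32(dump + 2 * PAGE_SIZE + PDE_OFFSET, (2u << 12) | 0x62u); /* frame 2, not present */
}

/* Scan the sample image; returns the hit count and, via `first`, the first hit. */
size_t scan_sample_dump(uint32_t *first)
{
    static uint8_t dump[SAMPLE_PAGES * PAGE_SIZE];
    uint32_t hits[SAMPLE_PAGES];
    size_t n;
    build_sample_dump(dump);
    n = find_page_directories(dump, sizeof dump, hits, SAMPLE_PAGES);
    if (first)
        *first = n ? hits[0] : 0;
    return n;
}

uint32_t sample_dump_first_hit(void)
{
    uint32_t first;
    scan_sample_dump(&first);
    return first;
}

/* Stand-alone use: stream a dump file page by page and print candidate PDs. */
int main(int argc, char **argv)
{
    if (argc != 2) {
        fprintf(stderr, "usage: %s <physical-memory-dump>\n", argv[0]);
        return 1;
    }
    FILE *f = fopen(argv[1], "rb");
    if (!f) {
        perror(argv[1]);
        return 1;
    }
    uint8_t page[PAGE_SIZE];
    uint32_t pfn = 0;
    while (fread(page, 1, PAGE_SIZE, f) == PAGE_SIZE) {
        if (is_self_mapping_pd(page, pfn))
            printf("candidate PD at physical address 0x%08x\n", pfn * PAGE_SIZE);
        pfn++;
    }
    fclose(f);
    return 0;
}
```

On the constructed image the scan reports exactly one candidate, at physical address 0x5000. On a real dump expect the occasional false positive mentioned below: any page that happens to carry a present dword with its own frame number at offset 0xC00 passes the test, so candidates still need to be tied to a process (for instance by comparing against an EPROCESS list) before being trusted.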

This simple and fast test turns out to be astoundingly accurate. For a test I searched the first image from the DFRWS 2005 challenge for PDs, then let PTFinder generate a list of processes and their PDs, and compared the results.

The test successfully identified all running processes and 5 of the 7 terminated processes that were still visible to PTFinder. As expected, it was not able to find PDs belonging to the artifacts left over from prior runs of Windows; those PDs no longer exist in memory, so this does not count as a false negative, and there were none. However, the test produced 2 false positives, both at relatively low physical addresses. This could be reproduced with other memory dumps as well, so it is an inherent, though not serious, shortcoming of the simple approach taken for this test.

4 Comments

One other thing that might help is to look for addresses that are shared between kernel-space and user space. For example, _KUSER_SHARED_DATA is mapped to both 0x7FFE0000 (user-space, read-only) and 0xFFDF0000 (kernel-space, read-write). Thus any page directory will translate those two addresses to the same physical page.

Thanks a lot, I'll try that as well during the next days.

Did you use the tools on an XP SP2 dump file or a Win2K one?

I used dumps of both versions, W2k and XP SP2. XP was not running in PAE mode.


Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.