Searching for Page Directories (2)

Under Microsoft Windows the address space of a process is split into halves: the lower 2 GiB of virtual memory are available to userland, while the upper 2 GiB are reserved for the kernel (as always I assume a 32-bit platform without boot options such as /3GB or /PAE, which would change the split or the paging structures, to keep things as simple as possible). In this post I describe how this organization of the address space can be exploited in order to find Page Directories.

Windows assigns an individual address space to every process. The userland, that is the running application, occupies the lower half of that address space, so this part will naturally vary significantly from process to process.

The upper half of the address space is dedicated to the kernel. The hardware abstraction layer (HAL) and the kernel binaries, along with their extensive system-wide data structures, are kept here, for example. Most of these mappings look the same in every process.

The Page Directory (PD) is an array of 1024 Page Directory Entries (PDEs), each covering 4 MiB of virtual address space (the index is taken from address bits 31 to 22). It provides a bird's-eye view of the address space of a process. We can therefore expect the upper halves (PDEs 512 to 1023, which map the addresses from 0x80000000 upwards) of all PDs to look similar.

The following diagram shows, for each PDE, the count of matches normalized to the number of processes. Only valid PDEs were counted.

Similarities in the upper half of Page Directories

I therefore derived a (dynamic) signature from the PDs of all the active processes detected by PTFinder and compared every page of the first image from the DFRWS 2005 challenge against this signature. As the following diagram shows, the (purported) Page Directories clearly stand out from the noise.

Result set of a signature derived from all running processes.

Computing the signature is somewhat costly, especially in terms of read and seek operations. So I generated another signature based only on the System process. The PD of the System process resides at a constant physical address (0x30000 for Windows 2000, 0x39000 for Windows XP), so there is no need to run PTFinder in preparation. Due to some subtle differences between the System/Idle process and ordinary processes the similarity dropped by about 5 percentage points. This, however, did not affect the result set.
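
The following Python script is an added example, not part of the original post and not PTFinder's code. It puts the PDE layout from above and the signature scan together: it splits a 4 KiB page into 1024 PDEs, derives a signature from the upper half of a reference PD (here the System PD alone, read from the XP offset 0x39000), and scores every page of an image against that signature. The matching rule (compare whole entries with the accessed and dirty bits masked out, count only present entries, report pages that reproduce at least 90 % of the signature), the thresholds and the 64-page sample image with three synthetic PDs and a truncated decoy are my own assumptions, constructed so the script runs offline. The self-map entry (PDE 0x300, mapping 0xC0000000) is modelled because it points at the PD's own frame and therefore differs from process to process.

```python
# Signature scan for Page Directories in a 32-bit, non-PAE Windows memory image.
# Added example; matching rule, thresholds and the sample image are assumptions.
import random
import struct
from collections import Counter
from typing import Dict, List, Tuple

PAGE_SIZE = 4096
PDE_COUNT = PAGE_SIZE // 4            # 1024 four-byte entries per Page Directory
KERNEL_FIRST_PDE = 0x80000000 >> 22   # = 512: first PDE of the kernel half
PDE_PRESENT = 1 << 0                  # bit 0 set = valid entry
PDE_VOLATILE = (1 << 5) | (1 << 6)    # accessed/dirty bits: ignored when comparing
SELF_MAP_PDE = 0xC0000000 >> 22       # = 768: PDE that maps the page tables themselves
SYSTEM_PD_XP = 0x39000                # physical address of the System PD on XP


def pde_index(va: int) -> int:
    """Index of the PDE that maps virtual address va (address bits 31..22)."""
    return (va >> 22) & 0x3FF


def parse_pd(page: bytes) -> List[int]:
    """Split one 4 KiB page into 1024 little-endian 32-bit PDEs."""
    if len(page) != PAGE_SIZE:
        raise ValueError("a Page Directory is exactly one 4 KiB page")
    return list(struct.unpack("<1024I", page))


def build_signature(pds: List[List[int]], min_share: float = 0.5) -> Dict[int, int]:
    """Upper-half PDE index -> value shared by at least min_share of the reference PDs.
    Only valid (present) entries are counted."""
    sig: Dict[int, int] = {}
    for i in range(KERNEL_FIRST_PDE, PDE_COUNT):
        seen = Counter(pd[i] & ~PDE_VOLATILE for pd in pds if pd[i] & PDE_PRESENT)
        if seen:
            value, count = seen.most_common(1)[0]
            if count / len(pds) >= min_share:
                sig[i] = value
    return sig


def score_page(page: bytes, sig: Dict[int, int]) -> float:
    """Fraction of signature entries that this page reproduces (0.0 .. 1.0)."""
    entries = parse_pd(page)
    hits = sum(1 for i, v in sig.items() if (entries[i] & ~PDE_VOLATILE) == v)
    return hits / len(sig) if sig else 0.0


def scan_image(image: bytes, sig: Dict[int, int], threshold: float = 0.9) -> List[Tuple[int, float]]:
    """Offsets (and scores) of all page-aligned pages scoring at or above threshold."""
    hits = []
    for off in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        score = score_page(image[off:off + PAGE_SIZE], sig)
        if score >= threshold:
            hits.append((off, score))
    return hits


# --- constructed sample image (synthetic, not a real dump) ----------------------
def _kernel_half(rng: random.Random) -> List[int]:
    """Kernel-half template: PDEs pointing at page tables, every 7th region unmapped."""
    return [0 if i % 7 == 0 else (rng.randrange(1, 0x20000) << 12) | 0x3
            for i in range(KERNEL_FIRST_PDE, PDE_COUNT)]


def _make_pd(rng: random.Random, kernel_half: List[int], pd_phys: int) -> bytes:
    """One PD: sparse process-specific user half plus the shared kernel half.
    The self-map entry points at the PD's own frame (so it differs per process)
    and a random subset of kernel entries carries the accessed bit."""
    lower = [(rng.randrange(1, 0x20000) << 12) | 0x7 if rng.random() < 0.1 else 0
             for _ in range(KERNEL_FIRST_PDE)]
    upper = [v | (1 << 5) if v and rng.random() < 0.3 else v for v in kernel_half]
    upper[SELF_MAP_PDE - KERNEL_FIRST_PDE] = (pd_phys & ~0xFFF) | 0x63
    return struct.pack("<1024I", *(lower + upper))


def build_sample_image(seed: int = 1) -> Tuple[bytes, List[int]]:
    """64-page image: random noise, zero pages, a truncated decoy and three PDs."""
    rng = random.Random(seed)
    kernel = _kernel_half(rng)
    pages = [rng.getrandbits(8 * PAGE_SIZE).to_bytes(PAGE_SIZE, "little")
             if rng.random() < 0.5 else bytes(PAGE_SIZE) for _ in range(64)]
    pd_offsets = [0x10000, 0x2A000, SYSTEM_PD_XP]
    for off in pd_offsets:
        pages[off // PAGE_SIZE] = _make_pd(rng, kernel, off)
    # decoy: a page carrying only the first 64 kernel entries (a stale, partially
    # overwritten copy); it scores far below a real PD
    decoy = [0] * KERNEL_FIRST_PDE + kernel[:64] + [0] * (len(kernel) - 64)
    pages[0x20000 // PAGE_SIZE] = struct.pack("<1024I", *decoy)
    return b"".join(pages), pd_offsets


def find_page_directories(image: bytes, system_pd: int = SYSTEM_PD_XP) -> List[int]:
    """Signature from the System PD alone (the cheap variant), then scan the image."""
    sig = build_signature([parse_pd(image[system_pd:system_pd + PAGE_SIZE])])
    return [off for off, _ in scan_image(image, sig)]


if __name__ == "__main__":
    img, expected = build_sample_image()
    print("expected:", [hex(o) for o in expected])
    print("found:   ", [hex(o) for o in find_page_directories(img)])
```

The two process PDs match the System signature in every entry except the self-map, which is the kind of per-process difference that lowers the similarity without pushing a real PD below the threshold; a real dump carries more such entries than this sample models. The constants apply only to the non-PAE case assumed throughout: under PAE a PD holds 512 eight-byte entries and the index calculation changes.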

Result set of a signature derived solely from the system/idle process.

All Page Directories were found; there are no false negatives. On the other hand, the method produced 7 false positives. Given the relatively high effort, this result is a bit disappointing at first. However, there is an interesting finding, as I will show in a later post.

Imprint

This blog is a project of:
Andreas Schuster
Im Äuelchen 45
D-53177 Bonn
impressum@forensikblog.de

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.