Virtual Address Descriptors (VADs) record how a process uses its virtual address space. The VADs are kept in a balanced tree, and a member of the _EPROCESS structure points to the root node. Rebuilding the VAD tree makes it possible to reconstruct a process' memory space along with all the files mapped into it. Brendan Dolan-Gavitt will speak about the matter at DFRWS 2007. He has just released a set of tools called vadtools accompanying his paper.
Vadtools are written in Python and hence require a Python interpreter. The tools work with plain (dd-style) memory dumps; the Windows crash dump format is not supported.
vadwalk.py reconstructs the VAD tree. It displays the result either as a table, as an ASCII tree or as a DOT file suitable for rendering with GraphViz.
vadinfo.py reports a lot of technical detail for every single VAD. Shown below is the VAD for an event log file which has been mapped into memory by the event log service, which runs inside services.exe.
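To make the reconstruction concrete, here is an added Python example (not part of vadtools or of the original post) that walks a VAD tree out of a flat memory image the way vadwalk.py does, produces the table and ASCII-tree views, and checks the recovered tree for consistency. It assumes the 32-bit Windows XP _MMVAD_SHORT layout (StartingVpn, EndingVpn, Parent, LeftChild, RightChild, flags) with the pool tag four bytes before the node, and it builds a constructed image in which node pointers are plain offsets, so no page-table translation is needed; a real dump would require translating through the process' page directory first. The sample addresses are borrowed from the output shown on this page.

```python
import struct

# Layout of _MMVAD_SHORT on 32-bit Windows XP, assumed here (the post does
# not spell it out); offsets follow the public XP debug symbols:
#   +0x00 StartingVpn  +0x04 EndingVpn  +0x08 Parent
#   +0x0c LeftChild    +0x10 RightChild +0x14 u (VAD flags)
# The 8-byte pool header precedes the node, so the pool tag sits at -4.
NODE_FMT = "<IIIIII"
NODE_SIZE = struct.calcsize(NODE_FMT)
PAGE_SHIFT = 12
VAD_TAGS = {b"Vad ", b"VadS", b"Vadl"}

# Constructed sample tree, keyed by node offset inside the flat image.
# Addresses are taken from the page's own output (ntdll at 7c900000,
# AppEvent.Evt mapped at 00a10000, PEB at 7ffd5000). Pointer values are
# treated as offsets into the image (identity mapping assumed).
#            tag      StartVpn EndVpn   Parent Left   Right  Flags
SAMPLE_NODES = {
    0x100: (b"Vad ", 0x7c900, 0x7c9af, 0x000, 0x200, 0x300, 0),
    0x200: (b"VadS", 0x00010, 0x0001f, 0x100, 0x000, 0x280, 0),
    0x280: (b"Vad ", 0x00a10, 0x00a1f, 0x200, 0x000, 0x000, 0),
    0x300: (b"Vad ", 0x7ffd5, 0x7ffd5, 0x100, 0x000, 0x000, 0),
}
ROOT = 0x100  # what _EPROCESS.VadRoot would point to in a real dump


def build_image(nodes, size=0x1000):
    """Serialise the constructed nodes into a flat byte image."""
    buf = bytearray(size)
    for off, (tag, start, end, parent, left, right, flags) in nodes.items():
        buf[off - 4:off] = tag
        struct.pack_into(NODE_FMT, buf, off, start, end, parent, left, right, flags)
    return bytes(buf)


def read_node(image, off):
    """Parse one VAD node; reject out-of-image pointers and unknown pool tags."""
    if off < 8 or off + NODE_SIZE > len(image):
        raise ValueError(f"node @{off:08x} lies outside the image")
    tag = image[off - 4:off]
    if tag not in VAD_TAGS:
        raise ValueError(f"unexpected pool tag {tag!r} @{off:08x}")
    start, end, parent, left, right, flags = struct.unpack_from(NODE_FMT, image, off)
    return {
        "addr": off, "tag": tag.decode(),
        "start": start << PAGE_SHIFT,        # first byte of the region
        "end": (end + 1) << PAGE_SHIFT,      # exclusive end, as vadinfo prints it
        "parent": parent, "left": left, "right": right, "flags": flags,
    }


def walk(image, root):
    """In-order traversal: returns the nodes ordered by start address.

    A corrupt pointer, bad tag or pointer loop does not abort the walk; the
    offending node is recorded with an "error" key and its subtree skipped,
    so the rest of the address space is still recovered from a damaged dump.
    """
    seen, out = set(), []

    def visit(off, level, from_addr):
        if off == 0:                       # NULL child
            return
        if off in seen:                    # loop in corrupt tree data
            out.append({"addr": off, "level": level, "error": "pointer loop"})
            return
        seen.add(off)
        try:
            node = read_node(image, off)
        except ValueError as exc:
            out.append({"addr": off, "level": level, "error": str(exc)})
            return
        node["level"], node["from"] = level, from_addr
        visit(node["left"], level + 1, off)
        out.append(node)
        visit(node["right"], level + 1, off)

    visit(root, 0, 0)
    return out


def check_tree(nodes):
    """Consistency checks: parent back-links agree and regions are ordered and disjoint."""
    issues, prev = [], None
    for n in nodes:
        if "error" in n:
            issues.append(f"@{n['addr']:08x}: {n['error']}")
            continue
        if n["level"] > 0 and n["parent"] != n["from"]:
            issues.append(f"@{n['addr']:08x}: parent {n['parent']:08x} != {n['from']:08x}")
        if prev is not None and n["start"] < prev["end"]:
            issues.append(f"@{n['addr']:08x}: overlaps region ending at {prev['end']:08x}")
        prev = n
    return issues


def as_table(nodes):
    """Render like vadwalk's table view: one line per node."""
    rows = ["Address  Start    End      Level Tag"]
    for n in nodes:
        if "error" in n:
            rows.append(f"{n['addr']:08x} <{n['error']}>")
        else:
            rows.append(f"{n['addr']:08x} {n['start']:08x} {n['end']:08x} {n['level']:5d} {n['tag']}")
    return "\n".join(rows)


def as_ascii_tree(nodes):
    """Sideways ASCII tree: each node indented by its depth, in address order."""
    return "\n".join(
        "  " * n["level"] + (f"<{n['error']}>" if "error" in n
                             else f"{n['tag']} @{n['addr']:08x} {n['start']:08x}-{n['end']:08x}")
        for n in nodes)


if __name__ == "__main__":
    img = build_image(SAMPLE_NODES)
    found = walk(img, ROOT)
    print(as_table(found))
    print(as_ascii_tree(found))
    print("issues:", check_tree(found) or "none")
```

The in-order walk is what gives the sorted address-space listing; the parent back-link and overlap checks are cheap ways to notice that a pointer has led into unrelated pool memory, which is the usual failure mode when a tree is rebuilt from a dump taken while the kernel was mid-update.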
>python vadtools\vadinfo.py dump.bin 0x1051a70
...
VAD node @ffba4560
Start 00a10000 End 00a20000 Level 4 Tag Vad
Flags:
Commit Charge: 0 Protection: 4
ControlArea @811a79d8
Segment e14d0850
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences: 2 NumberOfPfnReferences: 1
NumberOfMappedViews: 2 NumberOfSubsections: 2
FlushInProgressCount: 0 NumberOfUserReferences: 2
Flags: Accessed, HadUserReference, WasPurged, File
FileObject @811a7740 (01107740), Name: \WINDOWS\system32\config\AppEvent.Evt
WaitingForDeletion Event: 00000000
ModifiedWriteCount: 0 NumberOfSystemCacheViews: 1
First prototype PTE: e15214b8 Last contiguous PTE: e15214f4
Flags2:
File offset: 00000000
...

vaddump.py writes the memory regions described by the VAD nodes into separate files. procdump.py reconstructs a single DLL or EXE file. I had to copy this module from the misc directory to the distribution's main directory to get it to work. As documented in the README file, this script also requires the pefile module.

>python vadtools\procdump.py -e test.exe dump.bin 0x1051a70
DEBUG: PEB found at 7ffd5000 (67ab000)
DEBUG: Starting section .text
DEBUG: Starting section .data
DEBUG: Starting section .rsrc

listdlls.py provides a list of all dynamic link libraries loaded by a process. Again I had to copy this script from the misc directory to the main directory to make it work.

>python vadtools\listdll.py dump.bin 0x1051a70
DEBUG: getting string of size 64 at 00020630
DEBUG: getting string of size 24 at 00020658
01000000 services.exe
DEBUG: getting string of size 58 at 7c97dee8
DEBUG: getting string of size 18 at 7c9226a4
7c900000 ntdll.dll
DEBUG: getting string of size 64 at 00191f70
DEBUG: getting string of size 24 at 00191f98
7c800000 kernel32.dll
DEBUG: getting string of size 60 at 00192018
DEBUG: getting string of size 20 at 00192040
77c10000 msvcrt.dll
...
