Walking the VAD Tree

Virtual Address Descriptors (VADs) record the usage of virtual addresses by a process. VADs are kept in a balanced tree; a member of the _EPROCESS structure points to the root node. Rebuilding the VAD tree makes it possible to reconstruct a process' memory space along with all the files mapped into it. Brendan Dolan-Gavitt will speak about the matter at DFRWS 2007. He has just released a set of tools called vadtools to accompany his paper.

Vadtools are written in Python and hence require a Python interpreter. The tools work with plain (dd-style) memory dumps; the Windows crash dump format is not supported.

The reconstructed VAD tree

vadwalk.py reconstructs the VAD tree. It displays the result either as a table, an ASCII tree or a DOT file suitable for rendering with GraphViz.

Detailed view of the VAD tree

vadinfo.py reports a lot of technical details for every single VAD. Shown below is the VAD for an event log file that has been mapped into memory by the event log service, which runs inside services.exe.
>python vadtools\vadinfo.py  dump.bin 0x1051a70
...
VAD node @ffba4560 Start 00a10000 End 00a20000 Level 4 Tag Vad
Flags:
Commit Charge: 0 Protection: 4
ControlArea @811a79d8 Segment e14d0850
Dereference list: Flink 00000000, Blink 00000000
NumberOfSectionReferences:          2 NumberOfPfnReferences:           1
NumberOfMappedViews:                2 NumberOfSubsections:             2
FlushInProgressCount:               0 NumberOfUserReferences:          2
Flags: Accessed, HadUserReference, WasPurged, File
FileObject @811a7740 (01107740), Name: \WINDOWS\system32\config\AppEvent.Evt
WaitingForDeletion Event: 00000000
ModifiedWriteCount:        0 NumberOfSystemCacheViews:        1
First prototype PTE: e15214b8 Last contiguous PTE: e15214f4
Flags2:
File offset: 00000000
..
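The walk that vadwalk.py performs, as an added example that is not part of the post or of vadtools: an in-order traversal of a constructed VAD tree using a node layout modelled on the 32-bit Windows XP _MMVAD_SHORT (an assumption; the field order, the treatment of pointers as plain image offsets and the sample addresses are constructed for this example). The walk refuses to follow null, out-of-image or already-visited pointers, which is what keeps a corrupted tree in a real dump from sending the tool into an endless loop.

```python
import struct

PAGE_SHIFT = 12
# Constructed node layout modelled on the 32-bit Windows XP _MMVAD_SHORT
# (an assumption, not vadtools' parser): StartingVpn, EndingVpn, Parent,
# LeftChild, RightChild, LongFlags, all little-endian 32-bit.
NODE_FMT = "<IIIIII"
NODE_SIZE = struct.calcsize(NODE_FMT)

def build_image(nodes):
    """Serialise {offset: (svpn, evpn, parent, left, right, flags)} into a flat image.
    Pointers are plain offsets into this image; a real dump needs page-table
    translation of the virtual addresses stored in the nodes."""
    buf = bytearray(max(nodes) + NODE_SIZE)
    for off, fields in nodes.items():
        struct.pack_into(NODE_FMT, buf, off, *fields)
    return bytes(buf)

def walk_vad(image, node, level=0, seen=None, max_depth=64):
    """In-order walk yielding (level, start, end); end is the last byte of the
    region. Null pointers, pointers outside the image, revisited nodes and
    excessive depth stop the walk, so a corrupted tree cannot loop forever."""
    seen = set() if seen is None else seen
    if node == 0 or node + NODE_SIZE > len(image) or node in seen or level > max_depth:
        return
    seen.add(node)
    svpn, evpn, _parent, left, right, _flags = struct.unpack_from(NODE_FMT, image, node)
    yield from walk_vad(image, left, level + 1, seen, max_depth)
    yield (level, svpn << PAGE_SHIFT, ((evpn + 1) << PAGE_SHIFT) - 1)
    yield from walk_vad(image, right, level + 1, seen, max_depth)

def ascii_tree(image, root):
    """Render one line per VAD, indented by its level in the tree."""
    return ["  " * lvl + f"{start:08x}-{end:08x}" for lvl, start, end in walk_vad(image, root)]

# Constructed sample: root describes ntdll.dll, left child the mapped AppEvent.Evt
# region, right child the PEB page (addresses taken from the listings on this page).
ROOT = 0x100
IMAGE = build_image({
    0x100: (0x7c900, 0x7c9af, 0x000, 0x200, 0x300, 0),
    0x200: (0x00a10, 0x00a1f, 0x100, 0x000, 0x000, 0),
    0x300: (0x7ffd5, 0x7ffd5, 0x100, 0x000, 0x000, 0),
})
# Constructed corrupt tree: the node's LeftChild points back at itself.
CYCLIC = build_image({0x100: (0x10, 0x10, 0, 0x100, 0, 0)})

if __name__ == "__main__":
    print("\n".join(ascii_tree(IMAGE, ROOT)))
```

Because the traversal is in-order, the yielded regions come out sorted by address, which is the same ordering a table view of the tree needs.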
vaddump.py writes the memory regions described by the VAD nodes into separate files. procdump.py reconstructs a single DLL or EXE file. I had to copy this module from the misc directory to the distribution's main directory to get it to work. As documented in the README file, this script also requires the pefile module.
>python vadtools\procdump.py -e test.exe dump.bin 0x1051a70
DEBUG: PEB found at 7ffd5000 (67ab000)
DEBUG: Starting section .text
DEBUG: Starting section .data
DEBUG: Starting section .rsrc
listdlls.py provides a list of all dynamic link libraries loaded by a process. Again, I had to copy this script from the misc directory to the main directory to make it work.
>python vadtools\listdll.py dump.bin 0x1051a70
DEBUG: getting string of size 64 at 00020630
DEBUG: getting string of size 24 at 00020658
01000000 services.exe
DEBUG: getting string of size 58 at 7c97dee8
DEBUG: getting string of size 18 at 7c9226a4
7c900000 ntdll.dll
DEBUG: getting string of size 64 at 00191f70
DEBUG: getting string of size 24 at 00191f98
7c800000 kernel32.dll
DEBUG: getting string of size 60 at 00192018
DEBUG: getting string of size 20 at 00192040
77c10000 msvcrt.dll
...

Copyright © 2005-2012 by
Andreas Schuster
All rights reserved.