CN113987498A - Method for traversing user address space based on real-time response - Google Patents


Info

Publication number: CN113987498A
Authority: CN (China)
Prior art keywords: heap, address space, traversing, memory, user address
Legal status: Pending
Application number: CN202111305378.9A
Other languages: Chinese (zh)
Inventors: 孙海旭, 杨晓秋, 张家奇
Current assignee: Harbin University of Science and Technology
Original assignee: Harbin University of Science and Technology
Priority date: 2021-11-05
Filing date: 2021-11-05
Publication date: 2022-01-28

Classifications

    • G PHYSICS
    • G06 COMPUTING; CALCULATING OR COUNTING
    • G06F ELECTRIC DIGITAL DATA PROCESSING
    • G06F 21/00 Security arrangements for protecting computers, components thereof, programs or data against unauthorised activity
    • G06F 21/50 Monitoring users, programs or devices to maintain the integrity of platforms, e.g. of processors, firmware or operating systems
    • G06F 21/55 Detecting local intrusion or implementing counter-measures
    • G06F 21/56 Computer malware detection or handling, e.g. anti-virus arrangements
    • G06F 21/566 Dynamic detection, i.e. detection performed at run-time, e.g. emulation, suspicious activities

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • General Engineering & Computer Science (AREA)
  • Software Systems (AREA)
  • Theoretical Computer Science (AREA)
  • Health & Medical Sciences (AREA)
  • General Health & Medical Sciences (AREA)
  • Virology (AREA)
  • Physics & Mathematics (AREA)
  • General Physics & Mathematics (AREA)
  • Storage Device Security (AREA)

Abstract

The invention relates to a method for traversing a user address space based on real-time response. First, the system version and configuration file of the computer are determined. Then, kernel symbols are imported according to the configuration file, matched against node information in the VAD tree, and related metadata such as memory-mapped files, shared memory, stack buffers and reserved system structures is analyzed; the NT heap and the segment heap are traversed through the PEB structure; the thread stacks are traversed through the PCB; and finally the start and end address, size, allocation protection, memory type and detailed information of each memory allocation are output. The method can effectively and completely traverse the memory address space of a Windows 10 process, helps determine the detailed information of the memory address space, reduces the workload of forensic analysts in detecting, locating and extracting malicious code, and shortens the time required for security incident response.

Description

Method for traversing user address space based on real-time response
Technical Field
The invention relates to a method for traversing a user address space based on real-time response, which can completely traverse the memory address space of a Windows 10 process, reduce the workload of forensic analysts in detecting, locating and extracting malicious code, and reduce the time required for security incident response.
Background
Memory injection is an attack technique that injects malicious code into the user address space of a process, for example shellcode injection, DLL injection and process hollowing injection; the malicious code is generally injected into, and executed from, buffers, dynamic link libraries, shared memory and other memory regions of the target process's user address space. As the current mainstream operating system, 64-bit Windows 10 is a main target of network attackers. On a 64-bit operating system, detecting malicious code in a user address space of up to 128 TB increases the effort of forensic analysts and the time required for security incident response.
A well-defined picture of the user address space plays an important role in memory forensic analysis: with detailed allocation information, the workload of forensic analysts in detecting, locating and extracting malicious code is reduced, as is the time required for security incident response. Previous memory forensics research has focused on the structure and content of the kernel address space; the structure and content of the user address space have been analyzed and researched less.
A Virtual Address Descriptor (VAD) tree is a self-balancing binary tree maintained in kernel space for each process; each node stores the basic information of one user allocation, such as its start address, end address, allocation protection and memory type. Useful information about the user address space can be obtained by traversing the VAD tree.
Disclosure of Invention
The invention aims to provide a method for traversing a user address space based on real-time response, which can inspect the user address space in real time and reduce the workload of forensic analysts in detecting, locating and extracting malicious code.
The invention is implemented in the following steps.
Step 1: determine the system version and configuration file of the computer.
Step 2: import kernel symbols according to the configuration file, match them against node information in the VAD tree, and analyze related metadata such as memory-mapped files, shared memory, stack buffers and reserved system structures.
Step 3: traverse the NT heap and the segment heap through the PEB structure.
Step 4: traverse the thread stacks through the PCB.
Step 5: output the start and end address, size, allocation protection, memory type and detailed information of each memory allocation.
Further, in step 1 it is determined whether the target system is a Windows 10 family version, and its configuration file is determined. The VAD tree structure of 64-bit Windows 10 differs from that of older versions, so the traversal methods for mapped files and shared memory differ as well.
Further, in step 2 each node of the VAD tree is maintained by an _MMVAD structure; since the VAD tree is a self-balancing binary tree, all nodes are traversed by recursing over all left and right subtrees.
Further, in step 3 segment heap blocks are also distributed in the user address space, and the start addresses of the segment heap blocks are the same as the start addresses recorded in some of the VAD tree nodes.
Further, in step 4, as found by debugging a 64-bit Windows 10 system with WinDbg, the _TEB32 structure is located at offset +0x2000 from the _TEB structure, and its DeallocationStack member points to the WOW64 stack in the user address space.
Advantageous effects
The invention discloses a method for traversing a user address space based on real-time response. The method can traverse the information of the user address space in real time, reduce the workload of forensic analysts in detecting, locating and extracting malicious code, and reduce the time required for security incident response.
Accessing user address space information through the VAD tree is reliable because the process VAD tree structure is very unstable in the running system: if malware attempts to access or modify the data in the VAD tree in an illegitimate way, the system easily crashes, so the tree is unlikely to have been tampered with.
The method can completely show the user address space layout of a 64-bit Windows 10 process, improves the completeness of traversal compared with traditional traversal methods, and is applicable to all current versions of 64-bit Windows 10.
Drawings
FIG. 1 is a flow chart of traversing the address space.
FIG. 2 is a flow chart of defining user allocations.
FIG. 3 shows experimental results of obtaining user address space information.
Detailed Description
The invention will be explained in more detail below with reference to the drawings.
Step 1 determines the system version and configuration file of the computer.
Step 2 imports kernel symbols according to the configuration file, matches them against node information in the VAD tree, and analyzes related metadata such as memory-mapped files, shared memory, stack buffers and reserved system structures. Each node of the VAD tree is maintained by an _MMVAD structure; its Core member is an _MMVAD_SHORT structure whose StartingVpn and EndingVpn members record the start and end virtual addresses of each user allocation, and whose u member records the protection of the memory allocation.
The flow chart for defining user allocations is shown in FIG. 1. Since the VAD tree is a self-balancing binary tree, all nodes can be traversed by recursing over all left and right subtrees. The start and end addresses of an allocation are derived from the StartingVpn and EndingVpn members of the VAD node. The u member of the structure records the protection of each user allocation as an index value; each index value corresponds to a different allocation protection, and these are defined in winnt.h. When the ControlArea field of a VAD tree node is a valid pointer, the memory type of the corresponding allocation is shared; otherwise it is private.
Information about a memory-mapped file is maintained by a _FILE_OBJECT file object, whose FileName member records the path of the file on disk, so the mapped file can be traversed by obtaining the file object. The traditional method of traversing mapped files obtains the kernel file object by parsing the process handle table, but that method is easily affected by rootkit hiding attacks and then cannot obtain hidden file objects. By analyzing the VAD tree instead, the FileObject members of the VAD tree nodes also point to the file object structure, so all file objects maintained by the process can be obtained by traversing all VAD nodes. In addition, the data in the VAD tree is reliable: because the process VAD tree structure is very unstable in the running system, once malware attempts to access or modify the data in the VAD tree in an illegitimate way, the system easily crashes.
Each process object structure contains a pointer to its process handle table, which holds the handles the process is using. The _SECTION structure that maintains shared memory can be obtained by parsing the handle table. Debugging the memory data structures of a 64-bit Windows 10 system with WinDbg shows that when the ControlArea member of a _SECTION structure and the ControlArea member of some VAD node point to the same address, the VAD node and the _SECTION structure describe the same user allocation.
The steps for traversing mapped files and shared memory are as follows:
Step 2-1: first obtain the file object structure from the _MMVAD structure and use its FileName member as the description of the mapped file.
Step 2-2: obtain the _SECTION objects by parsing the process handle table; when the ControlArea member of a VAD node and the ControlArea member of a _SECTION object point to the same address, describe the user allocation with the information stored in the _SECTION object, and when that information is an empty or unprintable string, describe the region as shared memory.
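Step 2's recursive VAD walk, as an added example that is not part of the patent: the node layout, the image bytes and the three allocations are constructed (real _MMVAD offsets differ by build), and the protection index table follows the kernel's MmProtectToValue ordering, which is an assumption stated in the code.

```python
import struct

PAGE_SHIFT = 12
# Protection index -> page protection, in the order of the kernel's
# MmProtectToValue table (low 3 bits of VadFlags.Protection); the names
# are the winnt.h constants the page refers to. Assumed ordering.
PROTECTION = {
    0: "PAGE_NOACCESS", 1: "PAGE_READONLY", 2: "PAGE_EXECUTE",
    3: "PAGE_EXECUTE_READ", 4: "PAGE_READWRITE", 5: "PAGE_WRITECOPY",
    6: "PAGE_EXECUTE_READWRITE", 7: "PAGE_EXECUTE_WRITECOPY",
}

# Constructed node layout (an assumption, not the real _MMVAD offsets):
# Left, Right, StartingVpn, EndingVpn (u64), VadFlags (u32, protection
# index in bits 0-2), ControlArea (u64). Node "addresses" are offsets into
# the image; offset 0 is reserved as the NULL sentinel.
NODE_FMT = "<QQQQIQ"
NODE_SIZE = struct.calcsize(NODE_FMT)

def read_node(image, addr):
    """Unpack one constructed _MMVAD-like node at addr."""
    return struct.unpack_from(NODE_FMT, image, addr)

def walk_vad(image, root, out=None):
    """Step 2: in-order recursion over left subtree, node, right subtree.
    Returns allocations in ascending start-address order."""
    if out is None:
        out = []
    if root == 0:
        return out
    left, right, start_vpn, end_vpn, flags, control_area = read_node(image, root)
    walk_vad(image, left, out)
    start = start_vpn << PAGE_SHIFT
    end = ((end_vpn + 1) << PAGE_SHIFT) - 1   # EndingVpn is inclusive
    out.append({
        "start": start,
        "end": end,
        "size": end - start + 1,
        "protection": PROTECTION.get(flags & 0x7, "UNKNOWN"),
        # A valid ControlArea pointer marks a shared (section-backed) region,
        # everything else is a private allocation.
        "type": "shared" if control_area else "private",
    })
    walk_vad(image, right, out)
    return out

def build_sample_image():
    """Constructed three-node tree: the root is a section-backed RX region,
    its left child a private RWX buffer, its right child a read-only mapping."""
    root, left, right = NODE_SIZE, 2 * NODE_SIZE, 3 * NODE_SIZE
    image = bytearray(4 * NODE_SIZE)
    struct.pack_into(NODE_FMT, image, root, left, right, 0x7ff60, 0x7ff6f, 3, 0xfffff80012340000)
    struct.pack_into(NODE_FMT, image, left, 0, 0, 0x00200, 0x00203, 6, 0)
    struct.pack_into(NODE_FMT, image, right, 0, 0, 0xff000, 0xff0ff, 1, 0xfffff80056780000)
    return bytes(image), root
```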
Step 3 traverses the NT heap and the segment heap through the PEB structure. The start address of a segment heap block is the same as the start address recorded in some VAD tree node, which means the segment heap blocks are also distributed in the user address space. Traversing the segment heap:
Step 3-1: first obtain all pointers to the process heap structures through the ProcessHeaps member of the Process Environment Block (PEB).
Step 3-2: analyze each process heap according to its heap signature, which distinguishes the NT heap from the segment heap: the signature 0xfeeffee denotes the NT heap and the signature 0xdeeddeee denotes the segment heap.
Step 3-3: before traversing the back-end allocations of the segment heap, the Windows 10 build must be determined. When the internal build number is lower than or equal to 15063, the base addresses of all back-end allocations can be obtained by traversing the linked list via the SegmentListHead member; when the build number is higher than 15063, the SegContext member is parsed as two pointers to _HEAP_SEG_CONTEXT structures, and the base addresses of all back-end allocations are obtained by traversing the linked list via the SegmentListHead member of each structure.
Step 3-4: for large block allocations, traverse all _HEAP_LARGE_ALLOC_DATA structures from the root node, and write the segment heap allocation information into the description of a user allocation when the start address of the user allocation matches the start address of the segment heap allocation.
Step 4 traverses the thread stacks through the PCB. Traversing a thread stack:
Step 4-1: first traverse the thread linked list to obtain all thread objects of the process, obtain the _TEB structure through the Teb member, and, if the start address of the structure lies within the address range of some user allocation, add the _TEB structure to the description of that allocation.
Step 4-2: retrieve the _TEB32 structure at offset +0x2000 from the _TEB structure; it also contains a DeallocationStack member, which points to a different address than the member of the same name in the _TEB structure. When the address it points to matches the base address of a user allocation, write the WOW64 stack allocation information into the description of that allocation.
Step 5 outputs the start and end address, size, allocation protection, memory type and detailed information of each memory allocation.
It can be clearly seen from the data in FIG. 3 that the method for traversing the user address space of the present invention can smoothly traverse the start and end address, size, allocation protection, memory type and detailed information of the user address space. Common memory injection attacks inject malicious code into stack buffers and mapped file regions of a user process, and the method can effectively traverse the user allocations subjected to injection while ensuring that valid digital evidence is not lost.
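Steps 3 and 4 above, as an added example that is not part of the patent: heap headers, segment lists and TEBs are modelled as constructed dicts keyed by address rather than real structures, and only the 15063 build threshold, the _TEB32 = _TEB + 0x2000 offset and the base-address matching rules come from the page. The heap signatures are the values from the Windows headers (0xFFEEFFEE for _HEAP, 0xDDEEDDEE for _SEGMENT_HEAP); the page's rendering of these constants appears to have lost characters in translation.

```python
NT_HEAP_SIGNATURE = 0xFFEEFFEE       # _HEAP.Signature (value from the Windows headers)
SEGMENT_HEAP_SIGNATURE = 0xDDEEDDEE  # _SEGMENT_HEAP.Signature
SEGCONTEXT_SPLIT_BUILD = 15063       # page: above this build the SegContexts array is used
TEB32_OFFSET = 0x2000                # page: _TEB32 lies at _TEB + 0x2000 in WOW64 processes

def classify_heap(signature):
    """Step 3-2: dispatch on the heap signature; None for an unrecognised header."""
    return {NT_HEAP_SIGNATURE: "NT heap", SEGMENT_HEAP_SIGNATURE: "segment heap"}.get(signature)

def segment_bases(heap, build):
    """Step 3-3: base addresses of the back-end segments. Up to build 15063 the
    list hangs off the heap itself; afterwards off each _HEAP_SEG_CONTEXT."""
    if build <= SEGCONTEXT_SPLIT_BUILD:
        return list(heap["SegmentListHead"])
    return [base for ctx in heap["SegContexts"] for base in ctx["SegmentListHead"]]

def find_alloc(allocs, addr):
    """The VAD-derived allocation whose [start, end] range contains addr, or None."""
    return next((a for a in allocs if a["start"] <= addr <= a["end"]), None)

def tag(allocs, addr, label, exact=True):
    """Attach label to the allocation holding addr. With exact=True the address
    must equal the allocation base, the matching rule of steps 3-3, 3-4 and 4-2."""
    alloc = find_alloc(allocs, addr)
    if alloc is None or (exact and alloc["start"] != addr):
        return False
    alloc.setdefault("info", []).append(label)
    return True

def annotate(allocs, heaps, teb_addrs, memory, build):
    """Steps 3 and 4: heaps as read from PEB.ProcessHeaps, TEB addresses from the
    thread list, and `memory` mapping structure address -> constructed field dict."""
    for heap in heaps:
        kind = classify_heap(heap["Signature"])
        if kind is None:
            continue                                   # not a heap header we understand
        tag(allocs, heap["Base"], kind, exact=False)   # heap header lives inside this VAD
        if kind == "segment heap":
            for base in segment_bases(heap, build):
                tag(allocs, base, "segment heap back-end segment")
            for base in heap.get("LargeAllocs", []):   # flattened _HEAP_LARGE_ALLOC_DATA tree
                tag(allocs, base, "segment heap large allocation")
    for teb_addr in teb_addrs:
        tag(allocs, teb_addr, "TEB", exact=False)      # step 4-1: TEB inside some allocation
        tag(allocs, memory[teb_addr]["DeallocationStack"], "thread stack")
        teb32 = memory.get(teb_addr + TEB32_OFFSET)    # step 4-2: present only for WOW64 threads
        if teb32 is not None:
            tag(allocs, teb32["DeallocationStack"], "WOW64 thread stack")
    return allocs

def sample_case(build):
    """Constructed inputs: six VAD allocations, one NT heap, one segment heap with
    a back-end segment and a large allocation, and one WOW64 thread."""
    allocs = [{"start": s, "end": e} for s, e in [
        (0x200000, 0x2fffff), (0x300000, 0x3fffff), (0x500000, 0x5fffff),
        (0x10000000, 0x100fffff), (0x20000000, 0x200fffff), (0x7ff00000, 0x7ff0ffff)]]
    heaps = [
        {"Signature": NT_HEAP_SIGNATURE, "Base": 0x200000},
        {"Signature": SEGMENT_HEAP_SIGNATURE, "Base": 0x300000,
         "SegmentListHead": [0x300000],                         # layout for build <= 15063
         "SegContexts": [{"SegmentListHead": [0x300000]},       # layout for build > 15063
                         {"SegmentListHead": []}],
         "LargeAllocs": [0x500000]},
    ]
    memory = {0x7ff00000: {"DeallocationStack": 0x10000000},
              0x7ff00000 + TEB32_OFFSET: {"DeallocationStack": 0x20000000}}
    return annotate(allocs, heaps, [0x7ff00000], memory, build)
```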
The foregoing is described in connection with specific examples, which should not be construed as limiting the invention to the specific embodiments disclosed herein. It will be apparent to those skilled in the art that various changes and modifications can be made without departing from the spirit and scope of the invention, and it is intended to cover all modifications, equivalents, and alternatives falling within the spirit and scope of the invention.

Claims (6)

1. A method for traversing a user address space based on real-time response, the method comprising the following steps:
Step 1: determine the system version and configuration file of the computer.
Step 2: import kernel symbols according to the configuration file, match them against node information in the VAD tree, and analyze related metadata such as memory-mapped files, shared memory, stack buffers and reserved system structures.
Step 3: traverse the NT heap and the segment heap through the PEB structure.
Step 4: traverse the thread stacks through the PCB.
Step 5: output the start and end address, size, allocation protection, memory type and detailed information of each memory allocation.
2. The real-time-response-based method for traversing a user address space according to claim 1, wherein in step 1 it is determined whether the target system is a Windows 10 family version, and its configuration file is determined.
3. The real-time-response-based method for traversing a user address space according to claim 1, wherein in step 2 the FileObject members of the VAD tree nodes point to the file object structure, and all VAD nodes can be traversed by a recursive method, so that all file objects maintained by a process can be obtained; the mapped file and shared memory data obtained from the VAD tree are reliable.
4. The real-time-response-based method for traversing a user address space according to claim 1, wherein in step 3 the segment heap was newly added by Windows 10 on the basis of the NT heap, the heap signature of the NT heap is 0xfeeffee, the heap signature of the segment heap is 0xdeeddeee, and the NT heap and the segment heap are distinguished according to the heap signature.
5. The real-time-response-based method for traversing a user address space according to claim 1, wherein in step 4 a WOW64 process runs as a 64-bit process and a 32-bit process simultaneously on a 64-bit system, and each thread of the WOW64 process has two execution contexts, maintained by two thread context block structures, TEB and TEB32, respectively.
6. The real-time-response-based method for traversing a user address space according to claim 1, wherein in step 5 the information of the user address space is output in the form of a list.

Priority Applications (1)

Application number: CN202111305378.9A (publication CN113987498A); priority date: 2021-11-05; filing date: 2021-11-05; title: Method for traversing user address space based on real-time response

Publications (1)

Publication number: CN113987498A; publication date: 2022-01-28

Family

ID=79746726

Family Applications (1)

Application number: CN202111305378.9A (CN113987498A), pending; priority date: 2021-11-05; filing date: 2021-11-05; title: Method for traversing user address space based on real-time response

Country Status (1)

CN: CN113987498A (en)

Citations (4)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN104102881A (en) * 2014-07-07 2014-10-15 杭州电子科技大学 Kernel object link relation based memory forensics method
CN104392171A (en) * 2014-11-27 2015-03-04 南京大学 Automatic memory evidence analyzing method based on data association
CN104715201A (en) * 2015-03-31 2015-06-17 北京奇虎科技有限公司 Method and system for detecting malicious acts of virtual machine
CN110765460A (en) * 2019-10-11 2020-02-07 海南师范大学 Rootkit stealth attack memory evidence obtaining technology based on immunity

Similar Documents

Publication Publication Date Title
US10977370B2 (en) Method of remediating operations performed by a program and system thereof
US11507663B2 (en) Method of remediating operations performed by a program and system thereof
Bhatkar et al. Address obfuscation: An efficient approach to combat a broad range of memory error exploits
Dhurjati et al. Backwards-compatible array bounds checking for C with very low overhead
Nagarakatte et al. CETS: compiler enforced temporal safety for C
KR101201118B1 (en) System and method of aggregating the knowledge base of antivirus software applications
Sekar et al. Model-carrying code: a practical approach for safe execution of untrusted applications
CN111240689B (en) Application program construction method, device, equipment and storage medium
US20070027873A1 (en) Content-based file system security
WO2020211236A1 (en) Read-write conflict resolution method and apparatus employing b+ tree and storage medium
WO2017064710A1 (en) Method of remediating a program and system thereof by undoing operations
Wagner et al. Detecting database file tampering through page carving
Pagani et al. Back to the whiteboard: A principled approach for the assessment and design of memory forensic techniques
Fu et al. Data correlation‐based analysis methods for automatic memory forensic
Zhu et al. Scalable static detection of use-after-free vulnerabilities in binary code
US6898555B2 (en) Method for indicating the integrity of use-information of a computer program
CN113987498A (en) Method for traversing user address space based on real-time response
Newsham et al. Breaking forensics software: Weaknesses in critical evidence collection
US7634521B1 (en) Technique for scanning stealthed, locked, and encrypted files
CN102194071B (en) Time-domain-based data evidence acquisition and cross analysis method
Jiang et al. Kakute: A precise, unified information flow analysis system for big-data security
US8397295B1 (en) Method and apparatus for detecting a rootkit
KR102122968B1 (en) System and method for analyzing of application installation information
White Identifying the unknown in user space memory
Zhu et al. Towards a novel approach for hidden process detection based on physical memory scanning

Legal Events

Date Code Title Description
PB01 Publication
SE01 Entry into force of request for substantive examination