内存转储中的进程与线程研究.docx

SearchingforprocessesandthreadsinMicrosoftWindowsmemorydumpsMicrosoftWindows内存转储中的进程与线程研究Abstract摘要Current tools to analyze memory dumps of systems running Microsoft Windows usuallybuild on the concept of enumerating lists maintained by the kernel to keep track of processes,threads and other objects. Therefore they will frequently fail to detect objectsthat are already terminated or which have been hidden by Direct Kernel Object Manipulationtechniques.现在用于分析运行Microsoft Windows的内存转储系统的工具，通常建立在被内核维护的、用于跟踪进程、线程以及其它对象的枚举列表概念之上。因此，在探测那些已经被终止或者已经被直接内核对象操纵技术（DKOM）隐藏的对象时，它们经常失败。This article analyzes the in-memory structures which represent processes and threads. Itdevelops search patterns which will then be used to scan the whole memory dump fortraces of said objects, independent from the aforementioned lists. As demonstrated bya proof-of-concept implementation this approach could reveal hidden and terminated processesand threads, under some circumstances even after the system under examinationhas been rebooted.本文分析了表示进程和线程的内存储结构。本文研究的搜索模式，将会用于扫描整个内存转储，以跟踪独立于上述列表的所述对象。由一种概念证明实施的证明，该方法能够揭示隐藏或被终止的进程和线程，甚至是在检测中被重启过的系统。Keywords:Digital evidence,Forensic examination,Microsoft Windows, Volatile data, Incident postmortem关键词：数字证据，法律检查，Microsoft Windows，不稳定数据，事件检视1.Introduction引入The physical memory of a computer running MicrosoftWindows 2000 or one of its descendants contains all metainformationnecessary to manage the processes that are currentlyexecuted. As Chow, Pfaff, Garfinkel and Rosenblumshowed, such meta-information in kernelmemory can surviveperiods over 14 days and longer while the system is in use(Chow et al., 2005). Despite its volatile nature kernel memorythus is a useful information source in a forensic examination.在一台运行MicrosoftWindows 2000或其后续版本系统的计算机上，其实体存储包括所有管理正在运行进程的必要元信息。正如Pfaff, Garfinkel和Rosenblum所述，在内核存储中的这类元信息，在系统被使用时能够存留14天甚或更长。不考虑它的易挥发特性，这种内核存储是用于鉴定的实用信息源。Several methods exist to dump the physical memory’s contentsto a file. Carrier and Grand (2004)