Rekall Memory Forensic Framework

2017621 RekallMemoryForensicFramework
WindowsVirtualAddressTranslationandthePagefile.
MichaelCohen
<scudette@gmail.com(mailto:scudette@gmail.com)>
TableofContents
1.Acquiringthepagefile.
2.AddingthepagefiletoRekall.
3.VirtualPageTranslationinwindows.
3.1.HardwarePTEstates
3.2.SoftwarePTEstates
3.3.PTEResolutionAlgorithm
4.Experiment
5.Analysis
6.Conclusions
Afundamentalcapabilityofanymemoryanalysisframeworkistoreconstructthevirtualaddressspacefromthememoryimage.
WhileinprinciplethistaskisdocumentedbytheIntelorAMDprogrammermanuals,inpracticeoneneedstotakeintoaccount
operatingsystemspecificinformationtofullyusealltheinformationavailable.
Rekallisthefirstopensourcememoryforensicframeworktocurrentlytakeadvantageofthepagefileduringtheanalysisof
windowssystems.TheWinPmemacquisitiontoolsinceversion1.6.2iscapableofautomaticallycapturingthepagefileduring
acquisition.
InthisblogpostweexplorehowRekalltranslatesvirtualaddressesintotheirphysicaloffsetsaprerequisitetobeingableto
readprocessandkerneladdressspaces.
IwasrecentlyattheSANSDFIRSummitandgottospeakwithmanypractitionersusingmemoryanalysistoolssuchasRekallorVolatility.Oneof
thecommentsIfoundinterestingisthatpeopleaskedwhydowenotusethepagefileforwindowsinvestigations?Apparentlymanypeoplehave
foundthatcriticalinformationwasnotrecoverablebyRekallorVolatilitybecausethepageswerenotresident(accordingtothetool).
IdecidedtoaddpagefilesupporttoRekall,andasaresultofmyresearchintohowpagingworksinWindows,Ihavediscoveredmanyinteresting
factsaboutthewaywindowsperformsvirtualaddresstranslation.ThisblogpostdiscusseswhatIfoundandhowthisanalysisisimplementedin
Rekall.Thebelowreflectsmycurrentunderstandingofhowthingswork,butsincetheexactbehaviorisnotdocumentedbyMicrosoft,theremaybe
inaccuracies.Ifyouspotanerror,pleaseletmeknowsowecantakenewinformationintoaccount.
1.Acquiringthepagefile.
Thefirststeptoanalyzingthepagefileistoactuallyacquireit.Whentheoperatingsystemisrunning,thepagefileislockedforexclusiveuseofthe
operatingsystem.Thismeansthatitisgenerallynotpossibletoopenandreadthefiledirectly(FutureversionsofWinPmemshouldhavesupport
forautomaticallyexposingthepagefilefromkernelspace.).
ThetraditionalwaytocopythepagefileoutisviatheTSKtoolset,usingforexampleacommandsuchas:
C:\>fcat.exepagefile.sys\\.\c:>pagefile.dd
ThisopenstherawdevicecorrespondingtotheCdrive,andextractsthefilepagefile.sysbyparsingtheNTFSfilesystemdirectlythereby
bypassingtheWindowsfilelocking.
Iintegratedastaticallycompiledversionof fls.exe inWinpmemandupdatedthetooltoallowfortheacquisitionofthepagefileinadditiontothe
standardELFformatmemoryimage.
C:\projects\rekall\tools\windows\winpmem>winpmem_1.6.2.exepeswapped.elf
Willwriteanelfcoredump.
ExtractingdrivertoC:\Users\mic\AppData\Local\Temp\pme6EBA.tmp
DriverUnloaded.
http://www.rekallforensic.com/posts/20141025pagefile.html 1/16
LoadedDriverC:\Users\mic\AppData\Local\Temp\pme6EBA.tmp.
DeletingC:\Users\mic\AppData\Local\Temp\pme6EBA.tmp
Willwriteanelfcoredump.
CR3:0x0000187000
2memoryranges:
Start0x00001000Length0x0009E000
Start0x00100000Length0x3FEF0000
AcquitisionmodePTERemapping
00%0x00001000.
00%0x00100000..................................................
04%0x03300000..................................................
[..snip..]
97%0x3E900000.......................
ExtractingfcattoC:\Users\mic\AppData\Local\Temp\flsA0A4.tmp
LaunchingC:\Users\mic\AppData\Local\Temp\flsA0A4.tmppagefile.sys\\.\C:
Preparingtoreadpagefile.
0Mb..................................................
50Mb..................................................
[..snip..]
1050Mb....................
DriverUnloaded.
ThepagefileisappendedtotheELFfile(soitdoesnotappearinanyprogramheaders)andashortYAMLfooterisappended.Thisallowsusto
writetheimagetoanonseekablepipe(e.g.soitcanbesentovernetcatorencrypted)whilestillappendingdatatoit.WhenRekallreadstheimage
itfollowsthe PreviousHeader pointerineachYAMLfootertotraverseallthefooters.
82DF217012120101000AE0260145710E0A0E7C07.......&.Eq...|.
82DF2180440E2107440E020E0A0E700E7C0E990ED.!.D.....p.|...
82DF2190320E700E320E990E320E020E480E320E2.p.2...2...H.2.
82DF21A0A90E210E1A0101121202120212121212..!.............
82DF21B012121212121212121212121201232050.............#P
82DF21C04D454D0A2D2D2D0A50726576696F7573MEM..Previous
82DF21D04865616465723A203078336666386530Header:0x3ff8e0
82DF21E065380A5061676566696C654F66667365e8.PagefileOffse
82DF21F0743A20307833666638653162640A5061t:0x3ff8e1bd.Pa
82DF2200676566696C6553697A653A2030783432gefileSize:0x42
82DF22106536343030300A2E2E2E0Ae64000.....
swapped.elf0x82DF221B/0x82DF221B
Rekallcanautomaticallyidentifythepagefileembeddedinthisfileandaddittotheanalysis.Itispossibletosimplyextractthepagefilefromthe
Winpmemimagebyusingdd(forexampleinordertouseitinanotherframework):
$ddif=swapped.elfof=pagefile.ddbs=1skip=$((0x3ff8e1bd))
2.AddingthepagefiletoRekall.
SonowthatWinpmemcanacquirethepagefilewecanaddthepagefileintoRekall.Butthemainproblemishow?
Rekallusesa"PagingAddressSpace"(forexamplethe AMD64PagedMemory addressspace)totranslatevirtualaddressestophysicaladdresses.
Theprocessisillustratedinthefigurebelow.TheVirtualAddressSpaceisstackedoverthephysicaladdressspace(i.e.theimage)suchthata
read() operationissuedtotheVirtualAddressSpaceistranslatedintoaspecificoffsetfromtheimage.
Figure1.Thevirtualaddressspaceisstackedoverthephysicalimage.
Unfortunatelytheexistingcodemakesfrequentuseofthephysicaladdress.Forexample,thescanninginfrastructureoptimizesphysicaladdress
spacereadoperations,scanningpluginstypicallyscanthephysicaladdressspaceforpoolsignaturesetc.Itwouldbeamajorrefractoringexercise
tomodifypluginstoalsosupportthepagefile.
Therehastobeaneasierway!ThesolutionwecameupwithinRekallistomapthepagefileintothephysicaladdressspacetoo.Afterall,the
pagefileissimplyanextensionofthephysicalmemoryWhenphysicalmemoryisexhausted,theoperatingsystemsimplymovesthepageintothe
pagefile.Similarlywecanreferenceitsnewlocationinthesamephysicaladdressspace.Thisschemeisillustratedinthefigurebelow.
Figure2.Thepagefileismappedintothephysicaladdressspace.
ThepreviousRekallimplementationusesthe AMD64PagedMemory addressspaceforalloperatingsystems,butobviouslyweneedtotreatthe

windowspagefiledifferentlyfromotheroperatingsystemswhenwesupportwindowsspecificpagefiles.Infactthereisasubtlebuginprevious
Rekallversions(andVolatility),whichusethiscodetodetermineifaPTEisvalid:
ThiscodeisaholdoverfromtheoldVolatilitycodebaseandwasintroducedbackwhenpeoplenoticedthatmanypagesonawindowsimagearein
Transition .Pagesinthe Transition statearewaitingtobewrittentothepagefilebutstillcontainvaliddata.Itsjustthatasfarasthehardwareis
concernedtheyarenotvalid(soCPUaccesstothesepageswillgenerateapagefault).Windowsusesthespecial Transition and Prototype
flags(bits10and11)toindicatethepageisintransition.Volatilitycansimplytreatthepageasvalidanyway(sinceitstillcontainsvaliddata).This
wasagoodideaatthetimeandgaveusaccesstomorevalidpagesonwindowsimages.
Butthiscodeisstrictlyincorrect!The AMD64PagedMemory addressspaceisusedforalloperatingsystemsandotheroperatingsystemsdonotuse
bits10and11inthisway.HenceitislikelythatthiswouldproducesubtlycorrupteddataonLinuxandOSX!
Clearlyweneedtohaveaspecializedaddressspaceforthedifferentoperatingsystems.HenceinRekallweintroducethe
WindowsAMD64PagedMemory whichisonlyactiveforwindowsprofiles.Thisaddressspaceactuallychangesthewaythatvirtualpagetranslationis
donealmostcompletelytoemulatetheWindowskernelasaccuratelyaspossible.LinuxandOSXshouldgettheirownaddressspacesinfuture
(e.g.tohandlecompressedmemory).
3.VirtualPageTranslationinwindows.
InthissectionwetrytosummarizehowvirtualpagetranslationworksonWindows.Theseminalworkonthissubjectwasactuallypublishedbackin
2007by JesseKornblum (Kornblum,JesseD."UsingeverypartofthebuffaloinWindowsmemoryanalysis."DigitalInvestigation4.1
(2007):2429).Thiswasashortbutextremelyimportantpaperonthesubject.(Iamfranklyalittleembarrassedthatwedidnotimplementthe
publishedalgorithmsuntil2014almost7yearslate!).Unfortunatelythingshavechangedortherearesomeinaccuraciesintheoriginalwork.We
thereforeneedtoreexaminepagingonwindowscurrentlyandverifythealgorithmspublished.
InthebelowIwilltrytosummarizetheimportantpointsandpointouthowtheseareimplementedinRekall.Inordertounderstandhowpaging
worksonwindows,Iwroteasampletestprogram,whichsetupsomeknownmemoryregionsmarkedwithaknownpattern(Thesourcecodecan
worksonwindows,Iwroteasampletestprogram,whichsetupsomeknownmemoryregionsmarkedwithaknownpattern(Thesourcecodecan
beseenbelow).Ithenacquiredthememoryimages(includingpagefile)andattemptedtoreproducetheknownstateoftheprogram.
WhentheCPUaddressesmemorywhilerunninginprotectedmode,theMemoryManagementUnit(MMU)isthehardwarecomponentwhichis
responsibleforfetchingthecontentfromthephysicalmemory.TheMMUusestheControlRegister3( CR3 )toreferto PageTables whichspecifya
translationbetweenthevirtualaddressandphysicalmemory.
Sincethistranslationhappensinhardwareitisveryfast,andmoreimportantlyitisoperatingsystemindependent.Theoperatingsystemsimplysets
upthepagetablesinadvanceandthenloadstheiraddressintothe CR3 registerandthehardwareimmediatelytranslatesthevirtualmemory
accordingtothis(Thisishowprocesscontextswitchingworks,theOSsimplyswitches CR3 fromoneprocesssmemorylayouttotheotherand
eachprocesshasadifferentvirtualmemorylayout).
Thepagetablesaremultilevel(e.g.on64bitarchitecturestheyhave4levels)butessentiallycontainPageTableEntries( PTE ).Iwontgointothe
specificofhowthehardwarefollowsthepagetablesthemselvesbecausethatiscoveredinmanyreferences,includingIntel64andIA32
ArchitecturesSoftwareDeveloperManuals(http://www.intel.com/content/www/us/en/processors/architecturessoftwaredevelopermanuals.html).
Mydiscussionbelowfocuseson64bitarchitectures,but32bitarchitecturesareanalogous.
The PTE isa64bitintegerwhichissplitintovariousbitfieldsandflags.ThePTEcanbeinanumberofstates,markedbyvariousflags.These
statesdeterminehowtointerpretthePTE.OnWindows,therearekernelstructswhichcanbeusedineachstate,makingiteasiertointerpretthe
PTE.BelowweillustratethestatesusingtherelevantkernelstructsandRekall.
TherearetwotypesofPTEs,whichIwillcall HardwarePTE sand SoftwarePTE s.TheHardwarePTEsareonesthatcanbeseeninresponseto
apagefaulti.e.thehardwareseesthePTE,asittraversesthepagetablesfromthePageDirectoryEntry( PDE ).HardwarePTEsaretypically
allocatedinlowphysicalmemoryaddressesandformpartofthepagetablesoftheoperatingsystem.
SoftwarePTEsareallocatedoutofpoolspace.TypicallythesePTEsareusedtomanagelargememorymappings.Forexample,whenaVAD
regionisadded,thesystemallocatesanarrayofcontinuousPTEswhichwillbeusedtocontrolthemapping.SoftwarePTEsareusuallythetarget
ofPrototypePTEs.
Althoughsimilar, SoftwarePTE and HardwarePTE donotshareexactlythesamestates.ThereforeIwilllistallthestatesthateachtypeofPTE
canhaveunderdifferentheaders.
3.1.HardwarePTEstates
Recallthata HardwarePTE islinkeddirectlyfromthePageDirectoryEntry(PDE).ThefollowingarethevalidPTEstatesforit.
3.1.1.ValidState
TheValidstateissignifiedbytheValidflagbeingset.InthiscasethehardwareisresponsibleforinterpretingthePTEaccordingtothelayoutof
_PTE_HARDWARE .NotethatsincethehardwaremustinterpretthePTEalloperatingsystemsmustusetheexactsamelayout.
[_MMPTE_HARDWARE_MMPTE_HARDWARE]@0x000000
OffsetFieldContent

0x0Accessed[BitField(56):Accessed]:0X000000
0x0CacheDisable[BitField(45):CacheDisable]:0X000000
0x0CopyOnWrite[BitField(910):CopyOnWrite]:0X000000
0x0Dirty[BitField(67):Dirty]:0X000000
0x0Dirty1[BitField(12):Dirty1]:0X000000
0x0Global[BitField(89):Global]:0X000000
0x0LargePage[BitField(78):LargePage]:0X000000
0x0NoExecute[BitField(6364):NoExecute]:0X000000
0x0Owner[BitField(23):Owner]:0X000000
0x0PageFrameNumber[BitField(1248):PageFrameNumber]:0X000000
0x0SoftwareWsIndex[BitField(5263):SoftwareWsIndex]:0X000000
0x0Unused[BitField(1011):Unused]:0X000000
=1>0x0Valid[BitField(01):Valid]:0X000000
0x0Write[BitField(1112):Write]:0X000000
0x0WriteThrough[BitField(34):WriteThrough]:0X000000
0x0reserved1[BitField(4852):reserved1]:0X000000
IftheValidflagisnotset,thehardwaredoesnotcareaboutanyoftheotherflags,itwillsimplygenerateapagefaultintotheoperatingsystems
pagefaulthandlerandpassthePTEtoit.ThismeansthatforalltheotherstatesofthePTE,theOSisfreetointerpretthePTEasitwishes,i.e.we
musthaveoperatingsystemspecificcodetohandleinvalidPTEs.
3.1.2.TransitionState
WindowshasaWorkingSetTrimmer`acomponentwhichremovespagesfromprocessesworkingset(TheWorkingSetisbetterknownasthe
ResidentSetinPOSIX,butisessentiallythesetofallpagesthatcanbeaccessedbytheprocesswithoutfaulting.).Thetrimmertriestoremove
pagesintothepagefiletoincreasethetotalnumberofavailablephysicalpagesinthesystem.However,ratherthanimmediatelywritingthepages
tothepagefile,thepageisfirstputintothetransitionstate.Thisallowsthepagetobewrittenintothepagefilelater,whilestillcontainingvaliddata
inmemory,incasetheprocessneedsthatpagelater(itcanquicklybefaultedbackintotheworkingset).
Soapageintransitioncontainsvaliddata,butwhenaprocessaccessesit,thehardwarewillpagefaultintotheOShandlerwhichwillsimplymark
thepageasvalid.
PagesareintheTransitionstateiftheTransitionflagison,andthePrototypeflagisoff:
[_MMPTE_TRANSITION_MMPTE_TRANSITION]@0x000000
OffsetFieldContent

0x0CacheDisable[BitField(45):CacheDisable]:0X000000
0x0Owner[BitField(23):Owner]:0X000000
0x0PageFrameNumber[BitField(1248):PageFrameNumber]:0X000000
0x0Protection[BitField(510):Protection]:0X000000
=0>0x0Prototype[BitField(1011):Prototype]:0X000000
=1>0x0Transition[BitField(1112):Transition]:0X000000
0x0Unused[BitField(4864):Unused]:0X000000
0x0Write[BitField(12):Write]:0X000000
0x0WriteThrough[BitField(34):WriteThrough]:0X000000
RekallcanmakeimmediateuseofpagesinTransitionsincetheirdataisstillvalid.
3.1.3.PrototypeState
Thesamephysicalpagesmaybesharedbetweenmanydifferentprocesses.ThisiseasytodosinceyoucanjusthavemultiplePTEsreferringto
thesamephysicalpage.TheproblemfortheOSishowtocoordinatetrimmingofsharedpages.Sincetherearemanyreferencestothesame
physicalpage,iftheOSneedstoe.g.relocatethephysicalpageintothepagefile,itwillneedtosearchandupdateallthesereferences.Sincethis
isveryinefficient,theWindowssolutionistouseakindof"symlink"PTEtodirectsharedpagestoanotherPTEcalleda PrototypePTE .Thuswe
onlyneedtoupdatethePrototypePTEandallPTEsthatrefertothesharedmemorywillbecomeautomaticallyupdated.
SothebestwaytothinkofaPrototypePTEisthatitisa symlink tosomethingelse.HereisthewindowsstructforthePrototypePTE:
[_MMPTE_PROTOTYPE_MMPTE_PROTOTYPE]@0x000000
OffsetFieldContent

0x0ProtoAddress[BitField(1664):ProtoAddress]:0X000000
0x0ReadOnly[BitField(89):ReadOnly]:0X000000
0x0Unused0[BitField(18):Unused0]:0X000000
The ProtoAddress fieldcontainstheaddresstotheprototypePTE(whichisallocatedfromsystempool).ThetargetofthePrototypePTEiswhatI

refertoasa SoftwarePTE ,andcanonlytakeonthestatesappropriatefortheSoftwarePTE(seebelow).
TheprototypePTEisallocatedbythesystem,henceitisaVirtualAddressinthekernelsvirtualaddressspace.Contrastthis
withthe PageFrameNumber fieldfromotherstateswhichrefertothephysicaladdressspace.
3.1.4.VADPrototypePTE
Ifthe HardwarePTE lookslikeaPrototypePTE(i.e.hasValid=0,Prototype=1),andthe ProtoAddress isequaltothespecialvalue
0xFFFFFFFF0000 thismarksaVADPrototype.InthiscasewemustfindtheVADregionwhichcorrespondswiththevirtualaddressinquestion.The
MMVAD structthencontainsarangeofPTEswhichcorrespondswiththeentireVADrange.Wethencalculatetherelativeoffsetoftheoriginalvirtual
addressintotheVADregiontofinditscorrespondingPTE.
Forexamplesaywetrytoresolveaddress0x10000:
1.TraversingthepagetablesweidentifyaVADPrototypePTE(i.e. ProtoAddress =0xFFFFFFFF0000).
2.WesearchtheprocessVADsfortheregionofinterest.Saywefindaregionfrom0x8000to0x20000.
3.The_MMVADobjectforthisregionhasa FirstPrototypePte member(sayitpointsto0xFFFF1000000).
4.ThePTEwewantisthereforelocatedat(0x100000x8000)/0x1000+0xFFFF1000000
5.WeresolvethephysicaladdressfromthatPTE.
3.1.5.VadHardwarePTE
IfthePTEiscompletely0,thismeansthattheVADshouldbeconsulted.ThisconditionseemstoalsobethecaseforwhenthePDEpointingtothe
PTEisinvalid(I.e.theentirepagetableisnotvalid).InthiscaseweneedtoexaminetheVADinanidenticalwaytothe VADPrototypePTE above.
Thisstateseemstobeidenticaltotheoneabove.
3.1.6.SoftwareState
Ifboththe Prototype and Transition flagsareunset,thePTEreferstoaSoftwarePTE:
[_MMPTE_SOFTWARE_MMPTE_SOFTWARE]@0x000000
OffsetFieldContent

0x0InStore[BitField(2223):InStore]:0X000000
0x0PageFileHigh[BitField(3264):PageFileHigh]:0X000000
0x0PageFileLow[BitField(15):PageFileLow]:0X000000
0x0Reserved[BitField(2332):Reserved]:0X000000
=0>0x0Transition[BitField(1112):Transition]:0X000000
0x0UsedPageTableEntries[BitField(1222):UsedPageTableEntries]:0X000000
TheSoftwarePTEreferstoapagedoutpage.The PageFileHigh memberistheframenumberinthepagefile(i.e.itmustbemultipliesby0x1000

togetthefileoffset).The PageFileLow memberisthenumberofpagefile(Windowssupportsupto16pagefiles).
Windowsactuallykeepsdatastructuresoftheavailablepagefiles,theirlocationandstats.Iwrotethe pagefiles plugintoshowthisinformation:
[1]Defaultsession12:25:54>pagefiles
_MMPAGING_FILENumberSize(b)Filename

0xfa8001cae01001207721984\??\C:\pagefile.sys
0xfa8001cae01001207721984\??\C:\pagefile.sys
[1]Defaultsession12:25:57>printsession.profile._MMPAGING_FILE(0xfa8001cae010)
[_MMPAGING_FILE_MMPAGING_FILE]@0xFA8001CAE010
0x00Size[unsignedlonglong:Size]:0x00047FC6
0x08MaximumSize[unsignedlonglong:MaximumSize]:0x0005DC00
0x10MinimumSize[unsignedlonglong:MinimumSize]:0x0003E800
0x18FreeSpace[unsignedlonglong:FreeSpace]:0x0000EF68
0x20PeakUsage[unsignedlonglong:PeakUsage]:0x00043DF3
0x28HighestPage[unsignedlonglong:HighestPage]:0x00000000
0x30File<_FILE_OBJECTPointerto[0xFA8001D15070](File)>
0x38Entry<Array2xPointer@0xFA8001CAE048>
0x48PageFileName[_UNICODE_STRINGPageFileName]@0xFA8001CAE058(\??\C:\pagefile.sys)
0x58Bitmap<_RTL_BITMAPPointerto[0xFA8001D40000](Bitmap)>
0x60EvictStoreBitmap<_RTL_BITMAPPointerto[0x00000000](EvictStoreBitmap)>
0x68BitmapHint[unsignedlong:BitmapHint]:0x0001220C
0x6CLastAllocationSize[unsignedlong:LastAllocationSize]:0x00000012
0x70ToBeEvictedCount[unsignedlong:ToBeEvictedCount]:0x00000000
0x74BootPartition[BitField(45):BootPartition]:0x00000001
0x74PageFileNumber[BitField(04):PageFileNumber]:0x00000000
0x74Spare0[BitField(516):Spare0]:0x00000000
0x76AdriftMdls[BitField(01):AdriftMdls]:0x00000000
0x76Spare1[BitField(116):Spare1]:0x00000000
0x78FileHandle<VoidPointerto[0xFFFF80000204](FileHandle)>
0x80Lock[unsignedlonglong:Lock]:0x00000000
0x88LockOwner<_ETHREADPointerto[0xFA8002D93061](LockOwner)>
Youcanseethesizeofthepagefile,andalsotheallocationbitmap(whichpagesinthepagefilearecurrentlyused.).Notethatthe PageFileNumber
associatesthe PageFileLow memberofthe _MMPTE_SOFTWARE structwiththepagefilepath.
Ifwehavethepagefileavailable,wecanresolvethePTEimmediatelyandreadthedatafromthepagefile.
3.2.SoftwarePTEstates
Forsomeofthestatesabove,whentheHardwarePTEisresolved,itmightresultinreferringtoaSoftwarePTE(e.g.inVadPTEsorPrototype
PTEs).DecodingtheSoftwarePTErequiresthefollowingstates.
3.2.1.Valid
SameasHardwarePTEs.Canberesolvedimmediately.
3.2.2.Transition
SameasHardwarePTEs.Canberesolvedimmediately.
3.2.3.SubsectionPrototypePTE
IfthePTEhasthePrototypebitset,andValidbitunset(P=1,V=0)itisaSubsectionPTE.
ASubsectionPTEreferstoaninstanceofa _SUBSECTION objectandisusedtodenoteaFileMapping:
[_MMPTE_SUBSECTION_MMPTE_SUBSECTION]@0x000000
OffsetFieldContent

0x0Prototype[BitField(1011):Prototype]:0X000000
0x0SubsectionAddress[BitField(1664):SubsectionAddress]:0X000000
0x0Valid[BitField(01):Valid]:0X000000
[_SUBSECTION_SUBSECTION]@0x000000
OffsetFieldContent

0x0ControlArea<_CONTROL_AREAPointerto[0x00000000]>
0x8SubsectionBase<_MMPTEPointerto[0x00000000]>
0x10NextSubsection<_SUBSECTIONPointerto[0x00000000]>
0x18PtesInSubsection[unsignedlong:PtesInSubsection]:0x00000000
0x20GlobalPerSessionHead<_MM_AVL_TABLEPointerto[0x00000000]>
0x20UnusedPtes[unsignedlong:UnusedPtes]:0x00000000
0x28u[<unnamed7983>u]@0x00000028
0x2cStartingSector[unsignedlong:StartingSector]:0x00000000
0x30NumberOfFullSectors[unsignedlong:NumberOfFullSectors]:0x00000000
SubsectionPTEsareusedtorefertomemorymappingsofafileondisk.Whenafileismappedintomemory(e.g.anexecutablefileorDLL),the
filemaybesharedbymanyprocesses.Undermemorypressure,theWindowsKernelneedstoevictpagesfrommemory,possiblyintothepagefile.
However,itdoesnotreallymakesensetocopymappedexecutablepagesintothepagefile,sincetheyoriginallycamefromafilemapping(e.g.
However,itdoesnotreallymakesensetocopymappedexecutablepagesintothepagefile,sincetheyoriginallycamefromafilemapping(e.g.
fromdiskanyway).Soitmakesmoresensetoreadthefileagainfromdiskifneededinfuture,ratherthanwastepreciouspagefilespaceon
mappedfiles.
Unfortunately,ifwedonothaveaccesstothediskimageanymore,wecannotrecoverthedatainthepageanymore.Wecanhowever,determine
directlywhichfilethepagecamefrombyinspectingthe ControlArea fieldofthe _SUBSECTION (Soforexample
_SUBSECTION.ControlArea.FilePointer.FileName).WecanalsodeterminetheoffsetinthatfilebysubtractingtheprototypePTEfrom
_SUBSECTION.SubsectionBase andaddingthe _SUBSECTION.StartingSector :
[_SUBSECTION_SUBSECTION]@0x000000
OffsetFieldContent

0x0ControlArea<_CONTROL_AREAPointerto[0x00000000]>
0x8SubsectionBase<_MMPTEPointerto[0x00000000]>
0x10NextSubsection<_SUBSECTIONPointerto[0x00000000]>
0x18PtesInSubsection[unsignedlong:PtesInSubsection]:0x00000000
0x20GlobalPerSessionHead<_MM_AVL_TABLEPointerto[0x00000000]>
0x20UnusedPtes[unsignedlong:UnusedPtes]:0x00000000
0x28u[<unnamed7983>u]@0x00000028
0x2cStartingSector[unsignedlong:StartingSector]:0x00000000
0x30NumberOfFullSectors[unsignedlong:NumberOfFullSectors]:0x00000000
[_CONTROL_AREA_CONTROL_AREA]@0x000000
OffsetFieldContent

0x0Segment<_SEGMENTPointerto[0x00000000]>
0x8DereferenceList[_LIST_ENTRYDereferenceList]@0x00000008
0x18NumberOfSectionReferences[unsignedlonglong]:0x00000000
0x20NumberOfPfnReferences[unsignedlonglong]:0x00000000
0x28NumberOfMappedViews[unsignedlonglong]:0x00000000
0x30NumberOfUserReferences[unsignedlonglong]:0x00000000
0x38u[<unnamed5495>u]@0x00000038
0x3cFlushInProgressCount[unsignedlong]:0x00000000
0x40FilePointer[_EX_FAST_REFFilePointer]@0x00000040
0x48ControlAreaLock[long]:0x00000000
0x4cModifiedWriteCount[unsignedlong]:0x00000000
0x4cStartingFrame[unsignedlong]:0x00000000
0x50WaitingForDeletion<_MI_SECTION_CREATION_GATEPointerto[0x00000000]>
0x58u2[<unnamed5507>u2]@0x00000058
0x68LockedPages[longlong]:0x00000000
0x68LockedPages[longlong]:0x00000000
0x70ViewList[_LIST_ENTRYViewList]@0x00000070
[_FILE_OBJECT_FILE_OBJECT]@0x000000
OffsetFieldContent

0x0Type[short]:0x00000000
0x2Size[short]:0x00000000
0x8DeviceObject<_DEVICE_OBJECTPointerto[0x00000000]>
0x10Vpb<_VPBPointerto[0x00000000]>
0x18FsContext<VoidPointerto[0x00000000]>
0x20FsContext2<VoidPointerto[0x00000000]>
0x28SectionObjectPointer<_SECTION_OBJECT_POINTERSPointerto[0x00000000]>
0x30PrivateCacheMap<VoidPointerto[0x00000000]>
0x38FinalStatus[long]:0x00000000
0x40RelatedFileObject<_FILE_OBJECTPointerto[0x00000000]>
0x48LockOperation[unsignedchar]:0x00000000
0x49DeletePending[unsignedchar]:0x00000000
0x4aReadAccess[unsignedchar]:0x00000000
0x4bWriteAccess[unsignedchar]:0x00000000
0x4cDeleteAccess[unsignedchar]:0x00000000
0x4dSharedRead[unsignedchar]:0x00000000
0x4eSharedWrite[unsignedchar]:0x00000000
0x4fSharedDelete[unsignedchar]:0x00000000
0x50Flags[unsignedlong]:0x00000000
0x58FileName[_UNICODE_STRINGFileName]@0x00000058()
0x68CurrentByteOffset[_LARGE_INTEGERCurrentByteOffset]@0x00000068
0x70Waiters[unsignedlong:Waiters]:0x00000000
0x74Busy[unsignedlong:Busy]:0x00000000
0x78LastLock<VoidPointerto[0x00000000]>
0x80Lock[_KEVENTLock]@0x00000080
0x98Event[_KEVENTEvent]@0x00000098
0xb0CompletionContext<_IO_COMPLETION_CONTEXTPointerto[0x00000000]>
0xb8IrpListLock[unsignedlonglong]:0x00000000
0xc0IrpList[_LIST_ENTRYIrpList]@0x000000C0
0xd0FileObjectExtension<VoidPointerto[0x00000000]>
3.2.4.DemandZeroPTE
IfthePTEstargethas(Valid=0,Prototype=0,Transition=0)anditalsohas PageFileHigh =0,thenthispageisademandzeropage.Thepagefault
handlerwillsimplyassignazeropageinresponsetothepagefault.Oftenthispagewillalsohavenonzero Protection bitswhichshouldreflect
theVADsoriginalprotections.
3.3.PTEResolutionAlgorithm
InordertoresolvethePTEwefollowapossiblytwostepalgorithm.FirstresolvetheHardwarePTEtoreceiveaSoftwarePTE,thenresolvethe
softwarePTEifneeded.
Figure3.ResolvingaHardwarePTE
1.IftheValidflagisset,thePTEisvalidandcanberesolvedimmediately.
2.IftheTransitionflagisset,butthePrototypeflagisunset,thePTEisintheTransitionstateandcanalsoberesolvedimmediately.
3.IfthePrototypeflagisset,butthe ProtoAddress fieldisequalto0xFFFFFFFF0000,thisisaVadPTEandwemustconsulttheVADto
recovertheSoftwarePTE.
4.AlternativelyifthePTEhasalltheTransition,PrototypeandValidflagsunset,butthePageFileHighfieldiszero,thisisalsoaVADPTEand
wemustconsulttheVAD.
5.IfthePTEhasalltheTransition,PrototypeandValidflagsunset,butthePageFileHighfieldisnotzero,thisisaPageFilePTEandwecan
recoverthepagefromthepagefile.
6.FinallyifthePrototypebitison,thenthisisaPrototypePTEandwecanreadthe SoftwarePTE fromthe ProtoAddress field.
WhenweobtaintheSoftwarePTEwecandecodeitusingasimilarbutslightlydifferentalgorithm.NotethatPrototypestatesarenotallowedfor
SoftwarePTEs(i.e.youcanthaveasymlinktoasymlinkessentially).
Figure4.ResolvingaSoftwarePTE
1.IfPTEhasValidflagitisavalidPTEandcanberesolvedimmediately.
2.IfPTEhasTransitionflagsetbutPrototypeflagunset,itisaTransitionPTEandcanberesolvedimmediately.
3.IfthePrototypeflagisset,thenthisisaFileMappingPTEwhichpointstoa_SUBSECTIONobject.
4.IfallValid,PrototypeandTransitionflagsareunset,and PageFileHigh isalsozero,thenthisisaDemandZeromapping.ReturnaZeropage.
5.IfallValid,PrototypeandTransitionflagsareunset,but PageFileHigh isnotzero,thenthisisaPageFilePTEandwecanreturnthepage
fromthepagefile.
4.Experiment
Inordertostudytheeffectsofthenewpagetranslationcode,Iwroteasmallprogramwhichallocatesalargememoryblock(using VirtualAlloc ),
fillsthememorywithapatternandthenjustSleeps.AdditionallyImappedafileandalsomappedalargeregionwhichisnevertouched(Demand
Zeroregion):
Irantheprogram( swapper.exe )onasmallWindows7VMwithonly1GBoframallocated.Ialsoenabledafewmorecolumnsin TaskManager to

observememoryusage.Wecanseethattheprogramallocatedover800mb(CommitSize)butonly347Mbiscurrentlyresidentinmemory.
Figure5.Runningaprogramwhichallocatedalotofvirtualmemory.
IthenranWinPmemtoacquirethephysicalmemoryandthepagefile( winpmem1.6.2.exepeswapper.elf ).
Figure6.AcquiringmemorywithWinPmem.
Theadditionalsystemactivitycausedtheworkingsetofthe swapper.exe programtobetrimmeddownto118Mbwithinafewseconds.Thisis

actuallyaproblembecausetheimagerstartswritingtheimagefromphysicaladdress0.Thepagetablesaretypicallyfoundatverylowphysical
addresses.Forexampleinthisimage,the CR3 valueis0x187000(About1.6Mb)intothephysicalimage.
Sinceittakesafinitetimetowritetheimagetodisk,andtheadditionalsystemactivitycausesprocessestobeaggressivelytrimmed,itisverylikely
thatthepagetablesthatarewrittenwithinafractionofasecondfromthestartofacquisitionwouldcontainsPTEreferencestopageswhich,
althoughwerevalidatthestartofacquisition,afewsecondslaterwouldbepagedtodiskandrepurposed.TheoveralleffectactuallycausesRekall
tothinkthatpagescontainvaliddatabutinrealitytheydonot(i.e.adatacorruptionproblem).Moreresearchisrequiredonthemostoptimalorder
ofimageacquisition.
5.Analysis
IloadedthefileintoRekallasnormalandinspectedtheVADregionsofthe swapper.exe processusingthe vad plugin:
swapped.elf17:24:32>vadproc_regex="swapper.exe"
**************************************************
Pid:656swapper.exe
VADlevStartAddrEndAddrcomProtectFilename

0xfa8000ed58a010x000000b100000x000000b2afff21MappedExeEXECUTE_WRITECOPY\Users\mic\Documents\VisualStudio2010\Projects\swapper\Debug\swapper.exe
0xfa8002e5698020x0000000600000x00000015ffff6PrivateREADWRITE
0xfa800277eb7030x0000000400000x000000040fff0MappedExeEXECUTE_WRITECOPY\Windows\System32\apisetschema.dll
0xfa8001b38a4040x0000000200000x00000002ffff0MappedREADWRITEPagefilebackedsection
0xfa800141c3b050x0000000100000x00000001ffff0MappedREADWRITEPagefilebackedsection
0xfa80017f90b050x0000000300000x000000035fff0MappedREADONLYPagefilebackedsection
0xfa8000ff91c040x0000000500000x000000053fff0MappedREADONLYPagefilebackedsection
0xfa8001c0616030x0000001900000x0000001cffff7PrivateREADWRITE
0xfa80025de79040x0000001700000x000000170fff1PrivateREADWRITE
0xfa80019bc30050x0000001600000x000000160fff0MappedREADONLYPagefilebackedsection
0xfa8000d382f050x0000001800000x000000180fff0MappedREADWRITEPagefilebackedsection
0xfa800277eae040x0000002700000x00000032ffff192MappedWRITECOPY\Windows\SysWOW64\enUS\KernelBase.dll.mui
0xfa80027cc09050x0000002600000x00000026ffff8PrivateREADWRITE
0xfa8001a4492060x0000001d00000x000000236fff0MappedREADONLY\Windows\System32\locale.nls
0xfa800261aa3050x0000003a00000x00000041ffff6PrivateREADWRITE
0xfa8000e3121060x0000003300000x00000035ffff0MappedREADONLY\Windows\notepad.exe
0xfa8002a6097060x0000005f00000x0000006effff6PrivateREADWRITE
0xfa800198bc2020x00007efb00000x00007efd2fff0MappedREADONLYPagefilebackedsection
0xfa8002b432b030x0000753400000x000075347fff2MappedExeEXECUTE_WRITECOPY\Windows\System32\wow64cpu.dll
0xfa800110ac1040x0000752700000x0000752cbfff6MappedExeEXECUTE_WRITECOPY\Windows\System32\wow64win.dll
0xfa800108f5f050x0000321d00000x000032b2ffff2400PrivateREADWRITE
0xfa8002bc0ac060x000000b300000x0000321cffff202400PrivateREADWRITE
0xfa800110ab8060x000063f600000x0000640d2fff8MappedExeEXECUTE_WRITECOPY\Windows\SysWOW64\msvcr100d.dll
0xfa8000fb565050x0000752d00000x00007530efff3MappedExeEXECUTE_WRITECOPY\Windows\System32\wow64.dll
0xfa80011a890040x0000775900000x0000776aefff0PrivateExeEXECUTE_READWRITE
0xfa8000f582f050x0000765200000x00007662ffff3MappedExeEXECUTE_WRITECOPY\Windows\SysWOW64\kernel32.dll
0xfa800101f38060x0000775400000x000077586fff3MappedExeEXECUTE_WRITECOPY\Windows\SysWOW64\KernelBase.dll
0xfa80013c083050x0000777b00000x000077958fff12MappedExeEXECUTE_WRITECOPY\Windows\System32\ntdll.dll
0xfa8002edcd3060x0000776b00000x0000777a9fff0PrivateExeEXECUTE_READWRITE
0xfa8002db133060x0000779900000x000077b0ffff9MappedExeEXECUTE_WRITECOPY\Windows\SysWOW64\ntdll.dll
0xfa8000f784e030x00007f0e00000x00007ffdffff0PrivateREADONLY
0xfa8000db6a8040x00007efde0000x00007efdefff1PrivateREADWRITE\Windows\System32\user32.dll
0xfa8000db6a8040x00007efde0000x00007efdefff1PrivateREADWRITE\Windows\System32\user32.dll
0xfa8001034eb050x00007efdb0000x00007efddfff3PrivateREADWRITE
0xfa8000fc165050x00007efdf0000x00007efdffff1PrivateREADWRITEPagefilebackedsection
0xfa80010e4ce060x00007efe00000x00007f0dffff0MappedREADONLYPagefilebackedsection
0xfa80026f82c040x00007ffe00000x00007ffeffff1PrivateREADONLY
0xfa8000dee01050x00007fff00000x07fffffeffff1PrivateREADONLY
Imodifiedtheplugin vtop toperformthefullanalysismentionedinthispaperanddescribeeachintermediatestep.Wecanthereforeuseitto

examinesomeinterestingaddressesinthe swapper.exe addressspace.
Istartedoffexaminingsomeofthepagesallocatedby swapper.exe inthelarge VirtualAlloc region.Thesepagesaremarkedbytheirpage
numbersotheyshouldbeeasytoidentify(Firstwechangetheprocesscontexttothe swapper.exe usingthe cc plugin):
swapped.elf18:20:49>ccproc_regex="swapper.exe"
Switchingtoprocesscontext:swapper.exe(Pid656@0xfa8000fb5060)
swapped.elf18:20:55>vtop0x000000b30000+4*0x1000
Virtual0xb34000PageDirectory0x323ef000
pml4e@0x323ef000=0x940000031ac0867
pdpte@0x31ac0000=0xb0000007f84867
pde@0x7f84028=0xc0000025785847
pte@0x257859a0=0x296a200000080
PTEContains0x296a200000080
PTEType:Pagefile
[_MMPTE_SOFTWARESoft]@0x257859A0
0x00InStore[BitField(2223):InStore]:0x00000000
0x00PageFileHigh[BitField(3264):PageFileHigh]:0x000296A2
0x00PageFileLow[BitField(15):PageFileLow]:0x00000000
0x00Protection[Enumeration:Enumeration]:0x00000004(MM_READWRITE)
0x00Prototype[BitField(1011):Prototype]:0x00000000
0x00Reserved[BitField(2332):Reserved]:0x00000000
0x00Transition[BitField(1112):Transition]:0x00000000
0x00UsedPageTableEntries[BitField(1222):UsedPageTableEntries]:0x00000000
0x00Valid[BitField(01):Valid]:0x00000000
PTEmappedat0x696A2000
PhysicalAddress0x296a2000@Pagefile
Weexaminethe4thallocatedpage.The vtop pluginfindstherelevantPTEandtellsusthatitisasoftwarePTE.Wethereforeknowthatthe

relevantoffsetintothepagefileisfoundinthe PageFileHigh field.Letsseeifthisproducesthecorrectdata:
swapped.elf18:20:55>dump0x000000b30000+4*0x1000
OffsetHexDataComment

0xb3400004000000000000000400000000000000................
0xb3401004000000000000000400000000000000................
0xb3402004000000000000000400000000000000................
0xb3403004000000000000000400000000000000................
0xb3404004000000000000000400000000000000................
0xb3405004000000000000000400000000000000................
0xb3406004000000000000000400000000000000................
Yes!Thepageismarkedwiththeinteger4.
Forthenextexamplewewanttoreadthebinaryitselffor swapper.exe .Thisisaverycommonrequirementwhendumpingmalwarefrommemory.
Weseefromthevadoutputthat swapper.exe ismappedfromaddress0x000001330000:
swapped.elf18:22:01>vtop0x000000b10000
Virtual0xb10000PageDirectory0x323ef000
pml4e@0x323ef000=0x940000031ac0867
pdpte@0x31ac0000=0xb0000007f84867
pde@0x7f84028=0xc0000025785847
pte@0x25785880=0xf8a002bd2ed80400
PTEContains0xf8a002bd2ed80400
PTEType:Prototype
[_MMPTE_PROTOTYPEProto]@0x25785880
0x00Protection[Enumeration:Enumeration]:0x00000000(MM_ZERO_ACCESS)
0x00ProtoAddress[BitField(1664):ProtoAddress]:0xF8A002BD2ED8
0x00ReadOnly[BitField(89):ReadOnly]:0x00000000
0x00Unused0[BitField(18):Unused0]:0x00000000
PrototypePTEbackedbyfile.
[_MMPTE_SUBSECTIONSubsect]@0xF8A002BD2ED8
0x00Protection[Enumeration:Enumeration]:0x00000001(MM_READONLY)
0x00SubsectionAddress[BitField(1664):SubsectionAddress]:0xFA8001A17A70
Filename:\Users\mic\Documents\VisualStudio2010\Projects\swapper\Debug\swapper.exe
FileOffset:0(0x0)
InvalidPTE
PhysicalAddressInvalid
ThisisaPrototypePTEwhichpointstoaSubsectionPTE,backedbyafile.Wecantellthenameofthefileandthe _FILE_OBJECT responsiblefor

it,butalasthispageisnotfoundinthepagefilenorinmemory.Wewouldhavetoretrieveitfromthefilesystem.
Forthenextexamplewetrytodumpthefirstpageofthemapped ntdll.dll .ThisDLLismappedintoeveryprocesssoitisanexampleofshared
memory.TheVADtellsusthatitismappedat0x0000777b0000forthisprocess:
swapped.elf18:22:06>vtop0x0000777b0000
Virtual0x777b0000PageDirectory0x323ef000
pml4e@0x323ef000=0x940000031ac0867
pdpte@0x31ac0008=0x8000002a801867
pde@0x2a801dd8=0x10a000002f996847
pte@0x2f996d80=0xf8a0003850580400
PTEContains0xf8a0003850580400
PTEType:Prototype
[_MMPTE_PROTOTYPEProto]@0x2F996D80
0x00ProtoAddress[BitField(1664):ProtoAddress]:0xF8A000385058
PTEContains0x800000002318e121
PTEType:Valid
[_MMPTE_HARDWAREHard]@0xF8A000385058
0x00Accessed[BitField(56):Accessed]:0x00000001
0x00CacheDisable[BitField(45):CacheDisable]:0x00000000
0x00CopyOnWrite[BitField(910):CopyOnWrite]:0x00000000
0x00Dirty[BitField(67):Dirty]:0x00000000
0x00Dirty1[BitField(12):Dirty1]:0x00000000
0x00Global[BitField(89):Global]:0x00000001
0x00LargePage[BitField(78):LargePage]:0x00000000
0x00NoExecute[BitField(6364):NoExecute]:0x00000001
0x00Owner[BitField(23):Owner]:0x00000000
0x00PageFrameNumber[BitField(1248):PageFrameNumber]:0x0002318E
0x00SoftwareWsIndex[BitField(5263):SoftwareWsIndex]:0x00000000
0x00Unused[BitField(1011):Unused]:0x00000000
0x00Write[BitField(1112):Write]:0x00000000
0x00WriteThrough[BitField(34):WriteThrough]:0x00000000
0x00reserved1[BitField(4852):reserved1]:0x00000000
PTEmappedat0x2318E000
PhysicalAddress0x2318e000
WeseethatthePTEisaPrototypePTEpointingtoavalidpage.WecandumpitouttoseethefamiliarMZheader(Notethatwithoutinterpreting
thePrototypePTEwewouldnotbeabletoreadthispageatalleventhoughitisstillValidandpresentinthememoryimage!):
swapped.elf20:50:35>dump0x0000777b0000

0x777b00004d5a90000300000004000000ffff0000MZ..............
0x777b0010b8000000000000004000000000000000........@.......
0x777b002000000000000000000000000000000000................
0x777b0030000000000000000000000000e0000000................
0x777b00400e1fba0e00b409cd21b8014ccd215468........!..L.!Th
0x777b005069732070726f6772616d2063616e6e6fis.program.canno
0x777b0060742062652072756e20696e20444f5320t.be.run.in.DOS.
0x777b00706d6f64652e0d0d0a2400000000000000mode....$.......
Thenextexamplewetrytoreadfrom locale.nls whichismappedfrom0x0000001d0000:
swapped.elf18:24:07>vtop0x0000001d0000
Virtual0x1d0000PageDirectory0x323ef000
pml4e@0x323ef000=0x940000031ac0867
pdpte@0x31ac0000=0xb0000007f84867
pde@0x7f84000=0x1580000030908847
pte@0x30908e80=0xffffffff00000420
PTEContains0xffffffff00000420
PTEType:Vad
[_MMPTE_PROTOTYPEProto]@0x30908E80
0x00ProtoAddress[BitField(1664):ProtoAddress]:0xFFFFFFFF0000
PrototypePTEisfoundinVAD
**************************************************
Pid:656swapper.exe
VADlevStartAddrEndAddrcomProtectFilename

0xfa8001a4492060x0000001d00000x000000236fff0MappedREADONLY\Windows\System32\locale.nls
_MMVAD.FirstPrototypePte:0xf8a005027cc0
PTEisat0xf8a005027cc0
PTEContains0x4d91921
PTEType:Valid
[_MMPTE_HARDWAREHard]@0xF8A005027CC0
0x00Accessed[BitField(56):Accessed]:0x00000001
0x00CacheDisable[BitField(45):CacheDisable]:0x00000000
0x00CopyOnWrite[BitField(910):CopyOnWrite]:0x00000000
0x00Dirty[BitField(67):Dirty]:0x00000000
0x00Dirty1[BitField(12):Dirty1]:0x00000000
0x00Global[BitField(89):Global]:0x00000001
0x00LargePage[BitField(78):LargePage]:0x00000000
0x00NoExecute[BitField(6364):NoExecute]:0x00000000
0x00Owner[BitField(23):Owner]:0x00000000
0x00PageFrameNumber[BitField(1248):PageFrameNumber]:0x00004D91
0x00SoftwareWsIndex[BitField(5263):SoftwareWsIndex]:0x00000000
0x00Unused[BitField(1011):Unused]:0x00000000
0x00Write[BitField(1112):Write]:0x00000001
0x00WriteThrough[BitField(34):WriteThrough]:0x00000000
0x00reserved1[BitField(4852):reserved1]:0x00000000
PTEmappedat0x04D91000
PhysicalAddress0x4d91000
Inthisspecialcase,weseethatthePrototypePTEhasa ProtoAddress fieldof0XFFFFFFFF0000themagicsignaturefortheVADPrototype

PTE.RekallthereforemustsearchforthecontainingVADregionforthevirtualaddress0x000000110000.Theoutputofthe vad pluginisshown
next,andtherelevant _MMVAD addressisshownat0xfa8001a44920.InthiscaseweneedtoreadthefirstPTE,whichisfoundtobevalid.Hence
wecanreadthispagedirectlyfromthememoryimage:
swapped.elf18:24:21>dump0x0000001d0000

0x1d000020000000000000000000000000000000................
0x1d0010b029000098cd0400f8cb0500502e0600.)..........P...
0x1d00208a296803000000000000200200000000.)h.............
0x1d003068020900080028020800080028020900h.....(.....(...
0x1d0040080028020a0008002002080000002002..(.............
0x1d00500900000048020a00480010020b004800....H...H.....H.
0x1d006010020b00480410020500480010020500....H.....H.....
0x1d0070480410020b0040041002040048001002H.....@.....H...
0x1d008007004800100204004004100207004804..H.....@.....H.
Ithenusedahexeditortoconfirmthatthisdataisindeedthesameasinthe locale.nls file.

Itsactuallykindoffuntolookattheoutputofthe vad pluginandcallthe vtop plugininrandomaddressestoseehowtheyaremapped.Ithought
itwouldbeusefultoseehowtheentireregionismapped.Iwrotethe vadmap pluginwhichoutputsamapofalladdressesinthevadofaprocess
andhowtheyaremapped.NotethatvadmapresolvesthePrototypePTEstransparently,soifthereisaPrototypePTEthatpointstoaValidPTE,
vadmapwillsayitisValid.
swapped.elf18:25:32>vadmapproc_regex="swapper.exe"
**************************************************
Pid:656swapper.exe
VirtAddrLengthTypeComments

DEBUG:root:Switchingtoprocesscontext:swapper.exe(Pid656@0xfa8000fb5060)
0x0000000100000x1000Transition
0x0000000110000xf000DemandZero
0x0000000200000x10000Transition
0x0000000300000x6000Pagefilenumber:0
0x0000000400000x1000Valid
0x0000000500000x2000Valid
0x0000000600000xfb000DemandZero
0x00000015b0000x5000Valid
0x0000001900000x3c000DemandZero
0x0000001cc0000x1000Pagefilenumber:0
0x0000001cd0000xb000Valid
0x0000001d80000x8000FileMappingfilename:\Windows\System32\locale.nls
0x0000001e00000x8000Valid
0x0000001e80000x6000FileMappingfilename:\Windows\System32\locale.nls
0x0000001ee0000x9000Valid
0x0000001f70000x25000FileMappingfilename:\Windows\System32\locale.nls
0x00000021c0000x8000Valid
0x0000002240000x8000FileMappingfilename:\Windows\System32\locale.nls
0x00000022c0000x8000Valid
0x0000002340000x3000FileMappingfilename:\Windows\System32\locale.nls
0x0000002600000x1000Valid
0x0000002650000x1000Valid
0x0000002680000x8000DemandZero
0x0000002700000xc0000FileMappingfilename:\Windows\SysWOW64\enUS\KernelBase.dll.mui
0x0000003300000x30000FileMappingfilename:\Windows\notepad.exe
0x0000003a00000x6000Pagefilenumber:0
0x0000003a60000x7a000DemandZero
0x0000005f00000x1000Pagefilenumber:0
0x0000005f10000x1000Valid
0x0000005f30000x1000Valid
0x0000005f60000xfa000DemandZero
0x000000b100000x1000FileMappingfilename:\Users\mic\Documents\VisualStudio2010\Projects\swapper\Debug\swapper.exe
0x000000b110000x10000DemandZero
0x000000b210000x1000Valid
0x000000b230000x1000Valid
0x000000b250000x1000Valid
0x000000b270000x1000Pagefilenumber:0
0x000000b280000x1000Valid
0x000000b300000xd0000Pagefilenumber:0
0x000000c000000x400000DemandZero
0x0000018000000x200000DemandZero
.....
0x000031c3e0000x592000Valid
0x0000321d00000x1000Pagefilenumber:0
0x0000321d10000x95f000DemandZero
0x000063f600000x1000FileMappingfilename:\Windows\SysWOW64\msvcr100d.dll
0x000063f610000x1000Valid
0x000063f620000x15000FileMappingfilename:\Windows\SysWOW64\msvcr100d.dll
Wecanseesomeinterestingpoints:
1.Theexecutable swapper.exe ismappedfrom0x000000b10000,butsomepagesaremarkedasfilemappings,someasdemandpaging(for
thespacesbetweenthePEsections),whilesomearevalid(i.e.containcodeloadedintomemory).WecanseethatifwedumptheVAD
regionwewillonlybeabletorecoversomeofthepages.
2.Wealsoseethatsignificantnumberofpagesexistinthepagefile.Notethat vadmap canidentifypagesinthepagefile,regardlessifwe
actuallyhavethepagefile.Thiscansometimesbeusefulinordertoassesshowimportantitistoacquirethepagefileaswell.
3.Theentireregionmappedfor notepad.exe containssubsectionPTEsnoneofthedatawaseverreadhencenopageswerereadfromthe
file.
4.Thesecondallocatedregion(UsingVirtualAllocataddress0x0000321d0000)wasonlyreadonceatoffset0,buttherestoftheregionwas
nevertouched.Thiscausesthefirstpagetobebackedbymemory,andsubsequentlyendupinthepagefile.Therestoftheregionremainsat
DemandZerostatebecausewenevertouchedit.
6.Conclusions
AlloftheexamplesshownyieldinvalidpagesinpreviousversionsofRekall.Howevernow,afterproperlyinterpretingthevariousPTEsina
windowsspecificway,Rekallisabletorecoverusefuldatainallthesecases.Itisquiteinterestinghowmuchdatawehavebeenmissinginthe
past.Evenwithoutusingthepagefile,westillmissedalotofdatabecausewedidnotproperlysupportPrototypePTEs,andVADPTEs.These
couldoftenpointatasoftwarePTEwhichmightstillcontaindatainsidethememoryimageitself.
Howimportantthisdataisdependsreallyonhowyouusememoryanalysisifyoujustwanttoanalyzemalwareinacontrolledenvironment(e.g.
asinCuckoobox(http://www.cuckoosandbox.org/))itisprobablypossibletocreatefavorableconditionse.g.addlotsofmemorysotheOSdoes
notswap.
Inanincidentresponsesituation,however,onehasmuchlesscontrolovertheenvironment.Oftenrespondersarefacedwithbusysystems,with
potentiallysignificantmemorypressures,causingalotoflessfrequentlyuseddatatobepagedtodisk.Inthiscaseweneedtomakeasmuchas
wecanfromthedatawedohave,orasJesseKornblumsaid"UseEveryPartoftheBuffalo".
Wearecurrentlyworkingonfurthertestingandimplementingpagefilesupportforotheroperatingsystems(e.g.LinuxandOSX).Althoughthis
featureisreallynewandnotwelltestedyet,Iwantedtowriteaboutitheresopeopleknowwhatweareworkingonforthenextreleaseandhavea
chancetotryitout.PleasefeelfreetotestandcontributetoRekall,andfileissuesongithubifyoufindanybugs.
2015GoogleInc.RekallislicensedundertheTheGPLLicense.PmemislicensedundertheApachelicense. Backtotop

Rekall Memory Forensic Framework

Caricato da

Informazioni sul documento

Copyright

Formati disponibili

Condividi questo documento

Condividi o incorpora il documento

Opzioni di condivisione

Hai trovato utile questo documento?

Questo contenuto è inappropriato?

Copyright:

Formati disponibili

Rekall Memory Forensic Framework

Caricato da

Copyright:

Formati disponibili

2017621 RekallMemoryForensicFramework

ThepreviousRekallimplementationusesthe AMD64PagedMemory addressspaceforalloperatingsystems,butobviouslyweneedtotreatthe

The ProtoAddress fieldcontainstheaddresstotheprototypePTE(whichisallocatedfromsystempool).ThetargetofthePrototypePTEiswhatI

TheSoftwarePTEreferstoapagedoutpage.The PageFileHigh memberistheframenumberinthepagefile(i.e.itmustbemultipliesby0x1000

Irantheprogram( swapper.exe )onasmallWindows7VMwithonly1GBoframallocated.Ialsoenabledafewmorecolumnsin TaskManager to

Theadditionalsystemactivitycausedtheworkingsetofthe swapper.exe programtobetrimmeddownto118Mbwithinafewseconds.Thisis

Imodifiedtheplugin vtop toperformthefullanalysismentionedinthispaperanddescribeeachintermediatestep.Wecanthereforeuseitto

Weexaminethe4thallocatedpage.The vtop pluginfindstherelevantPTEandtellsusthatitisasoftwarePTE.Wethereforeknowthatthe

ThisisaPrototypePTEwhichpointstoaSubsectionPTE,backedbyafile.Wecantellthenameofthefileandthe _FILE_OBJECT responsiblefor

Thenextexamplewetrytoreadfrom locale.nls whichismappedfrom0x0000001d0000:

Inthisspecialcase,weseethatthePrototypePTEhasa ProtoAddress fieldof0XFFFFFFFF0000themagicsignaturefortheVADPrototype

Ithenusedahexeditortoconfirmthatthisdataisindeedthesameasinthe locale.nls file.

Potrebbero piacerti anche