Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: | Harbin University of Science and Technology Publications, 2021-10-01 |
| Series: | Journal of Harbin University of Science and Technology |
| Subjects: | |
| Online Access: | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2015 |
| Tags: | |
| Summary: | To solve the omission in the stack forensics built without stack frame pointers and debugging symbols, and the misstatement in the stack forensics built without meta data, by the existing tools for dump files containing malicious processes in a 64-bit Windows environment, a method to trace stacks from memory dumps is proposed. This method retrieves the user context of the target process from the memory dump, determines the starting point of the stack tracing, and then expands the stack based on meta data for exception handling. If meta data is not available, it generates equivalent data by using validation based on instruction flow. A corresponding plug-in was implemented based on the Volatility framework. Experiments show that this method can obtain a more complete stack trace using meta data without stack frame pointers and debugging symbols, and that instruction flow-based validation can greatly improve the precision of forensics without meta data. |
| ISSN: | 1007-2683 |