Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows
To solve the omission in the stack forensics built without slack frame pointers and debugging symbols and the misstatement in the stack forensics built without meta data by the existing tools for dump files containing malicious processes in 64-bit Windows environment, a method to ll-ace stacks from...
Saved in:
| Main Authors: | , , , |
|---|---|
| Format: | Article |
| Language: | zho |
| Published: |
Harbin University of Science and Technology Publications
2021-10-01
|
| Series: | Journal of Harbin University of Science and Technology |
| Subjects: | |
| Online Access: | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2015 |
| Tags: |
Add Tag
No Tags, Be the first to tag this record!
|
| _version_ | 1850053857725382656 |
|---|---|
| author | ZHAI Ji-qiang XU Xiao CHEN Pan YANG Hai-Lu |
| author_facet | ZHAI Ji-qiang XU Xiao CHEN Pan YANG Hai-Lu |
| author_sort | ZHAI Ji-qiang |
| collection | DOAJ |
| description | To solve the omission in the stack forensics built without slack frame pointers and debugging symbols and the misstatement in the stack forensics built without meta data by the existing tools for dump files containing malicious processes in 64-bit Windows environment, a method to ll-ace stacks from memory dumps is proposed. This method retrieves the user context of the target process from the mem01-y dump, determines the starting point of the stack tracing and then expands the stack based on meta data for exception handling. If meta data is not available, it will generate equivalent data by using validation based on inslluction flow. A c01Tesponding plug-in was implemented based on the Volatility framework. Experiments show that this method can obtain more complete stack trace using meta data without stack frame pointers and debugging symbols, and instruction flow-based validation can greatly improve the precision of forensics without meta data. |
| format | Article |
| id | doaj-art-992e376abe0e45db84e3af1e359bbcfd |
| institution | DOAJ |
| issn | 1007-2683 |
| language | zho |
| publishDate | 2021-10-01 |
| publisher | Harbin University of Science and Technology Publications |
| record_format | Article |
| series | Journal of Harbin University of Science and Technology |
| spelling | doaj-art-992e376abe0e45db84e3af1e359bbcfd2025-08-20T02:52:26ZzhoHarbin University of Science and Technology PublicationsJournal of Harbin University of Science and Technology1007-26832021-10-012605515910.15938/j.jhust.2021.05.007Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows ZHAI Ji-qiang0XU Xiao1CHEN Pan2YANG Hai-Lu3School of Computer Science and Technology, Hm·bin University of Science 出1d Technology, Harbin 150080, ChinaSchool of Computer Science and Technology, Hm·bin University of Science 出1d Technology, Harbin 150080, ChinaSchool of Computer Science and Technology, Hm·bin University of Science 出1d Technology, Harbin 150080, ChinaSchool of Computer Science and Technology, Hm·bin University of Science 出1d Technology, Harbin 150080, ChinaTo solve the omission in the stack forensics built without slack frame pointers and debugging symbols and the misstatement in the stack forensics built without meta data by the existing tools for dump files containing malicious processes in 64-bit Windows environment, a method to ll-ace stacks from memory dumps is proposed. This method retrieves the user context of the target process from the mem01-y dump, determines the starting point of the stack tracing and then expands the stack based on meta data for exception handling. If meta data is not available, it will generate equivalent data by using validation based on inslluction flow. A c01Tesponding plug-in was implemented based on the Volatility framework. Experiments show that this method can obtain more complete stack trace using meta data without stack frame pointers and debugging symbols, and instruction flow-based validation can greatly improve the precision of forensics without meta data. https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2015memory forensicswindows stackmeta datainstruction flowreturn addresses |
| spellingShingle | ZHAI Ji-qiang XU Xiao CHEN Pan YANG Hai-Lu Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows Journal of Harbin University of Science and Technology memory forensics windows stack meta data instruction flow return addresses |
| title | Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows |
| title_full | Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows |
| title_fullStr | Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows |
| title_full_unstemmed | Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows |
| title_short | Stack Forensics Based on Meta Data and Instruction Flow of 64-bit Windows |
| title_sort | stack forensics based on meta data and instruction flow of 64 bit windows |
| topic | memory forensics windows stack meta data instruction flow return addresses |
| url | https://hlgxb.hrbust.edu.cn/#/digest?ArticleID=2015 |
| work_keys_str_mv | AT zhaijiqiang stackforensicsbasedonmetadataandinstructionflowof64bitwindows AT xuxiao stackforensicsbasedonmetadataandinstructionflowof64bitwindows AT chenpan stackforensicsbasedonmetadataandinstructionflowof64bitwindows AT yanghailu stackforensicsbasedonmetadataandinstructionflowof64bitwindows |