000131578 001__ 131578
000131578 005__ 20241125101137.0
000131578 0247_ $$2doi$$a10.1016/j.fsidi.2023.301505
000131578 0248_ $$2sideral$$a136962
000131578 037__ $$aART-2023-136962
000131578 041__ $$aeng
000131578 100__ $$aFernández-Álvarez, Pedro
000131578 245__ $$aModule extraction and DLL hijacking detection via single or multiple memory dumps
000131578 260__ $$c2023
000131578 5060_ $$aAccess copy available to the general public$$fUnrestricted
000131578 5203_ $$aA memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process maps into its address space only the functionalities it needs, not the entire shared object file. As a result, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain only the partial content of a shared object file instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we call these intradump and interdump extraction, respectively). We also show how the developed tools are useful for detecting dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows in which attackers trick processes into loading a malicious DLL instead of the benign one.
000131578 536__ $$9info:eu-repo/grantAgreement/ES/DGA/T21-20R-DISCO$$9info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
000131578 540__ $$9info:eu-repo/semantics/openAccess$$aby-nc-nd$$uhttp://creativecommons.org/licenses/by-nc-nd/3.0/es/
000131578 590__ $$a2.0$$b2023
000131578 592__ $$a0.808$$b2023
000131578 591__ $$aCOMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS$$b106 / 170 = 0.624$$c2023$$dQ3$$eT2
000131578 593__ $$aLaw$$c2023$$dQ1
000131578 591__ $$aCOMPUTER SCIENCE, INFORMATION SYSTEMS$$b152 / 250 = 0.608$$c2023$$dQ3$$eT2
000131578 593__ $$aMedical Laboratory Technology$$c2023$$dQ1
000131578 593__ $$aPathology and Forensic Medicine$$c2023$$dQ1
000131578 593__ $$aInformation Systems$$c2023$$dQ2
000131578 593__ $$aComputer Science Applications$$c2023$$dQ2
000131578 594__ $$a5.9$$b2023
000131578 655_4 $$ainfo:eu-repo/semantics/article$$vinfo:eu-repo/semantics/publishedVersion
000131578 700__ $$0(orcid)0000-0001-7982-0359$$aRodríguez, Ricardo J.$$uUniversidad de Zaragoza
000131578 7102_ $$15007$$2570$$aUniversidad de Zaragoza$$bDpto. Informát.Ingenie.Sistms.$$cÁrea Lenguajes y Sistemas Inf.
000131578 773__ $$g44 Supplement (2023), 301505 [8 pp.]$$pForensic sci. int. digital invest.$$tForensic science international. Digital investigation$$x2666-2825
000131578 8564_ $$s955852$$uhttps://zaguan.unizar.es/record/131578/files/texto_completo.pdf$$yVersión publicada
000131578 8564_ $$s2851787$$uhttps://zaguan.unizar.es/record/131578/files/texto_completo.jpg?subformat=icon$$xicon$$yVersión publicada
000131578 909CO $$ooai:zaguan.unizar.es:131578$$particulos$$pdriver
000131578 951__ $$a2024-11-22-12:01:29
000131578 980__ $$aARTICLE