Module extraction and DLL hijacking detection via single or multiple memory dumps
Fernández-Álvarez, Pedro ; Rodríguez, Ricardo J. (Universidad de Zaragoza)
Resumen: A memory dump contains the current state of a system's physical memory at the time of its acquisition. Among other things, it contains the processes that were running at the time of acquisition. These processes can share certain functionalities provided by shared object files, which are internally represented by modules in Windows. However, each process only maps in its address space the functionalities it needs, and not the entire shared object file. In this way, the current tools for extracting modules from existing processes in a memory dump from a Windows system obtain the partial content of a shared object file instead of the entire file. In this paper we present two tools, dubbed Modex and Intermodex, which are built on top of the Volatility 3 framework. These tools allow a forensic analyst to extract a 64-bit module from one or more Windows memory dumps as completely as possible. To achieve this, they aggregate the contents of the same module loaded by multiple processes that were running in the same memory dump or in different dumps (we called it intradump and interdump, respectively). Additionally, we also show how our developed tools are useful to detect dynamic-link library (DLL) hijacking attacks, a widely used attack on Windows where attackers trick processes into loading a malicious DLL instead of the benign one.
Idioma: Inglés
DOI: 10.1016/j.fsidi.2023.301505
Año: 2023
Publicado en: Forensic science international. Digital investigation 44 Supplement (2023), 301505 [8 pp.]
ISSN: 2666-2825
Factor impacto JCR: 2.0 (2023)
Categ. JCR: COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS rank: 106 / 170 = 0.624 (2023) - Q3 - T2
Categ. JCR: COMPUTER SCIENCE, INFORMATION SYSTEMS rank: 152 / 250 = 0.608 (2023) - Q3 - T2
Factor impacto CITESCORE: 5.9 - Pathology and Forensic Medicine (Q1) - Law (Q1) - Medical Laboratory Technology (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)
Factor impacto SCIMAGO: 0.808 - Law (Q1) - Medical Laboratory Technology (Q1) - Pathology and Forensic Medicine (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-20R-DISCO
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Tipo y forma: Article (Published version)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
Exportado de SIDERAL (2024-11-22-12:01:29)
Visitas y descargas
Idioma: Inglés
DOI: 10.1016/j.fsidi.2023.301505
Año: 2023
Publicado en: Forensic science international. Digital investigation 44 Supplement (2023), 301505 [8 pp.]
ISSN: 2666-2825
Factor impacto JCR: 2.0 (2023)
Categ. JCR: COMPUTER SCIENCE, INTERDISCIPLINARY APPLICATIONS rank: 106 / 170 = 0.624 (2023) - Q3 - T2
Categ. JCR: COMPUTER SCIENCE, INFORMATION SYSTEMS rank: 152 / 250 = 0.608 (2023) - Q3 - T2
Factor impacto CITESCORE: 5.9 - Pathology and Forensic Medicine (Q1) - Law (Q1) - Medical Laboratory Technology (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)
Factor impacto SCIMAGO: 0.808 - Law (Q1) - Medical Laboratory Technology (Q1) - Pathology and Forensic Medicine (Q1) - Information Systems (Q2) - Computer Science Applications (Q2)
Financiación: info:eu-repo/grantAgreement/ES/DGA/T21-20R-DISCO
Financiación: info:eu-repo/grantAgreement/EUR/MICINN/TED2021-131115A-I00
Tipo y forma: Article (Published version)
Área (Departamento): Área Lenguajes y Sistemas Inf. (Dpto. Informát.Ingenie.Sistms.)
Exportado de SIDERAL (2024-11-22-12:01:29)
Permalink:
Visitas y descargas
Este artículo se encuentra en las siguientes colecciones:
articulos > articulos-por-area > lenguajes_y_sistemas_informaticos
Notice créée le 2024-02-12, modifiée le 2024-11-25