Hi developers and enthusiasts,
A while ago I introduced myself here, as I am doing a study into user
space memory forensics.
My goal is to develop a general method to extract information from
user space, from any process. The past few months I have worked on
some proof of concepts, and some basic experimentation. This has all
been fairly easy, but I want to do something more complex. Today I am
mailing you to ask for some ideas and suggestions.
To give you an idea of what I have done so far (and the level I'm
working on), here's a short list:
- Extract register contents from the process kernel stack
- Determine the exact locations of stack frames
- Make a list of all process threads and access their stacks
- Walk a list of pointers and do heuristic search on small structs,
such as common networking structs
(NOTE: All using a linux dump)
All of this worked fairly well, and it was fun, but not exactly
groundbreaking. I thought it would be best to ask the advice from
professionals before I continue.
The direction I would like to take is doing something more foolproof
than a heuristic search, I would rather derive the location of
structures using information in memory.
One idea I had was to identify the whole stack trace (i.e. including
function names) and use this to find struct locations. Since there is
always the issue of missing symbols, I would somehow have to
reintroduce these, and also figure out how dynamic symbols work. I am
especially interested in common libraries with this approach, since
something I can apply to libraries, I can apply to many processes.
Another idea I had would be to use the source/headers of the
application, maybe similar to the way volatility uses the symbols for
the kernel.
Now I don't really have a question about this, I am just looking for
ideas. Please tell me if you think my ideas are good, or bad. If you
read this and wonder why I don't do X instead of Y, please ask me.
Feel free to mention any problems you see coming. I am really looking
for a discussion here. The only requirements I have at this moment are
that it stays roughly the same topic and it is academically relevant.
That last part also means that if you know about somebody doing
exactly this, do let me know, so I can do something else.
If you know of any technical documentation or scientific research in
the area, I'm also interested in that. The most relevant paper (in the
whole topic of user space memory forensics) I have read so far is
"Digging for Data Structures", Cozzie et al (thanks emdel for showing
me that one).
I permanently reside on IRC, Freenode/#volatility, if anyone cares to
chat some more about the topic.
Cheers,
Edwin
_______________________________________________
Vol-dev mailing list
Vol-dev@volatilityfoundation.org
http://lists.volatilityfoundation.org/mailman/listinfo/vol-dev