Hi list,
I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64
as an example.
My question is this: is there any way to link a _FILE_OBJECT back to the process that
generated it, without a valid handle, or an entry in the VAD tree.
This article discusses it:
http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processe… -
however, this approach only works if there is a valid handle for the open file.
Here's an example:
I open notepad, and open a simple text file that contains "This is the contents of
the file". Performing a scan over the memory dump reveals this data in two
locations:
1 - 0x1448f000 - This is the contents of the file found through the
_FILE_OBJECT->SectionObjectPointers->DataSectionObject. This points to a control
area, and through that I can locate the Subsection-BasePTE which shows that the page is in
transition and has a PFN of 0x1448f. So this allows me to find the data through the
_FILE_OBJECT.
2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is
where the data has been mapped into.
So examining the two pages through WinDbg gives me this information:

lkd> !pfn 1448f
    PFN 0001448F at address FFFFFA80003CDAD0
    flink       00015B8F  blink / share count 00013ED5  pteaddress FFFFF8A0008AD010
    reference count 0000    used entry count  0000      Cached   color 0   Priority 5
    restore pte FA800325553004C0  containing page 00ABBA  Standby   P  Shared

lkd> !pte FFFFF8A0008AD010 1
                                           VA fffff8a0008ad010
PXE at FFFFF8A0008AD010    PPE at FFFFF8A0008AD010    PDE at FFFFF8A0008AD010    PTE at FFFFF8A0008AD010
contains 000000001448F8C0
not valid
                       Transition: 1448f
                       Protect: 6 - ReadWriteExecute
As can be seen, the page containing the original data is shared, is on the standby list,
and points to a prototype PTE.
lkd> !pfn 39d33
    PFN 00039D33 at address FFFFFA8000AD7990
    flink       00039D88  blink / share count 00039D1E  pteaddress FFFFF6800001CAC8
    reference count 0000    used entry count  0000      Cached   color 0   Priority 3
    restore pte 1635500000080  containing page 0274B8  Standby

lkd> !pte FFFFF6800001CAC8 1
                                           VA fffff6800001cac8
PXE at FFFFF6800001CAC8    PPE at FFFFF6800001CAC8    PDE at FFFFF6800001CAC8    PTE at FFFFF6800001CAC8
contains 0000000000000000
not valid
The PTE within Notepad's heap is marked as not valid, but also shows that the page is
on the standby list.
As the page located through the FILE_OBJECT is marked as shared, and points to a prototype
PTE, is there any way of locating this prototype PTE, and using it to track back to
Notepad? So for instance, would it be possible to locate the PPTE by searching memory for
the 'MmSt' tag, and then parse the PPTE to gain any information? Or does the PPTE
not track backwards in that way?
Essentially, if the page containing the data found through the _FILE_OBJECT is shared,
what is it shared with, and is it possible to track this information, using either the PFN
database, prototype PTE entries, or something else I haven't thought of.
Any input or advice would be appreciated.
Thanks
Josh.
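As an added illustration (not part of the post above), a small decoder for the raw PTE values shown in the WinDbg output, so the "contains ..." fields and the PFN "restore pte" can be read without the debugger. It assumes the Windows 7 x64 software-PTE field layout given in the comments (transition bit 11, prototype bit 10, protection in bits 5-9, PFN in bits 12-47, and a sign-extended 48-bit pointer in bits 16-63 for prototype/subsection pointers); that layout is an assumption of this example, not something the post states.

```python
import re

# x64 software PTE field layout assumed here (Windows 7 x64; an assumption,
# not something the post states):
#   bit 0       Valid (hardware PTE)
#   bits 5-9    Protection           (transition / plain software PTEs)
#   bit 10      Prototype
#   bit 11      Transition
#   bits 12-47  PFN                  (transition PTE)
#   bits 16-63  48-bit pointer, sign-extended (Prototype set, Transition clear:
#               a prototype-PTE pointer in a process PTE, or a subsection
#               pointer in a PFN entry's "restore pte"/OriginalPte)
#   bits 32-63  PageFileHigh         (plain software PTE)

PROTECT_NAMES = {0: "NoAccess", 1: "ReadOnly", 2: "Execute", 3: "ExecuteRead",
                 4: "ReadWrite", 5: "WriteCopy", 6: "ReadWriteExecute",
                 7: "ExecuteWriteCopy"}  # WinDbg-style names for the low 3 bits

def sign_extend48(value):
    """Sign-extend a 48-bit canonical address to an unsigned 64-bit value."""
    value &= (1 << 48) - 1
    if value & (1 << 47):
        value -= 1 << 48
    return value & ((1 << 64) - 1)

def decode_pte(pte):
    """Describe the state a raw x64 PTE value encodes (see layout above)."""
    pte &= (1 << 64) - 1
    if pte == 0:
        return {"state": "zero"}                    # demand-zero / never touched
    if pte & 1:
        return {"state": "valid", "pfn": (pte >> 12) & ((1 << 40) - 1)}
    protect = (pte >> 5) & 0x1F
    prototype = bool(pte & (1 << 10))
    transition = bool(pte & (1 << 11))
    if transition and not prototype:
        return {"state": "transition", "pfn": (pte >> 12) & ((1 << 36) - 1),
                "protect": protect, "protect_name": PROTECT_NAMES[protect & 7]}
    if prototype:
        return {"state": "pointer", "address": sign_extend48(pte >> 16)}
    return {"state": "software", "protect": protect,
            "protect_name": PROTECT_NAMES[protect & 7], "pagefile_high": pte >> 32}

def decode_contains(line):
    """Pull the value after 'contains' out of a !pte output line and decode it."""
    match = re.search(r"contains\s+([0-9A-Fa-f]{16})", line)
    if not match:
        raise ValueError("no 'contains <pte>' field in: %r" % line)
    return decode_pte(int(match.group(1), 16))

if __name__ == "__main__":
    # Lines constructed from the debugger output quoted in the post.
    for line in ("PTE at FFFFF8A0008AD010contains 000000001448F8C0not valid",
                 "PTE at FFFFF6800001CAC8contains 0000000000000000not valid"):
        print(decode_contains(line))
    print(decode_pte(0xFA800325553004C0))   # first page's "restore pte" field
```

For the first page this reproduces WinDbg's "Transition: 1448f / Protect: 6 - ReadWriteExecute", and the restore pte decodes to a pointer into the FFFFFA80... pool range, consistent with it referring to the section's subsection rather than to any process.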