Hi list,

I'm currently doing some memory analysis, and I'm using Notepad on Windows 7 x64 as an example.

My question is this: is there any way to link a _FILE_OBJECT back to the process that generated it, without a valid handle or an entry in the VAD tree?

This article discusses it: http://computer.forensikblog.de/en/2009/04/linking-file-objects-to-processes.html - however, this approach only works if there is a valid handle for the open file.

Here's an example:

I open notepad, and open a simple text file that contains "This is the contents of the file".  Performing a scan over the memory dump reveals this data in two locations:

1 - 0x1448f000 - This is the contents of the file found through the _FILE_OBJECT->SectionObjectPointers->DataSectionObject.  This points to a control area, and through that I can locate the Subsection-BasePTE which shows that the page is in transition and has a PFN of 0x1448f.  So this allows me to find the data through the _FILE_OBJECT.

2 - 0x39d336b0 - This address is currently part of Notepad's private heap, which is where the data has been mapped into.

So examining the two pages through WinDbg gives me this information:

  lkd> !pfn 1448f
      PFN 0001448F at address FFFFFA80003CDAD0
      flink       00015B8F  blink / share count 00013ED5  pteaddress FFFFF8A0008AD010
      reference count 0000    used entry count  0000      Cached    color 0   Priority 5
      restore pte FA800325553004C0  containing page        00ABBA  Standby     P
        Shared
  lkd> !pte FFFFF8A0008AD010 1
                                             VA fffff8a0008ad010
  PXE at FFFFF8A0008AD010    PPE at FFFFF8A0008AD010    PDE at FFFFF8A0008AD010    PTE at FFFFF8A0008AD010
  contains 000000001448F8C0
  not valid
   Transition: 1448f
   Protect: 6 - ReadWriteExecute

As can be seen, the page containing the original data is shared, is on the standby list, and points to a prototype PTE.

  lkd> !pfn 39d33
      PFN 00039D33 at address FFFFFA8000AD7990
      flink       00039D88  blink / share count 00039D1E  pteaddress FFFFF6800001CAC8
      reference count 0000    used entry count  0000      Cached    color 0   Priority 3
      restore pte 1635500000080  containing page        0274B8  Standby

  lkd> !pte FFFFF6800001CAC8 1
                                             VA fffff6800001cac8
  PXE at FFFFF6800001CAC8    PPE at FFFFF6800001CAC8    PDE at FFFFF6800001CAC8    PTE at FFFFF6800001CAC8
  contains 0000000000000000
  not valid

The PTE within Notepad's heap is marked as not valid, but also shows that the page is on the standby list.

As the page located through the FILE_OBJECT is marked as shared, and points to a prototype PTE, is there any way of locating this prototype PTE and using it to track back to Notepad?  So for instance, would it be possible to locate the PPTE by searching memory for the 'MmSt' tag, and then parse the PPTE to gain any information?  Or does the PPTE not track backwards in that way?

Essentially, if the page containing the data found through the _FILE_OBJECT is shared, what is it shared with, and is it possible to track this information, using either the PFN database, prototype PTE entries, or something else I haven't thought of?

Any input or advice would be appreciated.

Thanks

Josh.
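As an added example (my own code, not part of the original post, WinDbg or any other tool mentioned), here is a small Python decoder for the x64 PTE encodings that the !pte and !pfn output above shows: the "contains" values and the "restore pte" field. It assumes the Windows 7 x64 _MMPTE union layouts (hardware, transition, software/pagefile, and the prototype/subsection pointer forms); the sample values are taken from the post's own output, and the hardware and pagefile PTEs in the test are constructed.

```python
PFN_MASK = (1 << 36) - 1          # bits 12-47 of a 64-bit PTE hold the PFN


def _sign_extend_48(addr):
    """Widen a 48-bit canonical kernel address to its 64-bit form."""
    return addr | (0xFFFF << 48) if addr & (1 << 47) else addr


def decode_pte(pte):
    """Classify one x64 page table entry value and extract its fields.

    Mirrors what WinDbg's !pte reports: valid, zero, transition, pointer
    (prototype PTE / subsection) or pagefile.  Bit positions assume the
    Windows 7 x64 _MMPTE_* layouts.  Returns a dict.
    """
    if pte & 1:                                      # hardware (valid) PTE
        return {"state": "valid", "pfn": (pte >> 12) & PFN_MASK,
                "writable": bool(pte & 2), "nx": bool(pte >> 63)}
    if pte == 0:                                     # never touched / demand-zero
        return {"state": "zero"}
    prototype, transition = (pte >> 10) & 1, (pte >> 11) & 1
    if transition and not prototype:
        # Page is still physically resident (standby/modified list) but
        # unmapped: protection in bits 5-9, PFN in bits 12-47.
        return {"state": "transition", "pfn": (pte >> 12) & PFN_MASK,
                "protection": (pte >> 5) & 0x1F}
    if prototype:
        # Pointer form.  Bits 16-63 carry a kernel address: a prototype PTE
        # when read from a process page table (_MMPTE_PROTOTYPE, protection
        # in bits 11-15) or, in the PFN entry's restore PTE of a file-backed
        # page, a _SUBSECTION (_MMPTE_SUBSECTION, protection in bits 5-9).
        # Both readings are returned so the caller can pick the right one.
        return {"state": "pointer", "address": _sign_extend_48(pte >> 16),
                "protection_proto": (pte >> 11) & 0x1F,
                "protection_subsection": (pte >> 5) & 0x1F}
    # Remaining case: contents paged out (_MMPTE_SOFTWARE).
    return {"state": "pagefile", "pagefile": (pte >> 1) & 0xF,
            "offset": pte >> 32, "protection": (pte >> 5) & 0x1F}


if __name__ == "__main__":
    # Values taken from the WinDbg output in the post above.
    samples = [("PTE for the file data page", 0x1448F8C0),
               ("PTE for the heap page", 0x0),
               ("restore pte of PFN 1448f", 0xFA800325553004C0)]
    for name, value in samples:
        print(f"{name}: {value:#018x} -> {decode_pte(value)}")
```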