
Based On Memory Analysis Kernel Structure Detection In Windows

Posted on: 2019-02-19
Degree: Master
Type: Thesis
Country: China
Candidate: H Zhang
Full Text: PDF
GTID: 2428330545986910
Subject: Information security
Abstract/Summary:
The diversity of Windows versions presents a great challenge to Windows-based memory analysis, which is of great value in security research and digital forensics, and kernel data structures are essential information in the memory forensics process. Existing solutions mainly obtain this information by analyzing debugging information or by decompiling kernel functions. This paper presents a general scheme for recognizing kernel structures in Windows memory. Binary data in Windows memory has no obvious semantic or grammatical characteristics, so it is difficult to extract the characteristics of a kernel structure. To solve this problem, this paper proposes the data type confidence table as the feature model of a kernel structure: it estimates the probability distribution of 4 kinds of data type within the structure instance region and constructs a confidence table for the data types. Based on the difference between the data distribution inside and outside the structure, a structure boundary recognition algorithm is proposed that solves for the approximate boundary of a structure instance. In addition, this paper proposes a scheme that applies the structure boundary recognition algorithm to hidden process recognition, identifying hidden processes in memory without relying on system version or structure information. The experimental results show that the algorithm solves for the approximate boundary of the EPROCESS structure accurately, that the error in the structure size is within a range of 20 offsets, and that the algorithm performs the same on different versions of 32-bit and 64-bit Windows, unaffected by the system version and bit width. By applying the structure boundary recognition algorithm to hidden process detection, hidden processes in memory can be identified accurately; the proposed method does not need the source code of the kernel structure or hand-crafted features of the kernel structure, and is suitable for different versions of 32-bit and 64-bit Windows operating systems.
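The abstract describes the method only at a high level; the following Python is an added illustration of the three pieces it names (a per-type confidence table learned from known structure instances, a boundary search that uses the inside-versus-outside distribution difference, and a cross-view check that flags instances a list walk does not report). It is not the thesis's own code or data: the four data type classes (zero, kernel pointer, small integer, other), the log-likelihood-ratio scoring, the 32-bit word model and the sample memory image are all assumptions made here.

```python
"""Data type confidence table and structure boundary recognition over a raw
memory image.  Added illustration only: the four data types, the scoring rule
and the sample image are assumptions, not the thesis's own definitions or data."""
import math
import struct
from collections import Counter

WORD = 4                       # assumed 32-bit, little-endian image
ZERO, KPTR, SMALL, OTHER = "zero", "kptr", "small", "other"
TYPES = (ZERO, KPTR, SMALL, OTHER)

def classify_word(value):
    """Assumed 4-class data type model for one 32-bit word."""
    if value == 0:
        return ZERO
    if value >= 0x80000000:    # kernel half of the default 32-bit address split
        return KPTR
    if value <= 0xFFFF:
        return SMALL           # counters, flags, sizes, PIDs
    return OTHER               # raw data, strings, anything else

def word_at(image, off):
    return struct.unpack_from("<I", image, off)[0]

def build_confidence_table(image, known_starts, struct_size):
    """Per-type log(P_inside / P_outside), estimated from instances whose
    location is already known; every other word in the image counts as outside."""
    inside, outside = Counter(), Counter()
    ranges = [(s, s + struct_size) for s in known_starts]
    for off in range(0, len(image) - WORD + 1, WORD):
        t = classify_word(word_at(image, off))
        if any(a <= off < b for a, b in ranges):
            inside[t] += 1
        else:
            outside[t] += 1
    def smooth(counts):        # Laplace smoothing keeps every log finite
        n = sum(counts.values())
        return {t: (counts[t] + 1) / (n + len(TYPES)) for t in TYPES}
    p_in, p_out = smooth(inside), smooth(outside)
    return {t: math.log(p_in[t] / p_out[t]) for t in TYPES}

def find_boundary(image, start, table, max_size):
    """Grow a window from `start` one word at a time; the approximate end of
    the structure is where the cumulative confidence peaks, i.e. where the
    data stops looking inside-like.  Returns (end_offset, peak_score)."""
    best_end, best, score = start, float("-inf"), 0.0
    for off in range(start, min(start + max_size, len(image) - WORD + 1), WORD):
        score += table[classify_word(word_at(image, off))]
        if score > best:
            best, best_end = score, off + WORD
    return best_end, best

def scan_instances(image, table, max_size, min_score):
    """Find instances anywhere in the image without walking any OS-maintained
    list: anchor on an inside-like word and keep windows whose peak is high."""
    found, off = [], 0
    while off <= len(image) - WORD:
        if table[classify_word(word_at(image, off))] > 0:
            end, score = find_boundary(image, off, table, max_size)
            if score >= min_score:
                found.append((off, end))
                off = end
                continue
        off += WORD
    return found

def detect_hidden(image, table, known_starts, max_size=128, min_score=6.0):
    """Cross-view check: scanned instances that the known list does not contain."""
    known = set(known_starts)
    return [s for s, _ in scan_instances(image, table, max_size, min_score)
            if s not in known]

# ---- constructed sample image (not real Windows memory) -------------------
def make_instance(k):
    """64-byte structure-like region: two header words, list links, a PID,
    more pointers and one trailing raw word (types are what matter here)."""
    p = 0x86A00000 + k * 0x20000
    return [0x3, 0x1C, p + 0x20, p + 0x3A8, 0, 0, p + 0x4D40, p + 0xC8E0,
            0xFA0 + 4 * k, 0x4, 0, p + 0x2100, p + 0xA7F0, p + 0xB118,
            p + 0xE260, 0x12C4F8E1]

FILLER = [0x3C0F9A21, 0x1F2E3D4C, 0x0, 0x2A2B2C2D]     # non-structure data
LAYOUT = (FILLER * 2 + make_instance(0) + FILLER * 3 + make_instance(1)
          + FILLER * 2 + make_instance(2) + FILLER * 2)
IMAGE = struct.pack("<%dI" % len(LAYOUT), *LAYOUT)   # instances at 32, 144, 240
KNOWN = [32, 144]              # what a list walk reports; 240 is the unlinked one
TABLE = build_confidence_table(IMAGE, KNOWN, 64)

if __name__ == "__main__":
    print({t: round(v, 2) for t, v in TABLE.items()})
    end, score = find_boundary(IMAGE, 240, TABLE, 128)
    print("from 240: end=%d size=%d (true 64) score=%.2f" % (end, end - 240, score))
    print("hidden:", detect_hidden(IMAGE, TABLE, KNOWN))
```

Two things worth noticing when running it. The boundary found for each instance is 60 bytes rather than the true 64, because the instance ends with a word that looks outside-like; that is exactly the "approximate boundary" the abstract describes, and the error here is one word. Second, the unlinked instance at 240 is counted as outside data while the table is trained from the two known instances, yet its pointer-heavy layout still scores far above the filler, so the scan reports it and the cross-view check flags it; with real memory the classes, word size and threshold would need to be chosen per image.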
Keywords/Search Tags:memory analysis, data structure, Windows operating system, kernel structure