Memory Forensics
Last updated
KDBG
Kernel debugger data block. Points to the list of EPROCESS blocks (the active process list).
EPROCESS:
Executive Process Block.
Each process has its own EPROCESS, which points to the objects loaded through the PEB.
PEB:
VAD Tree
Kernel-level structure. Records the DLLs (and other regions) mapped into the process.
Private Memory
Sole memory domain of the target process. Only READWRITE privs should be in here, which makes sense for data being read and written in the stack, heap, and data files.
No executables like EXEs or DLLs should be in here, nor should any EXECUTE privileges.
Sharable Memory
Also known as mapped memory; responsible for mapping all or part of shared files for use by the process. Files like .dat and .mui are usually present here.
Expected privs: READONLY
Unexpected: EXECUTE privs
Image Mapped Memory
Part of sharable memory. Expected to see DLLs, EXEs, and drivers mapped here.
Expected privs: EXECUTE_WRITECOPY, EXECUTE_READ
Unexpected privs: EXECUTE_READWRITE
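The expected/unexpected privilege rules for the three memory types above, applied as a triage pass over VAD regions. This is an added example, not code from the original notes or from any forensic tool; the Region layout, the "private"/"sharable"/"image" labels and the sample regions are constructed here.

```python
from dataclasses import dataclass

@dataclass
class Region:
    """One VAD node, as a dump-parsing tool might hand it over.
    Field layout is constructed for this example, not a Volatility format."""
    pid: int
    start: int
    end: int
    protection: str   # e.g. "READWRITE" or "EXECUTE_READWRITE"; a PAGE_ prefix is tolerated
    kind: str         # "private", "sharable" (mapped file) or "image" (mapped PE)
    path: str = ""    # mapped file path; empty for private memory
    head: bytes = b"" # first bytes of the region, if captured

def norm(protection: str) -> str:
    p = protection.upper()
    return p[5:] if p.startswith("PAGE_") else p

def findings(r: Region) -> list:
    """Apply the expected/unexpected protection rules from the notes above."""
    p, hits = norm(r.protection), []
    if r.kind == "private":
        if "EXECUTE" in p:
            hits.append("EXECUTE protection on private memory")
        if r.head.startswith(b"MZ"):
            hits.append("PE (MZ) header in private memory")
    elif r.kind == "sharable" and "EXECUTE" in p:
        hits.append("EXECUTE protection on mapped-file memory")
    elif r.kind == "image" and p == "EXECUTE_READWRITE":
        hits.append("EXECUTE_READWRITE on an image mapping")
    return [f"pid {r.pid} {r.start:#010x}-{r.end:#010x} {p}: {h}" for h in hits]

def rwx_counts(regions) -> dict:
    """(RWX regions, total regions) per kind, to compare against the base rates
    given under Considerations."""
    counts = {}
    for r in regions:
        rwx, total = counts.get(r.kind, (0, 0))
        counts[r.kind] = (rwx + (norm(r.protection) == "EXECUTE_READWRITE"), total + 1)
    return counts

# Constructed sample regions for a single process (not taken from a real dump).
SAMPLE = [
    Region(1234, 0x00400000, 0x00432000, "PAGE_EXECUTE_WRITECOPY", "image", r"C:\Windows\explorer.exe", b"MZ"),
    Region(1234, 0x02A00000, 0x02A10000, "PAGE_READWRITE", "private", head=b"\x00\x00"),
    Region(1234, 0x03F00000, 0x03F20000, "PAGE_EXECUTE_READWRITE", "private", head=b"MZ\x90\x00"),
    Region(1234, 0x77000000, 0x77120000, "PAGE_EXECUTE_READWRITE", "image", r"C:\Windows\System32\example.dll"),
    Region(1234, 0x7FF00000, 0x7FF10000, "PAGE_READONLY", "sharable", r"C:\Windows\System32\locale.nls"),
]

if __name__ == "__main__":
    for line in (l for r in SAMPLE for l in findings(r)):
        print(line)
    print(rwx_counts(SAMPLE))
```

Only the two EXECUTE_READWRITE regions are reported; the private RWX region is flagged twice because its first bytes also carry a PE header.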
EPROCESS:
Name of process executable (image file name)
PID
PPID
Location in mem (offset)
Creation time
Termination time (exit)
Threads assigned to process
Handles to other OS artifacts
Link to the VAD tree
Link to the PEB block
Considerations:
0.24% of private memory, 0.014% of sharable memory, and 0.01% of image memory contain RWX memory pages.
0.62% of private, 0.036% of sharable, and 17.5% of image memory contain RX memory pages.
Note: The base 0x100000 with InInit being "False" is present in all memory dumps. That is the process executable; it will not be present in the InInit list, but it should be present in the MappedPath list. The absence of the image path in MappedPath is suspicious.
The PE_PATCHED result is a false positive caused by the normal memory modifications that 32-bit code (SysWOW64) execution makes.