Memory Layout Extraction and Verification Method for Reliable Physical Memory Acquisition

Electronics, 2021, Vol 10 (12), pp. 1380
Author(s): Seungwon Jung, Seunghee Seo, Yeog Kim, Changhoon Lee

Physical memory acquisition is a prerequisite when performing memory forensics, which refers to a set of techniques for acquiring and analyzing traces associated with user activity, malware analysis, cyber incident response, and similar areas while those traces remain in physical RAM. However, certain types of malware apply anti-memory forensics techniques to evade memory analysis or to make acquisition impossible. To disturb the acquisition of physical memory, an attacker hooks the kernel API that returns a map of the physical memory spaces, the API typically used by memory acquisition tools, and modifies its return value. Moreover, an attacker may modify the kernel object referenced by that kernel API. This causes the system to crash during memory acquisition or causes the memory acquisition tools to proceed incorrectly. Even a modification of a single byte, called a one-byte modification attack, makes some tools fail to acquire memory. Therefore, specialized countermeasure techniques are needed against these anti-memory forensics techniques. In this paper, we propose a memory layout acquisition method that is robust to kernel API hooking and to the one-byte modification attack on NumberOfRuns, the kernel object used to construct the memory layout in Windows. The proposed acquisition method directly accesses memory, extracts the byte array, and parses it into the form of a memory layout. When we access memory, we extract the _PHYSICAL_MEMORY_DESCRIPTOR structure, which is the basis of the memory layout, without using the existing memory layout acquisition API. Furthermore, we propose a verification method that selects a reliable memory layout. We realize the verification method by comparing NumberOfRuns and the memory layout acquired via the kernel API, the registry, and the proposed method.
The proposed verification method guarantees the reliability of the memory layout and helps secure memory image acquisition through comparative verification against existing memory layout acquisition methods. We also conduct experiments showing that the proposed method is resistant to anti-memory forensics techniques, and confirm that there are no significant differences in acquisition time compared to existing tools.

2019, Vol 1314, pp. 012180
Author(s): Bin Liu, Ying-xian Chang, Lian-ri Cong, Xia Wu, Hua Deng, ...

2018, Vol 188, pp. 05009
Author(s): P. Michalopoulos, V. Ieronymakis, M.T. Khan, D. Serpanos

Malware (such as viruses and ransomware) is the main source of serious security threats to IT systems and their users nowadays. In order to protect systems and their legitimate users from these threats, anti-malware applications are developed as a defense against malware. However, most of these applications detect malware based on signatures or heuristics that are still created manually and are error-prone. Some recent applications employ data mining and machine learning techniques to detect malware automatically. However, such applications fail to classify malware appropriately, mainly because they suffer from a high rate of false alarms on the one hand and, being retrospective, fail to detect new unknown threats and variants of known malware on the other. Since anti-malware vendors receive a huge number of malware samples every day, there is an urgent need for malware analysis tools that can automatically detect malware rigorously, i.e. eliminating false alarms. To address these issues and challenges of current malware detection and analysis approaches, we propose a novel, open source and extensible platform (based on a set of tools) that allows various malware detection techniques to be combined to automatically detect and classify malware more rigorously. The developed platform can be fed with malware samples from different providers and will enable the development of effective classification schemes and methods, which are not sufficiently effective without collaboration and the related sample aggregation. Furthermore, such collaborative platforms in cybersecurity enable efficient sharing of information (e.g., about newly identified threats) with all collaborators, and sharing of appropriate defences against them, if such defences exist.


2017, Vol 2017, pp. 1-15
Author(s): Jiaye Pan, Yi Zhuang

Research on endpoint security covers both the traditional PC platform and the prevalent mobile platform, and the analysis of software vulnerabilities and malware is one of its important topics. For researchers, it is necessary to carry out nonstop exploration of the insecure factors in order to better protect endpoints. Driven by this motivation, we propose a new threat model named Process Memory Captor (PMCAP) on the Windows operating system, which threatens the volatile memory data of live processes. Compared with other threats, PMCAP targets dynamic data in process memory and uses a noninvasive approach for data extraction. In this paper we describe and analyze the model and then give a detailed implementation, taking four popular web browsers, IE, Edge, Chrome, and Firefox, as examples. Finally, the model is verified through real experiments and case studies. Compared with existing technologies, PMCAP can extract valuable data at a lower cost; some techniques in the model are also suitable for memory forensics and malware analysis.


2019, Vol 1 (1), pp. 43
Author(s): Dede Hertina, Mohamad Bayu Herdiawan Hidayat

The purpose of this study was to determine the information, solvability, and value of shares of the Agricultural Sector Companies listed on the Indonesia Stock Exchange for the 2012-2016 period. The method used in this research is a descriptive and verification method with a quantitative approach. Research results: the company with the highest liquidity in 2012 was PT Bumi Teknokultura Unggul Tbk with liquidity of 6747.74, and the company with the lowest liquidity in 2013 was PT Bumi Teknokultura Unggul Tbk with liquidity of 14.33. The highest solvency value was PT Central Proteinaprima Tbk at 64.05, while the lowest solvency value in 2015 was owned by PT Inti Agri Resources Tbk at 0.04. The highest market value in 2012 was PT Central Proteinaprima Tbk at 38.72, while the lowest average market value in 2016 was PT Gozco Plantation Tbk at 0.19. The highest stock return value in 2014 was PT Central Proteinaprima Tbk at 1.06, while the lowest stock return value in 2015 was owned by PT Eagle High Plantations Tbk at -0.66.


2018, Vol 28 (03), pp. 1850009
Author(s): Stefan Kronawitter, Sebastian Kuckuk, Harald Köstler, Christian Lengauer

Performance optimizations should focus not only on the computations of an application but also on its internal data layout. A well-known question is whether a struct of arrays or an array of structs yields higher performance for a particular application. Even though switching from one to the other is fairly simple to implement, testing both transformations can become laborious and error-prone. Additionally, there are more complex data layout transformations, such as color splitting for multi-color kernels in the domain of stencil codes, that are difficult to apply manually. As a remedy, we propose new flexible layout transformation statements for our domain-specific language ExaSlang that support arbitrary affine transformations. Since our code generator applies them automatically to the generated code, these statements enable simple adaptation of the data layout without any other modifications to the application code. This constitutes a big advance in the ease of testing and evaluating different memory layout schemes in order to identify the best one.

