Netinfo Security ›› 2021, Vol. 21 ›› Issue (12): 38-43.doi: 10.3969/j.issn.1671-1122.2021.12.006


Research on Forensics Technology of Malicious Code Based on Deleted PE File Header

LI Pengchao 1,2, LIU Yanfei 1,3

  1. Chongqing Police College, Chongqing 401331, China
  2. Southwest University, Chongqing 400715, China
  3. Tianjin University, Tianjin 300072, China
  • Received: 2021-10-20 Online: 2021-12-10 Published: 2022-01-11
  • Contact: LI Pengchao E-mail: lipengchao61@qq.com

Abstract:

In particular, malware strips the headers from executable files it has copied into memory pages with execute protection, so that the code is not exposed during memory forensic analysis. This paper proposes a method to detect headerless executable files by searching for the Section table in the memory dump. To this end, it uses Section header signatures and checks whether the offset intervals between them are a multiple of the Section header size in order to detect Section tables. We select the non-private pages with execute protection in the Virtual Address Descriptor (VAD), which are highly likely to hold code hidden by malware, and scan them for Section tables. In addition, the detection performance is verified by implementing the proposal as a plug-in for the Volatility 3 Framework and analyzing the memory of a system infected with Ursnif.
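As an added illustration of the Section-table search described in the abstract (not code from the paper or its Volatility 3 plug-in), the following Python scans a memory region for IMAGE_SECTION_HEADER entries without relying on the PE header: it looks for known section-name signatures, keeps only hits whose mutual offsets are multiples of the 40-byte header size, and then decodes the run as a table. The signature list, the plausibility checks and the constructed sample region are assumptions made for this example.

```python
import struct
SECTION_HEADER_SIZE = 40            # sizeof(IMAGE_SECTION_HEADER)
HEADER_FMT = "<8sIIIIIIHHI"         # Name, VirtualSize, VirtualAddress, SizeOfRawData, ... Characteristics
SECTION_SIGNATURES = [b".text", b".rdata", b".data", b".pdata", b".idata", b".rsrc", b".reloc"]  # assumed set, not the paper's
MEM_EXECUTE, MEM_READ, MEM_WRITE = 0x20000000, 0x40000000, 0x80000000   # IMAGE_SCN_MEM_* flags

# Decode one IMAGE_SECTION_HEADER at byte offset `off` of a memory region.
def parse_section_header(buf, off):
    name, vsize, vaddr, _, _, _, _, _, _, chars = struct.unpack_from(HEADER_FMT, buf, off)
    return {"name": name.rstrip(b"\0").decode("ascii", "replace"), "vaddr": vaddr,
            "vsize": vsize, "chars": chars}

# Offsets where an 8-byte Name field holds a known, NUL-padded section name.
def find_signature_offsets(buf):
    hits = set()
    for sig in SECTION_SIGNATURES:
        pos = buf.find(sig)
        while pos != -1:
            if pos + SECTION_HEADER_SIZE <= len(buf) and buf[pos + len(sig):pos + 8].strip(b"\0") == b"":
                hits.add(pos)
            pos = buf.find(sig, pos + 1)
    return sorted(hits)

# Group signature hits whose distances are multiples of 40 bytes; each group is a candidate table.
def find_section_tables(buf, min_headers=2):
    hits, tables = find_signature_offsets(buf), []
    while hits:
        run = [hits[0]] + [off for off in hits[1:] if (off - hits[0]) % SECTION_HEADER_SIZE == 0]
        hits = [off for off in hits if off not in run]
        count = (run[-1] - run[0]) // SECTION_HEADER_SIZE + 1
        if len(run) < min_headers or count > 96:   # isolated name string, or more sections than a PE allows
            continue
        headers = [parse_section_header(buf, run[0] + i * SECTION_HEADER_SIZE) for i in range(count)]
        if all(h["chars"] != 0 for h in headers):   # every genuine header carries IMAGE_SCN_* flags
            tables.append((run[0], headers))
    return tables

# Constructed 4 KiB page: DOS/PE headers wiped to zero, section table intact, plus a decoy string.
def build_sample_region():
    def hdr(name, vaddr, vsize, chars):
        return struct.pack(HEADER_FMT, name, vsize, vaddr, vsize, 0, 0, 0, 0, 0, chars)
    region = bytearray(4096)
    table = (hdr(b".text", 0x1000, 0x2000, MEM_EXECUTE | MEM_READ | 0x20)
             + hdr(b".rdata", 0x3000, 0x800, MEM_READ | 0x40)
             + hdr(b".data", 0x4000, 0x400, MEM_READ | MEM_WRITE | 0x40)
             + hdr(b".reloc", 0x5000, 0x100, MEM_READ | 0x40 | 0x2000000))
    region[0x1F8:0x1F8 + len(table)] = table
    region[2300:2308] = b".text\0\0\0"         # stray ".text" string that must not be reported as a table
    return bytes(region)
```

Run over a real dump, `buf` would be the bytes of each non-private executable VAD region; the decoy shows why a lone signature hit is not enough and the interval check matters.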

Key words: memory forensics, virtual address descriptor, volatility3, malicious code
