Memory Analysis of the Python Runtime Environment

Impact factor 2.2 | Zone 4 (Medicine) | JCR Q3, COMPUTER SCIENCE, INFORMATION SYSTEMS
Hala Ali, Andrew Case, Irfan Ahmed
DOI: 10.1016/j.fsidi.2025.301920
Journal: Forensic Science International-Digital Investigation, volume 53, Article 301920
Publication date: 2025-07-01 (Journal Article)
URL: https://www.sciencedirect.com/science/article/pii/S2666281725000599
Citations: 0

Abstract

Memory forensics has become a crucial component of digital investigations, particularly for detecting sophisticated malware that operates solely in system memory without leaving traces on the file system. Although memory forensics provides a complete view of the system state at the time of acquisition, prior research efforts have primarily focused on analyzing kernel-level data structures for malware detection. With the propagation of kernel-level malware, operating system vendors implemented stringent kernel access restrictions, leading malware authors to shift their focus to developing userland malware. This evolution in tactics necessitated a corresponding shift in forensic research toward analyzing userland runtime environments. While significant memory analysis capabilities have been developed for various runtime environments, including Android, Objective-C, and .NET, no effort has addressed the analysis of Python despite its growing popularity among legitimate software developers and malware authors. To address this critical gap, we present a comprehensive analysis of the Python runtime, encompassing its hierarchical memory management, garbage collection mechanism, and thread execution context management. We automated this analysis by developing a suite of new Volatility 3 plugins that provide detailed visibility into Python applications, including classes and their runtime instances, modules, functions, dynamically generated values, and execution traces across application threads. We evaluated our plugins against real-world malware samples, including cryptocurrency hijackers, ransomware variants, and remote access trojans (RATs). Results demonstrated 100% extraction accuracy of application objects within practical time constraints. The plugins recovered critical artifacts, including cryptocurrency wallet addresses, encryption keys, malicious functions, and execution paths. Through these new automated analysis capabilities, investigators of all levels of experience will be able to detect and analyze Python-based malware.
Source journal metrics

CiteScore: 5.90
Self-citation rate: 15.00%
Articles published: 87
Review time: 76 days