Title: Technique to Interrogate an Image of RAM
Author: Mark Wozar
Venue: 2009 Fifth International Conference on IT Security Incident Management and IT Forensics
Published: 2009-09-15
DOI: 10.1109/IMF.2009.10 (https://doi.org/10.1109/IMF.2009.10)
Using Mr. Aaron Walters' Python script, nistpe.py, which generates hash values for sections within Microsoft Windows portable executables (PE), I will present a technique allowing industry, academia, law enforcement, and other government bodies to create custom reference sets that detect sections within a raw bit image of random access memory. The technique identifies PE sections within a raw bit image of random access memory by comparing SHA-1 hash values from page-aligned segments to SHA-1 reference file entries. This technique expands on the “immutable sections of known executables” reported earlier. Being able to identify PEs by hash values may facilitate volatile memory analysis and warn of malicious logic.
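The matching step the abstract describes, as an added Python example that is not the paper's code and not nistpe.py: a reference set of SHA-1 hashes is built from page-aligned 4 KiB pages of section bytes (constructed here, standing in for what nistpe.py would hash out of a real PE), and a constructed RAM image is then hashed page by page against that set. The section contents, the image layout and the 4 KiB page size are assumptions.

```python
import hashlib

PAGE = 4096  # assumed x86 page size; matching is done on page-aligned 4 KiB segments


def build_reference_set(sections):
    """Return {sha1_hex: (section_name, page_index)} for every complete page of
    each section. A trailing partial page is ignored, and all-zero pages are
    dropped because they occur everywhere in RAM and would only produce noise."""
    refs = {}
    for name, data in sections.items():
        for i in range(0, len(data) - len(data) % PAGE, PAGE):
            page = data[i:i + PAGE]
            if not any(page):
                continue
            refs.setdefault(hashlib.sha1(page).hexdigest(), (name, i // PAGE))
    return refs


def scan_image(image, refs):
    """Hash every page-aligned 4 KiB segment of a raw RAM image and report
    (offset, section_name, page_index) for each segment found in the reference set."""
    hits = []
    for off in range(0, len(image) - PAGE + 1, PAGE):
        digest = hashlib.sha1(image[off:off + PAGE]).hexdigest()
        if digest in refs:
            hits.append((off, *refs[digest]))
    return hits


# Constructed section contents (not real PE data): two full pages of .text plus a
# 100-byte tail, one page of .rdata, and an all-zero .bss page.
PAGE_A = bytes(range(256)) * 16
PAGE_B = bytes(reversed(range(256))) * 16
PAGE_C = bytes(i * 7 % 256 for i in range(PAGE))
SECTIONS = {".text": PAGE_A + PAGE_B + b"\x90" * 100, ".rdata": PAGE_C, ".bss": bytes(PAGE)}

# Constructed 8-page RAM image: .text pages land page-aligned in swapped order,
# .rdata is present but misaligned by 16 bytes, the last page is unrelated filler.
RAM_IMAGE = bytearray(8 * PAGE)
RAM_IMAGE[PAGE:2 * PAGE] = PAGE_B
RAM_IMAGE[3 * PAGE:4 * PAGE] = PAGE_A
RAM_IMAGE[5 * PAGE + 16:6 * PAGE + 16] = PAGE_C
RAM_IMAGE[7 * PAGE:8 * PAGE] = bytes(i * 13 % 256 for i in range(PAGE))

if __name__ == "__main__":
    for off, name, idx in scan_image(RAM_IMAGE, build_reference_set(SECTIONS)):
        print(f"offset 0x{off:08x}: {name} page {idx}")
```

The misaligned .rdata copy is not reported, which is the point of hashing page-aligned segments only; pages the loader rewrites at run time (relocated code, import tables) will likewise never match, so the reference set is only useful for sections that stay immutable in memory.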