Applying user-mode memory scanning on Windows NT

Eric Uday Kumar, Authentium

Memory-resident malware and malware that persists across reboots have long been the most challenging to detect and deactivate. Such malware can conceal its presence (defensive techniques), thwart termination or removal (armouring techniques), lower system security, and terminate or suspend security applications (offensive techniques). Memory scanning plays a vital role in detecting and deactivating these types of malware.

Implementing a memory scanner for Windows NT-based systems is particularly challenging because of the complexity of the execution environment. While memory scanning can be implemented in both kernel mode and user mode, this discussion is confined to user-mode memory scanning on 32-bit and 64-bit Windows NT-based systems. This essentially means scanning the virtual address space of each process in memory, as well as its associated objects in memory and on physical disk, as seen from user mode. We will discuss examples from real-world malware that demonstrate a few anti-detection and anti-disinfection techniques, and show how memory scanning can be applied to overcome some of them. Certain techniques for detecting hidden processes from user mode will also be presented, along with the limitations of user-mode memory scanning.
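As an added illustration of the per-process address-space walk described above (example code, not from the talk or from Authentium): each committed, accessible region of a target process is enumerated with VirtualQueryEx, copied out with ReadProcessMemory and matched against byte signatures. The signature name and bytes and the 64-byte sample region are constructed for the example; the Win32 portion compiles only on Windows, the matcher runs anywhere.

```c
/* Added example, not from the talk: skeleton of a user-mode memory scanner.
 * Win32 walk is compiled only on Windows; matcher and sample are portable. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
typedef struct { const char *name; const uint8_t *bytes; size_t len; } signature_t;
/* Count signature hits in one region; a pattern straddling two regions is missed. */
size_t scan_region(const uint8_t *buf, size_t len, const signature_t *sigs, size_t nsigs)
{
    size_t hits = 0;
    for (size_t s = 0; s < nsigs; s++) {
        if (sigs[s].len == 0 || sigs[s].len > len) continue;
        for (size_t i = 0; i + sigs[s].len <= len; i++)
            if (memcmp(buf + i, sigs[s].bytes, sigs[s].len) == 0) hits++;
    }
    return hits;
}
/* Constructed 64-byte "region": hypothetical 4-byte signature at offset 10 and flush at the end. */
size_t scan_constructed_sample(void)
{
    static const uint8_t sig[] = { 0xDE, 0xAD, 0xBE, 0xEF };
    const signature_t sigs[] = { { "Test.Sig/constructed", sig, sizeof sig } };
    uint8_t region[64] = { 0 };
    memcpy(region + 10, sig, sizeof sig);
    memcpy(region + sizeof region - sizeof sig, sig, sizeof sig);
    return scan_region(region, sizeof region, sigs, 1);   /* 2 hits */
}
#ifdef _WIN32
#include <windows.h>
/* Walk the target's virtual address space with VirtualQueryEx; scan each committed, non-guard region. */
size_t scan_process(DWORD pid, const signature_t *sigs, size_t nsigs)
{
    MEMORY_BASIC_INFORMATION mbi;
    uint8_t *addr = NULL; size_t hits = 0;
    HANDLE h = OpenProcess(PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, FALSE, pid);
    if (!h) return 0;  /* access denied: one limit of scanning from user mode */
    while (VirtualQueryEx(h, addr, &mbi, sizeof mbi) == sizeof mbi) {
        if (mbi.State == MEM_COMMIT && !(mbi.Protect & (PAGE_NOACCESS | PAGE_GUARD))) {
            uint8_t *buf = malloc(mbi.RegionSize); SIZE_T got = 0;  /* NULL on huge regions */
            if (buf && ReadProcessMemory(h, mbi.BaseAddress, buf, mbi.RegionSize, &got))
                hits += scan_region(buf, got, sigs, nsigs);
            free(buf);
        }
        addr = (uint8_t *)mbi.BaseAddress + mbi.RegionSize;  /* advance to next region */
    }
    CloseHandle(h);
    return hits;
}
#endif
```

On a live system the caller would iterate process IDs (for instance from a process snapshot) and call scan_process for each; regions the scanner cannot open or read are exactly where the user-mode limitations mentioned in the abstract show up.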
