CN101727323A - Obtaining method of network information under Vista operating system - Google Patents


Info

Publication number: CN101727323A
Authority: CN (China)
Prior art keywords: address, place, virtual address, bytes, read
Legal status: Granted (the legal status is an assumption and is not a legal conclusion; Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed)
Application number: CN200910231540A
Other languages: Chinese (zh)
Other versions: CN101727323B (en)
Inventors: 王英龙, 徐丽娟, 王连海
Current assignee: Shandong Computer Science Center (the listed assignees may be inaccurate; Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list)
Original assignee: Shandong Computer Science Center

Events
  • Application filed by Shandong Computer Science Center
  • Priority to CN200910231540XA
  • Publication of CN101727323A
  • Application granted
  • Publication of CN101727323B
  • Legal status: Expired - Fee Related (current)
  • Anticipated expiration

Landscapes

  • Information Retrieval, Db Structures And Fs Structures Therefor (AREA)
  • Memory System Of A Hierarchy Structure (AREA)

Abstract

The invention discloses a method for obtaining network information under a Vista operating system, which comprises the following steps: obtaining the virtual address of the base address of the tcpip.sys module through physical memory analysis, then obtaining from that base address the virtual address of the doubly linked list TcpEndpointPool, and obtaining network connection information by traversing the doubly linked list. The method has the advantages of high reliability and high speed.

Description

Method for obtaining network information under the Vista operating system
Technical field
The present invention relates to a method for obtaining network information under the Windows Vista operating system, namely searching for network connection information in a Windows Vista physical memory image file, for use in the investigation and evidence collection of information security incidents and computer network crime cases of all kinds. It belongs to the technical field of computer forensics.
Background technology
In the field of computer forensics, network connection information describes how a computer was communicating with the outside world at the time of an investigation, and can therefore serve as important evidence for judging whether the subject was engaged in illegal network activity. Network connection information resides in physical memory as volatile data, and obtaining it depends on a correct physical memory analysis method. To advance the development of physical memory analysis, DFRWS (Digital Forensic Research Workshop) launched an activity named "Forensics Challenge" in 2005 whose theme was precisely physical memory analysis; since then, the analysis and acquisition of physical memory has become a focus of computer forensics research. The KPCR-based Windows memory analysis of Zhang et al. (Ruichao Zhang, Lianhai Wang, Shuhui Zhang, "Windows Memory Analysis Based on KPCR," IAS, vol. 2, pp. 677-680, 2009 Fifth International Conference on Information Assurance and Security, 2009) has the advantage of high reliability in physical memory analysis; using this method, information such as system processes and drivers loaded by the system can be obtained from memory image files of every Windows release.
At present, the tool that can obtain network connection information from a physical memory image file is Volatility, developed by Walters and Petroni.
Volatility 1.3 Beta (the latest version released so far) can obtain the network connection information in a Microsoft Windows XP memory image file. Its method is described in detail as follows:
The ports opened by the TCP and UDP protocols are obtained by searching for AddrObjTable in tcpip.sys; TCBTable is used to obtain the network connections that have been established.
The content pointed to by the address of AddrObjTable in tcpip.sys determines the address and size of ObjTable. ObjTable stores a number of addresses, each of which points to an entry of ObjTable; analysing these entries gives the ports opened by the TCP and UDP protocols.
The content pointed to by the address of TCBTable in tcpip.sys locates the content of TCBTable; analysing each entry of TCBTable gives the network connections that have been established.
The above lookup method for network connection information is simple and feasible, but it is only suitable for the Windows XP version and is not applicable to any version of the Vista operating system: in Vista, tcpip.sys no longer contains the two variables AddrObjTable and ObjTable, so the above method cannot be used to obtain network connection information.
Summary of the invention
In view of the development of memory analysis and the current state of the art described above for obtaining network connection information under Windows operating systems, the invention provides a method that can obtain network connection information from a Windows Vista memory image file.
The present invention adopts the following technical solution:
The method of this invention for obtaining network information under the Vista operating system comprises the following steps:
1) Obtain the virtual address of the base address of the tcpip.sys module through physical memory analysis;
2) Add to the base address virtual address obtained in step 1) the offset between that base address and the data structure TcpEndpointPool under the current operating system, giving the virtual address of TcpEndpointPool;
3) Translate the virtual address obtained in step 2) into a physical address according to the address translation rules of the current operating system, and locate the first position this physical address points to in the memory image;
4) At the first position located in step 3), read the first 4 bytes as a virtual address and translate it into a physical address; locate the second position this physical address points to in the memory image; at offset 0x1c from this second position, read 4 bytes to obtain the virtual address of the first TcpEndpoint structure head in the doubly linked list TcpEndpointPool;
5) Process the singly linked list whose list head is the current TcpEndpoint structure head:
a) Convert the virtual address of the current TcpEndpoint structure head into a physical address, locate that physical address in the memory image, and read the first 4 bytes to obtain the virtual address of the first node of this singly linked list;
b) Check whether the virtual address of the current node of the singly linked list is 0; if so, processing of this singly linked list is finished; if not, go to step c);
c) Convert the virtual address of the current node into a physical address, locate it in the memory image, and read the first 0x180 bytes into a buffer;
d) Read the 4-byte value at offset 0x14 of the buffer and determine whether it is a pointer to an EPROCESS structure; if so, this structure is a TcpEndpoint structure, go to step f); otherwise this structure is a TCB structure, go to the next step;
e) Parse the TCB structure: using the characteristics of the EPROCESS structure of the current operating system, find the connection information of the process OwningProcess that created the network connection, then carry out the next step;
f) Read the 4 bytes at offset 0x0 of the buffer to obtain the virtual address of the next node of the current singly linked list, and go to step b);
6) According to the _LIST_ENTRY structure that stores the linkage between adjacent TcpEndpoint structure heads, add 0x30 to the address of the current structure head; if the virtual address of the next _LIST_ENTRY equals the virtual address of the first TcpEndpoint structure head, finish; otherwise subtract 0x30 from the virtual address of that next _LIST_ENTRY to obtain the virtual address of the structure head following the current TcpEndpoint structure head, and enter the next step;
7) According to the flag of the next structure head obtained in step 6), judge whether it is a TcpEndpoint structure head; if so, go to step 5); if not, go to step 6).
In all versions of the Vista operating system, the data structure TcpEndpointPool exists in the tcpip.sys driver (it is also called the TCP endpoint pool; in data-structure terms this pool is a doubly linked list, each node of which is in turn the structure head of a singly linked list, and the flag of a structure head tells which node structures its singly linked list holds). The position of this structure relative to tcpip.sys is fixed in each Windows Vista version, and the structures inside TcpEndpointPool do not change from one Vista version to another, so the method for obtaining network information under the Vista operating system according to the technical solution of the present invention is reliable. It also works across several versions of Vista, so it is widely applicable, and it remedies the present lack of a method for obtaining network information under the Vista operating system.
According to this scheme, the amount of computation involved in the whole method is low, network connection information can be found quickly by the memory analysis method, the search efficiency is comparatively high, and the method is easy to implement by programming, so its realizability is strong.
In the above method, the physical memory analysis of step 1) adopts the Windows physical memory analysis method based on the KPCR structure.
In the above method, step 1) comprises: first obtaining the kernel variable PsLoadedModuleList through physical memory analysis and reading the virtual address of the first module in that kernel variable; judging whether the name of this module is tcpip.sys and, if so, taking the base address of the driver module tcpip.sys; if not, judging the next module, and repeating the name check and the subsequent steps until the driver module tcpip.sys is found and its base address is taken.
In the above method, in step 2), if the current operating system is Windows Vista SP1, the virtual address of TcpEndpointPool is the base address virtual address obtained in step 1) + 0xd0d5c; if the current operating system is Windows Vista SP2, the virtual address of TcpEndpointPool is the base address virtual address obtained in step 1) + 0xd3e9c.
In the above method, sub-step e) of step 5) comprises reading 4 bytes at offset 0x164 of the buffer to obtain the virtual address of the EPROCESS structure, converting it into a physical address, then locating the position EPROCESS physical address + 0x9c in the memory image file and reading 4 bytes there to obtain the pid of the network connection corresponding to the current node; then reading 8 bytes at offset 0x16c of the buffer to obtain the creation time of this network connection; reading 2 bytes at offset 0x2c of the buffer and converting them to a decimal number to obtain the local port of this network connection; and reading 2 bytes at offset 0x2e of the buffer and converting them to a decimal number to obtain the value of the remote port.
In the above method, sub-step e) of step 5) further comprises the following steps: I) read 4 bytes at offset 0x10 of the buffer, convert them into a physical address denoted nlPathPA, locate physical address nlPathPA + 0x08 in the memory image file, and read 4 bytes there to obtain the remote address; II) read 4 bytes at offset 0x34 of the buffer, convert them into a physical address denoted nlLocalPA, locate physical address nlLocalPA + 0x0c in the memory image file, read 4 bytes there and record them as nlIdentifierPA, locate physical address nlIdentifierPA in the memory image file, read 4 bytes there and convert them into a physical address, locate that address in the memory image file, and read 4 bytes there to obtain the local address.
Description of drawings
The technical solution of the present invention is described more specifically below in conjunction with the accompanying drawings, so that those skilled in the art can better understand the invention, wherein:
Fig. 1 is a diagram of the internal organization of TcpEndpointPool.
Fig. 2 is a diagram of the general structure of each node on the doubly linked list.
Fig. 3 is a diagram of the connection relationship between structure heads.
Fig. 4 is a general flow chart of the method for obtaining network information under the Vista operating system according to the embodiment of the invention.
Fig. 5 is a flow chart of the method for obtaining the address of the kernel variable PsLoadedModuleList.
Fig. 6 shows address translation with a 4 KB page size.
Fig. 7 shows address translation with a 4 MB page size.
Fig. 8 shows address translation under the PAE (Physical Address Extension) mechanism with a 4 KB page size.
Fig. 9 shows address translation under the PAE mechanism with a 2 MB page size.
Fig. 10 shows address translation under the PSE (Page Size Extension)-36 mechanism.
Fig. 11 is a flow chart of obtaining the tcpip.sys base address.
Fig. 12 is a flow chart of processing the singly linked list led by a TcpEndpoint structure head.
Embodiment
With reference to Figures 4 and 12 of the drawings, a method for obtaining network information under the Vista operating system is shown, comprising the following steps:
1) Obtain the virtual address of the base address of the tcpip.sys module through physical memory analysis;
2) Add to the base address virtual address obtained in step 1) the offset between that base address and the data structure TcpEndpointPool under the current operating system, giving the virtual address of TcpEndpointPool;
3) Translate the virtual address obtained in step 2) into a physical address according to the address translation rules of the current operating system, and locate the first position this physical address points to in the memory image;
4) At the first position located in step 3), read the first 4 bytes as a virtual address and translate it into a physical address; locate the second position this physical address points to in the memory image; at offset 0x1c from this second position, read 4 bytes to obtain the virtual address of the first TcpEndpoint structure head in the doubly linked list TcpEndpointPool;
5) Process the singly linked list whose list head is the current TcpEndpoint structure head:
a) Convert the virtual address of the current TcpEndpoint structure head into a physical address, locate that physical address in the memory image, and read the first 4 bytes to obtain the virtual address of the first node of this singly linked list;
b) Check whether the virtual address of the current node of the singly linked list is 0; if so, processing of this singly linked list is finished; if not, go to step c);
c) Convert the virtual address of the current node into a physical address, locate it in the memory image, and read the first 0x180 bytes into a buffer;
d) Read the 4-byte value at offset 0x14 of the buffer and determine whether it is a pointer to an EPROCESS structure; if so, this structure is a TcpEndpoint structure, go to step f); otherwise this structure is a TCB structure, go to the next step;
e) Parse the TCB structure: using the characteristics of the EPROCESS structure of the current operating system, find the connection information of the process OwningProcess that created the network connection, then carry out the next step;
f) Read the 4 bytes at offset 0x0 of the buffer to obtain the virtual address of the next node of the current singly linked list, and go to step b);
6) According to the _LIST_ENTRY structure that stores the linkage between adjacent TcpEndpoint structure heads, add 0x30 to the address of the current structure head; if the virtual address of the next _LIST_ENTRY equals the virtual address of the first TcpEndpoint structure head, finish; otherwise subtract 0x30 from the virtual address of that next _LIST_ENTRY to obtain the virtual address of the structure head following the current TcpEndpoint structure head, and enter the next step;
7) According to the flag of the next structure head obtained in step 6), judge whether it is a TcpEndpoint structure head; if so, go to step 5); if not, go to step 6).
Figure 1 shows the internal organization of TcpEndpointPool: a circle represents a structure head, and the characters inside the circle represent the flag of that structure head; a rectangle represents a node of a singly linked list, and the characters inside the rectangle represent the structure type of that node. As an example of judging the node structures on a singly linked list: if the flag of a structure head is "TcpE", then the singly linked list led by that structure head consists of TcpEndPoint structures or TCB structures. The TcpEndPoint and TCB structures describe the network connections established by tcpip. This scheme therefore obtains the established network connection information by searching for TcpEndPoint and TCB structures.
Preferably, with reference to Figure 5, the physical memory analysis method of step 1) adopts the Windows physical memory analysis method based on the KPCR structure. This method was filed by the applicant on November 27, 2008 and is disclosed in the Chinese invention patent application No. 200810159260 published on April 22, 2009; with it, virtual-to-physical address conversion can be performed exactly, and system processes and system module information can be searched accurately.
Specifically, because multiple CPUs must be supported, the Windows kernel defines a set of data structures centred on the processor control region KPCR, so that each CPU has a corresponding KPCR structure used to hold global information related to thread switching; the position of KPCR in linear space generally does not change from one Windows version to another. The KPCR structure is as follows:
lkd> dt _KPCR
nt!_KPCR
   +0x000 NtTib            : _NT_TIB
   +0x01c SelfPcr          : Ptr32 _KPCR
   +0x020 Prcb             : Ptr32 _KPRCB
   +0x024 Irql             : UChar
   +0x028 IRR              : Uint4B
   +0x02c IrrActive        : Uint4B
   +0x030 IDR              : Uint4B
   +0x034 KdVersionBlock   : Ptr32 Void
   +0x038 IDT              : Ptr32 _KIDTENTRY
   +0x03c GDT              : Ptr32 _KGDTENTRY
   +0x040 TSS              : Ptr32 _KTSS
   +0x044 MajorVersion     : Uint2B
   +0x046 MinorVersion     : Uint2B
   +0x048 SetMember        : Uint4B
   +0x04c StallScaleFactor : Uint4B
   +0x050 DebugActive      : UChar
   +0x051 Number           : UChar
   +0x052 Spare0           : UChar
   +0x053 SecondLevelCacheAssociativity : UChar
   +0x054 VdmAlert         : Uint4B
   +0x058 KernelReserved   : [14] Uint4B
   +0x090 SecondLevelCacheSize : Uint4B
   +0x094 HalReserved      : [16] Uint4B
   +0x0d4 InterruptMode    : Uint4B
   +0x0d8 Spare1           : UChar
   +0x0dc KernelReserved2  : [17] Uint4B
   +0x120 PrcbData         : _KPRCB
From the KPCR structure it can be seen that offset 0x1c holds a pointer to the structure itself and offset 0x20 holds a pointer to the KPRCB; the difference between these two pointers is 0x120, and KPCR can be searched for using this feature. The analysis flow for obtaining the address of the kernel variable PsLoadedModuleList with the KPCR-based physical memory analysis method is shown in Figure 5:
The specific algorithm for obtaining the PsLoadedModuleList address is described below:
Step 1: search the memory image file for two adjacent values that are both greater than 0x80000000 and differ by 0x120; the address at which they are found, minus 0x1c, is the value of KPCR;
Step 2: find the content of the CR3 register:
In the _KPRCB structure, offset 0x1c is the ProcessorState member, a _KPROCESSOR_STATE structure. In _KPROCESSOR_STATE, offset 0x2cc is the SpecialRegisters member, and offset 0x08 within SpecialRegisters is the CR3 register. Analysis shows that this location always holds the page directory information of the System process; when physical address extension is disabled, what is held is exactly the base address of the System process page directory. In summary, the content pointed to by the physical address of KPCR plus 0x410 is the content of the CR3 register.
Step 3: perform address translation according to the content of the CR3 register:
Addresses stored in memory are generally virtual addresses, whereas address positions in physical memory are physical addresses, so computing the mapping from virtual (linear) addresses to physical addresses is the key to memory analysis.
Figures 6-10 show the common address translation modes of Intel processors. According to the Intel 64 and IA-32 Architectures Software Developer's Manual [3], the paging mode and page size are determined mainly by the PAE and PSE flags of the CR4 register and the PS flag of the page directory entry. Windows, however, does not follow these exactly in its implementation: for example, in PAE mode the content of the CR4 register is still 0, and under the same directory the size of the physical memory page pointed to directly or via a page table may differ. We found through study that the paging mode and page size can be determined by the following algorithm:
Step 3.1: find the physical address pointed to by the content of the CR3 register.
Step 3.2: examine the first byte at this address. If it is not 0x01, go to Step 3.3. If it is 0x01, PAE mode is in use and the 8 bytes starting at this address are page directory pointers. Select the page directory pointer according to bits 31-30 of the virtual address to be translated (translation then proceeds as in Fig. 5 or Fig. 6); for example, if the address to be translated is 0x8054c2b8, the third entry (8 bytes each) of the page directory pointer table is the pointer to the page directory, and the page directory base address is found from this pointer.
Determine the page directory entry corresponding to the virtual address to be translated from the page directory base address and bits 29-21 of the virtual address. For example, if the address to be translated is 0x8054c2b8, bits 29-21 are 000000010 (0x02), so the 8 bytes starting at page directory base address + 8*2 are the page directory entry sought.
Examine the high bit of the first byte of this page directory entry; if it is "1", translate the address as shown in Fig. 6.
Step 3.3: examine the most significant bit of the first byte at this address. If it is "1", the large-page mode is in use and address translation is performed as in Fig. 4; if it is "0", it points to a page table and address translation is performed as in Fig. 3.
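As an added example (not code from the patent), the following Python function carries out Step 3 over an in-memory copy of an image file: it applies the page's rule that a first byte of 0x01 at the address CR3 points to means PAE, then walks the page directory pointer table, page directory and page table with the bit ranges given above (31-30, 29-21, 20-12 under PAE; 31-22 and 21-12 otherwise), honouring the PS flag for 2 MB and 4 MB pages and the PSE-36 high address bits of a 4 MB entry. The sample page tables, the CR3 values 0x1000 and 0x3000 and the addresses 0x80812345 and 0x80a12345 are constructed for this example; 0x8054c2b8 is the worked value the page uses.

```python
import struct

PRESENT = 0x01          # P flag of every table entry
LARGE_PAGE = 0x80       # PS flag of a page directory entry

def _u32(image, pa): return struct.unpack_from("<I", image, pa)[0]
def _u64(image, pa): return struct.unpack_from("<Q", image, pa)[0]

def uses_pae(image, cr3):
    # The page's rule (Step 3.2): under PAE the first byte at the address CR3 points to is 0x01,
    # because a page directory pointer carries only its Present bit in the low byte.
    return image[cr3 & ~0x1f] == 0x01

def v2p(image, cr3, va):
    """Translate a 32-bit virtual address through the page tables held in the image.
    Returns the physical address, or None when some level is not present."""
    if uses_pae(image, cr3):
        pdpt = cr3 & ~0x1f                                              # 4 entries of 8 bytes
        pdpte = _u64(image, pdpt + 8 * ((va >> 30) & 0x3))              # VA bits 31-30
        if not pdpte & PRESENT:
            return None
        pd = pdpte & 0x000ffffffffff000
        pde = _u64(image, pd + 8 * ((va >> 21) & 0x1ff))                # VA bits 29-21
        if not pde & PRESENT:
            return None
        if pde & LARGE_PAGE:                                            # 2 MB page (Fig. 9)
            return (pde & 0x000fffffffe00000) | (va & 0x1fffff)
        pt = pde & 0x000ffffffffff000
        pte = _u64(image, pt + 8 * ((va >> 12) & 0x1ff))                # VA bits 20-12
        if not pte & PRESENT:
            return None
        return (pte & 0x000ffffffffff000) | (va & 0xfff)                # 4 KB page (Fig. 8)
    pd = cr3 & ~0xfff                                                   # 1024 entries of 4 bytes
    pde = _u32(image, pd + 4 * (va >> 22))                              # VA bits 31-22
    if not pde & PRESENT:
        return None
    if pde & LARGE_PAGE:                                                # 4 MB page (Fig. 7); PDE bits 20-13
        high = (pde >> 13) & 0xff                                       # hold PA bits 39-32 under PSE-36 (Fig. 10)
        return (high << 32) | (pde & 0xffc00000) | (va & 0x3fffff)
    pt = pde & 0xfffff000
    pte = _u32(image, pt + 4 * ((va >> 12) & 0x3ff))                    # VA bits 21-12
    if not pte & PRESENT:
        return None
    return (pte & 0xfffff000) | (va & 0xfff)                            # 4 KB page (Fig. 6)

def build_sample_image():
    """Constructed page tables: a non-PAE set rooted at CR3 = 0x1000 and a PAE set rooted at CR3 = 0x3000."""
    img = bytearray(0x8000)
    def put(fmt, pa, value): struct.pack_into(fmt, img, pa, value)
    # non-PAE: PDE 0x201 -> page table at 0x2000; PDE 0x202 = 4 MB page at physical 0x00800000
    put("<I", 0x1000 + 4 * 0x201, 0x2000 | 0x03)
    put("<I", 0x1000 + 4 * 0x202, 0x00800000 | 0x83)
    put("<I", 0x2000 + 4 * 0x14c, 0x00154000 | 0x03)     # PTE for 0x8054c2b8 -> 0x001542b8
    # PAE: PDPTE[0] and PDPTE[2] present (so the first byte at CR3 is 0x01); PDPTE[2] -> directory at 0x4000
    put("<Q", 0x3000, 0x6000 | 0x01)
    put("<Q", 0x3000 + 8 * 2, 0x4000 | 0x01)
    put("<Q", 0x4000 + 8 * 0x02, 0x5000 | 0x03)          # PDE index 0x02, as worked on the page
    put("<Q", 0x4000 + 8 * 0x05, 0x00a00000 | 0x83)      # PDE index 0x05 = 2 MB page at 0x00a00000
    put("<Q", 0x5000 + 8 * 0x14c, 0x00154000 | 0x03)     # PTE for 0x8054c2b8 -> 0x001542b8
    return img

if __name__ == "__main__":
    img = build_sample_image()
    for cr3 in (0x1000, 0x3000):
        for va in (0x8054c2b8, 0x80812345, 0x80a12345, 0x00001000):
            print(f"cr3={cr3:#x} va={va:#010x} -> {v2p(img, cr3, va)}")
```

Against a real image the `image` argument would be the whole file read into memory (or an mmap of it) and `cr3` the value recovered in Step 2; the masks on the PAE entries keep physical address bits above 32, which a 4 GB-plus capture needs.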
Step 4: determine the system version:
Offset 0x34 in the KPCR structure is the KdVersionBlock member, a pointer to a _DBGKD_GET_VERSION64 structure; the structure of KdVersionBlock is as follows:
lkd> dt _DBGKD_GET_VERSION64
nt!_DBGKD_GET_VERSION64
   +0x000 MajorVersion     : Uint2B
   +0x002 MinorVersion     : Uint2B
   +0x004 ProtocolVersion  : Uint2B
   +0x006 Flags            : Uint2B
   +0x008 MachineType      : Uint2B
   +0x00a MaxPacketType    : UChar
   +0x00b MaxStateChange   : UChar
   +0x00c MaxManipulate    : UChar
   +0x00d Simulation       : UChar
   +0x00e Unused           : [1] Uint2B
   +0x010 KernBase         : Uint8B
   +0x018 PsLoadedModuleList : Uint8B
   +0x020 DebuggerDataList : Uint8B
The pointer address of KdVersionBlock is converted into a physical address by the method described above, and locating that address in the image yields the system version information.
In summary, the minor version number of the released Windows Vista is 6000 or 6001, that of Windows XP is 2600, that of Windows 2003 is 3790, and that of Windows 2000 is 2195. If the minor version number obtained by the above method is one of these, the KPCR and CR3 found are correct; otherwise, move the file pointer forward by 0x100 and continue searching according to the KPCR structural features.
Step 5: find the physical address of the kernel variable PsLoadedModuleList
From the structure of KdVersionBlock, the pointer address of KdVersionBlock plus 0x18 gives the virtual address of the kernel variable PsLoadedModuleList. Convert it into a physical address by the method described above, locate that address in the image to obtain the virtual address of PsLoadedModuleList, and perform the address conversion once more to obtain the physical address of PsLoadedModuleList.
The structure pointed to by PsLoadedModuleList is _MODULE_ENTRY, defined as follows:
typedef struct _MODULE_ENTRY {
    LIST_ENTRY     le_mod;
    DWORD          unknown[4];
    DWORD          base;
    DWORD          driver_start;
    DWORD          Size;
    UNICODE_STRING driver_Path;
    UNICODE_STRING driver_Name;
} MODULE_ENTRY, *PMODULE_ENTRY;
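The following Python function is an added example, not the patent's own code, that carries out Steps 1, 2, 4 and 5 above over a byte array holding a memory image: it scans for the SelfPcr/Prcb pointer pair 0x120 apart, takes KPCR = address - 0x1c, reads CR3 at KPCR + 0x410, follows KdVersionBlock (KPCR + 0x34) to check the MinorVersion field against 6000/6001/2600/3790/2195, skips forward 0x100 on a false candidate, and returns the PsLoadedModuleList virtual address from offset 0x18 of the version block. Translating the KdVersionBlock pointer needs Step 3; here a constructed `sample_v2p` that subtracts 0x80000000 stands in for the real page walk, and the constructed image holds one decoy pointer pair with an unknown build and one genuine KPCR.

```python
import struct

# Offsets from the _KPCR and _DBGKD_GET_VERSION64 listings above
KPCR_SELFPCR_OFF = 0x1c
KPCR_PRCB_OFF = 0x20
KPCR_KDVERSIONBLOCK_OFF = 0x34
PRCB_MINUS_SELFPCR = 0x120          # Prcb points at PrcbData (+0x120) of the same KPCR
KPCR_CR3_OFF = 0x410                # 0x120 + 0x1c (ProcessorState) + 0x2cc (SpecialRegisters) + 0x08 (CR3)
KDVB_MINORVERSION_OFF = 0x02        # build number
KDVB_PSLOADEDMODULELIST_OFF = 0x18
KNOWN_BUILDS = {6000, 6001, 2600, 3790, 2195}   # Vista, XP, Server 2003, 2000
RESCAN_STEP = 0x100

def u32(image, pa): return struct.unpack_from("<I", image, pa)[0]

def find_kpcr(image, v2p):
    """Steps 1, 2, 4 and 5: (kpcr_pa, cr3, build, psloadedmodulelist_va), or None if nothing validates."""
    off = 0
    while off + 8 <= len(image):
        self_pcr, prcb = u32(image, off), u32(image, off + 4)
        if self_pcr > 0x80000000 and prcb > 0x80000000 and prcb - self_pcr == PRCB_MINUS_SELFPCR:
            kpcr_pa = off - KPCR_SELFPCR_OFF                                    # Step 1
            if kpcr_pa >= 0 and kpcr_pa + KPCR_CR3_OFF + 4 <= len(image):
                cr3 = u32(image, kpcr_pa + KPCR_CR3_OFF)                        # Step 2
                kdvb_pa = v2p(u32(image, kpcr_pa + KPCR_KDVERSIONBLOCK_OFF))     # Step 4
                if kdvb_pa is not None and kdvb_pa + 0x28 <= len(image):
                    build = struct.unpack_from("<H", image, kdvb_pa + KDVB_MINORVERSION_OFF)[0]
                    if build in KNOWN_BUILDS:
                        psl = struct.unpack_from("<Q", image, kdvb_pa + KDVB_PSLOADEDMODULELIST_OFF)[0]
                        return kpcr_pa, cr3, build, psl & 0xffffffff             # Step 5: 32-bit VA
            off += RESCAN_STEP          # false candidate: move the file pointer 0x100 and keep searching
        else:
            off += 4
    return None

def sample_v2p(va):
    """Stand-in for the Step 3 page walk, valid only for the constructed image: PA = VA - 0x80000000."""
    return va - 0x80000000 if va >= 0x80000000 else None

def build_sample_image():
    """Constructed image: a decoy pointer pair at 0x1000 (unknown build 1234) and a real KPCR at 0x3000."""
    img = bytearray(0x6000)
    def put(fmt, pa, value): struct.pack_into(fmt, img, pa, value)
    put("<I", 0x1000 + KPCR_SELFPCR_OFF, 0x80001000)
    put("<I", 0x1000 + KPCR_PRCB_OFF, 0x80001120)
    put("<I", 0x1000 + KPCR_KDVERSIONBLOCK_OFF, 0x80002000)
    put("<H", 0x2000 + KDVB_MINORVERSION_OFF, 1234)
    put("<I", 0x3000 + KPCR_SELFPCR_OFF, 0x80003000)
    put("<I", 0x3000 + KPCR_PRCB_OFF, 0x80003120)
    put("<I", 0x3000 + KPCR_CR3_OFF, 0x00318000)                         # constructed CR3 value
    put("<I", 0x3000 + KPCR_KDVERSIONBLOCK_OFF, 0x80004000)
    put("<H", 0x4000 + KDVB_MINORVERSION_OFF, 6001)                      # Vista SP1 build
    put("<Q", 0x4000 + KDVB_PSLOADEDMODULELIST_OFF, 0xffffffff80550000)  # sign-extended 32-bit pointer
    return img

if __name__ == "__main__":
    print(find_kpcr(build_sample_image(), sample_v2p))
```

The build-number check is what turns a pattern hit into evidence: on a real image the pointer pair 0x120 apart can occur by chance, and the 0x100 skip plus the version block test is the page's way of rejecting such hits before trusting the CR3 read from the candidate.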
In this scheme, all physical address and virtual address conversions, and the determination of the Vista version involved, can adopt the above scheme. At present, those skilled in the art may also adopt other memory analysis methods, such as the physical memory image analysis methods commonly used today.
With reference to Figure 11, step 1) comprises: first obtaining the kernel variable PsLoadedModuleList through physical memory analysis and reading the virtual address of the first module in that kernel variable; judging whether the name of this module is tcpip.sys and, if so, taking the base address of the driver module tcpip.sys; if not, judging the next module, and repeating the name check and subsequent steps until the driver module tcpip.sys is found and its base address is taken. The driver module tcpip.sys can thus be found easily by name matching, and once the PsLoadedModuleList address has been obtained according to this scheme, the base address of tcpip.sys is obtained easily by the procedure shown in Figure 11.
The method of obtaining the tcpip.sys base address is described more specifically as follows:
Step 1': locate the position in the memory image pointed to by the physical address of PsLoadedModuleList and read 4 bytes there; they are the starting virtual address of the _MODULE_ENTRY structure of the first driver module. Translate it into a physical address and carry out the next step;
Step 2': locate the position in the memory image pointed to by this physical address, read the 52 bytes starting at that position into a buffer, and carry out the next step;
Step 3': begin parsing the structure: locate buffer offset 0x2c, read the name of the driver module, and judge whether it is tcpip.sys. If so, carry out the next step; otherwise go to Step 5';
Step 4': locate buffer offset 0x18 and read 4 bytes; this value is the virtual address of the base address of the driver module tcpip.sys. Exit.
Step 5': a LIST_ENTRY structure is stored at offset 0x0 of the buffer; with it the virtual addresses of the next driver module and the previous driver module can be obtained. Locate buffer offset 0x00 and read 4 bytes; stored here is the starting virtual address of the _MODULE_ENTRY structure of the next driver module. Judge whether this address equals the starting virtual address of the _MODULE_ENTRY structure of the first module obtained in Step 1'; if so, the whole doubly linked list has been traversed without finding the driver module tcpip.sys, so exit; otherwise convert it into a physical address and go to Step 2'.
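An added Python example (not the patent's or Volatility's code) of Steps 1'-5': it walks the _MODULE_ENTRY list from the physical address of PsLoadedModuleList, reading each 52-byte entry, decoding the driver_Name UNICODE_STRING at offset 0x2c (Length, MaximumLength, Buffer; the Buffer pointer is translated and the UTF-16 name read, which is how this example interprets "read the name at offset 0x2c"), and returning the base at offset 0x18 when the name is tcpip.sys, or None once the Flink returns to the first entry. The two-entry module list and the `sample_v2p` stand-in for the page walk are constructed for the example.

```python
import struct

MOD_FLINK_OFF = 0x00        # le_mod.Flink: next _MODULE_ENTRY
MOD_BASE_OFF = 0x18         # base
MOD_NAME_OFF = 0x2c         # driver_Name
MOD_ENTRY_BYTES = 52        # Step 2' reads 52 bytes per entry

def u32(buf, off): return struct.unpack_from("<I", buf, off)[0]

def read_unicode_string(image, v2p, pa):
    """Decode a 32-bit UNICODE_STRING (USHORT Length, USHORT MaximumLength, PWSTR Buffer) at physical pa.
    Assumed layout: the page only says the name is read at offset 0x2c."""
    length, _maximum, buffer_va = struct.unpack_from("<HHI", image, pa)
    buffer_pa = v2p(buffer_va)
    return bytes(image[buffer_pa:buffer_pa + length]).decode("utf-16-le")

def find_module_base(image, v2p, psloadedmodulelist_pa, wanted="tcpip.sys"):
    """Steps 1'-5': base virtual address of the named driver, or None after a full lap of the list."""
    first_va = u32(image, psloadedmodulelist_pa)                      # Step 1'
    current_va = first_va
    while True:
        pa = v2p(current_va)                                           # Step 2'
        entry = bytes(image[pa:pa + MOD_ENTRY_BYTES])
        name = read_unicode_string(image, v2p, pa + MOD_NAME_OFF)      # Step 3'
        if name.lower() == wanted.lower():
            return u32(entry, MOD_BASE_OFF)                            # Step 4'
        current_va = u32(entry, MOD_FLINK_OFF)                         # Step 5'
        if current_va == first_va:
            return None                                                # whole list traversed

def sample_v2p(va):
    """Stand-in for the real page walk, valid only for the constructed image: PA = VA - 0x80000000."""
    return va - 0x80000000

def build_sample_image():
    """Constructed image with PsLoadedModuleList at physical 0x100 and a two-entry module list."""
    img = bytearray(0x4000)
    def put(fmt, pa, *values): struct.pack_into(fmt, img, pa, *values)
    def put_name(entry_pa, buffer_va, text):
        encoded = text.encode("utf-16-le")
        put("<HHI", entry_pa + MOD_NAME_OFF, len(encoded), len(encoded) + 2, buffer_va)
        img[sample_v2p(buffer_va):sample_v2p(buffer_va) + len(encoded)] = encoded
    put("<I", 0x100, 0x80001000)                          # PsLoadedModuleList -> first entry
    put("<I", 0x1000 + MOD_FLINK_OFF, 0x80002000)         # entry 1: ntoskrnl.exe
    put("<I", 0x1000 + MOD_BASE_OFF, 0x80400000)
    put_name(0x1000, 0x80003000, "ntoskrnl.exe")
    put("<I", 0x2000 + MOD_FLINK_OFF, 0x80001000)         # entry 2: tcpip.sys, Flink back to entry 1
    put("<I", 0x2000 + MOD_BASE_OFF, 0x80600000)
    put_name(0x2000, 0x80003100, "tcpip.sys")
    return img

if __name__ == "__main__":
    img = build_sample_image()
    print(hex(find_module_base(img, sample_v2p, 0x100) or 0))
```

The case-insensitive comparison matters on real images, where the module name may appear as tcpip.sys or TCPIP.SYS; the lap detection against the first entry is what keeps the walk finite when the wanted driver is absent.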
The above can also be seen from the general structure of a structure head shown in Figure 2 and the connection relationship between structure heads shown in Figure 3, where offset 0x30 of the structure head is the LIST_ENTRY structure, and the structure of _LIST_ENTRY is:
   +0x000 Flink            : Ptr32 _LIST_ENTRY
   +0x004 Blink            : Ptr32 _LIST_ENTRY
In order to perform address translation efficiently, in step 2), if the current operating system is Windows Vista SP1, the virtual address of TcpEndpointPool is the base address virtual address obtained in step 1) + 0xd0d5c; if the current operating system is Windows Vista SP2, it is the base address virtual address obtained in step 1) + 0xd3e9c. The basis of this method is analysis with Windbg: in Windows Vista SP1, the offset of the address of TcpEndpointPool relative to the base address of tcpip.sys is 0xd0d5c, i.e. virtual address of TcpEndpointPool = virtual address of the tcpip.sys base address + 0xd0d5c. In Windows Vista SP2, virtual address of TcpEndpointPool = virtual address of the tcpip.sys base address + 0xd3e9c. Windbg is short for Debugging Tools for Windows, a free debugging tool developed by Microsoft, which can be obtained from the following address: http://www.microsoft.com/whdc/devtools/debugging/installx86.mspx
This debugging tool is mainly used to debug drivers, applications, services and the Windows operating system itself.
Through analysis, the definitions of the fields in the TcpEndPoint and TCB structures that are useful for resolving network connection information are obtained as follows:
The fields related to a network connection in the TcpEndPoint structure, and their offsets within the structure, are defined as follows:
typedef struct _TCP_ENDPOINT {
    PEPROCESS               OwningProcess;   /* +0x14 */
    PETHREAD                OwningThread;    /* +0x18 */
    LARGE_INTEGER           CreationTime;    /* +0x20 */
    CONST NL_LOCAL_ADDRESS *LocalAddress;    /* +0x34 */
    USHORT                  LocalPort;       /* +0x3e */
} TCP_ENDPOINT, *PTCP_ENDPOINT;
As can be seen from the structure above, offset 0x14 is a pointer to the process OwningProcess that created the network connection; offset 0x18 is a pointer to the thread OwningThread that created the connection; offset 0x20 is the creation time CreationTime; offset 0x34 is the NL_LOCAL_ADDRESS structure containing the local address LocalAddress; and offset 0x3e holds network connection information such as the local port LocalPort.
The fields related to a network connection in the Tcb structure, and their offsets within the structure, are defined as follows:
typedef struct _TCB {
    CONST NL_PATH *Path;            /* +0x10  */
    USHORT         LocalPort;       /* +0x2c  */
    USHORT         RemotePort;      /* +0x2e  */
    PEPROCESS      OwningProcess;   /* +0x164 */
    LARGE_INTEGER  CreationTime;    /* +0x16c */
} TCB, *PTCB;   /* closing line added; the page's listing ends after CreationTime and the typedef names are assumed */
As the structure shows, offset 0x10 holds the pointer to the NL_PATH structure that contains the local and remote addresses; offset 0x2c the local port (LocalPort); offset 0x2e the remote port (RemotePort), the structure also holding other information; offset 0x164 the pointer to the EPROCESS structure of the process (OwningProcess) that created the connection; and offset 0x16c the creation time (CreationTime).
Therefore sub-step e) of step 5) more specifically comprises: read the 4 bytes at offset 0x164 of the buffer to obtain the virtual address of the EPROCESS structure; convert it into a physical address; go to that EPROCESS physical address + 0x9c in the memory image file and read 4 bytes, which gives the pid of the process owning the connection of the current node; then read the 8 bytes at offset 0x16c of the buffer to obtain the creation time of the connection; read the 2 bytes at offset 0x2c of the buffer and convert them to a decimal number to obtain the local port of the connection; read the 2 bytes at offset 0x2e of the buffer and convert them to a decimal number to obtain the remote port. In this way the network connection information is obtained accurately and efficiently.
Sub-step e) of step 5) further comprises: I) read the 4 bytes at offset 0x10 of the buffer, convert them into a physical address, denoted nlPathPA; go to physical address nlPathPA + 0x08 in the memory image file and read 4 bytes to obtain the remote address; II) read the 4 bytes at offset 0x34 of the buffer, convert them into a physical address, denoted nlLocalPA; go to physical address nlLocalPA + 0x0c in the memory image file, read 4 bytes and convert them into a physical address, denoted nlIdentifierPA; go to physical address nlIdentifierPA in the memory image file, read 4 bytes and convert them into a physical address; go to that address in the memory image file and read 4 bytes to obtain the local address.
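The following is an added example, not part of the patent or of any implementation by its authors, that carries out sub-step e) together with sub-steps I) and II) on a constructed memory image. Three things in it are the editor's assumptions rather than statements of the text: a flat virtual-to-physical mapping stands in for the Vista page-table walk of step 3); the two port fields are read in network byte order (the text says only "convert to a decimal number"); and, following the NL_PATH definition given later in the text where DestinationAddress is a CONST UCHAR *, the value at nlPathPA + 0x08 is treated as a pointer and dereferenced before the 4 address bytes are read. The image contents, the process id 1234, the addresses and the creation time are all constructed.

```python
"""Parse one TCB node (step 5 e with sub-steps I and II) from a Vista x86 memory image."""
import struct
from datetime import datetime, timedelta, timezone
from ipaddress import IPv4Address

# Offsets quoted in the patent text (Vista x86 tcpip.sys TCB, NL_* structures, EPROCESS).
TCB_PATH, TCB_LOCAL_PORT, TCB_REMOTE_PORT = 0x10, 0x2c, 0x2e
TCB_LOCAL_ADDR, TCB_OWNER, TCB_CREATE_TIME = 0x34, 0x164, 0x16c
TCB_BUFFER_LEN = 0x180      # bytes copied per node in step 5 c
EPROCESS_PID = 0x9c         # UniqueProcessId
NL_PATH_DEST = 0x08         # NL_PATH.DestinationAddress (CONST UCHAR *)
NL_LOCAL_IDENT = 0x0c       # NL_LOCAL_ADDRESS.Identifier
NL_IDENT_ADDR = 0x00        # NL_ADDRESS_IDENTIFIER.Address
# ASSUMPTION (not from the patent): a flat mapping stands in for the Vista
# page-table walk of step 3, so virtual -> physical is one subtraction.
KERNEL_VA_BASE, IMAGE_PHYS_BASE = 0x82000000, 0x1000
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def v2p(va):
    return va - KERNEL_VA_BASE + IMAGE_PHYS_BASE


def rd32(image, pa):
    return struct.unpack_from("<I", image, pa)[0]


def filetime_to_datetime(ft):
    # LARGE_INTEGER CreationTime is a FILETIME: 100 ns ticks since 1601-01-01 UTC.
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def parse_tcb(image, buf):
    """buf is the 0x180-byte copy of a TCB node (step 5 c); image is the raw dump."""
    eproc_va = struct.unpack_from("<I", buf, TCB_OWNER)[0]
    pid = rd32(image, v2p(eproc_va) + EPROCESS_PID)
    created = filetime_to_datetime(struct.unpack_from("<Q", buf, TCB_CREATE_TIME)[0])
    # ASSUMPTION: tcpip.sys stores ports in network byte order; the text only says
    # "convert to decimal", so the big-endian (">") unpack is the editor's reading.
    local_port = struct.unpack_from(">H", buf, TCB_LOCAL_PORT)[0]
    remote_port = struct.unpack_from(">H", buf, TCB_REMOTE_PORT)[0]
    # Sub-step I, following the NL_PATH typedef: DestinationAddress is a pointer,
    # so it is dereferenced once more than the prose step reads it.
    path_pa = v2p(struct.unpack_from("<I", buf, TCB_PATH)[0])
    dest_pa = v2p(rd32(image, path_pa + NL_PATH_DEST))
    remote_addr = IPv4Address(bytes(image[dest_pa:dest_pa + 4]))
    # Sub-step II: +0x34 -> NL_LOCAL_ADDRESS -> +0x0c Identifier -> +0x00 Address -> 4 bytes.
    local_pa = v2p(struct.unpack_from("<I", buf, TCB_LOCAL_ADDR)[0])
    ident_pa = v2p(rd32(image, local_pa + NL_LOCAL_IDENT))
    addr_pa = v2p(rd32(image, ident_pa + NL_IDENT_ADDR))
    local_addr = IPv4Address(bytes(image[addr_pa:addr_pa + 4]))
    return {"pid": pid, "created": created,
            "local": f"{local_addr}:{local_port}", "remote": f"{remote_addr}:{remote_port}"}


def build_sample_image():
    """Constructed 16 KiB image holding one TCB and every object it points at."""
    def va(pa):
        return pa - IMAGE_PHYS_BASE + KERNEL_VA_BASE
    tcb_pa, eproc_pa, path_pa = 0x1000, 0x1800, 0x2000
    dest_pa, local_pa, ident_pa, laddr_pa = 0x2100, 0x2200, 0x2300, 0x2400
    image = bytearray(0x4000)
    struct.pack_into("<I", image, tcb_pa + TCB_PATH, va(path_pa))
    struct.pack_into(">HH", image, tcb_pa + TCB_LOCAL_PORT, 49152, 443)
    struct.pack_into("<I", image, tcb_pa + TCB_LOCAL_ADDR, va(local_pa))
    struct.pack_into("<I", image, tcb_pa + TCB_OWNER, va(eproc_pa))
    when = datetime(2009, 12, 4, tzinfo=timezone.utc)          # constructed creation time
    ticks = int((when - FILETIME_EPOCH).total_seconds()) * 10_000_000
    struct.pack_into("<Q", image, tcb_pa + TCB_CREATE_TIME, ticks)
    image[eproc_pa:eproc_pa + 4] = b"\x03\x00\x20\x00"         # Vista EPROCESS header bytes
    struct.pack_into("<I", image, eproc_pa + EPROCESS_PID, 1234)
    struct.pack_into("<I", image, path_pa + NL_PATH_DEST, va(dest_pa))
    image[dest_pa:dest_pa + 4] = IPv4Address("93.184.216.34").packed
    struct.pack_into("<I", image, local_pa + NL_LOCAL_IDENT, va(ident_pa))
    struct.pack_into("<I", image, ident_pa + NL_IDENT_ADDR, va(laddr_pa))
    image[laddr_pa:laddr_pa + 4] = IPv4Address("192.168.1.10").packed
    return bytes(image), va(tcb_pa)


def extract_sample():
    image, tcb_va = build_sample_image()
    pa = v2p(tcb_va)
    return parse_tcb(image, image[pa:pa + TCB_BUFFER_LEN])     # step 5 c, then 5 e


if __name__ == "__main__":
    print(extract_sample())
```

On a real image v2p must be replaced by the PAE or non-PAE page-table walk for the kernel address space, and every pointer read from the node should be range-checked against the image before it is followed, since a stale or deliberately corrupted TCB will otherwise send the parser outside the dump.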
In addition, the NL_PATH structure pointer referred to above is relevant to distinguishing the TcpEndpoint structure from the TCB structure; the structures it leads to are defined as follows:
typedef struct _NL_PATH {
    CONST NL_LOCAL_ADDRESS *SourceAddress;        /* +0x00 */
    CONST UCHAR *DestinationAddress;              /* +0x08 */
} NL_PATH, *PNL_PATH;

typedef struct _NL_LOCAL_ADDRESS {
    /* fields before +0x0c are not listed in the source */
    CONST NL_ADDRESS_IDENTIFIER *Identifier;      /* +0x0c */
} NL_LOCAL_ADDRESS, *PNL_LOCAL_ADDRESS;

typedef struct _NL_ADDRESS_IDENTIFIER {
    CONST UCHAR *Address;                         /* +0x00 */
} NL_ADDRESS_IDENTIFIER, *PNL_ADDRESS_IDENTIFIER;
Comparing the TCP_ENDPOINT and TCB structures shows that offset 0x14 of the TCP_ENDPOINT structure is a pointer to an EPROCESS structure and offset 0x18 a pointer to an ETHREAD structure, whereas in the TCB structure offset 0x14 is not a pointer to an EPROCESS structure. A structure carrying the TcpE tag can therefore be identified as a TCP_ENDPOINT or a TCB by checking whether the value at offset 0x14 points to an EPROCESS structure (under the Vista operating system the first 4 bytes of an EPROCESS structure are the byte sequence 03 00 20 00, written 0x03002000 in the source). This check is what sub-step d) of step 5) relies on.

Claims (6)

1. A method for obtaining network information under the Vista operating system, comprising the following steps:
1) obtaining the virtual address of the base address of the tcpip.sys module by physical memory analysis;
2) adding to the base-address virtual address obtained in step 1) the address difference, under the current operating system, between that base address and the data structure TcpEndpointPool, to obtain the virtual address of TcpEndpointPool;
3) translating the virtual address obtained in step 2) into a physical address according to the address translation rules of the current operating system, and locating the first position that this physical address points to in the memory image;
4) reading the first 4 bytes at the first position obtained in step 3) as a virtual address, translating it into a physical address, locating the second position that this physical address points to in the memory image, and reading the 4 bytes at offset 0x1c of the second position to obtain the virtual address of the head of the first TcpEndpoint structure in the TcpEndpointPool doubly linked list;
5) processing the singly linked list whose head is the current TcpEndpoint structure head:
a) converting the virtual address of the current TcpEndpoint structure head into a physical address, locating that physical address in the memory image, and reading the first 4 bytes to obtain the virtual address of the first node of this singly linked list;
b) judging whether the virtual address of the current node of the singly linked list is 0; if so, processing of this singly linked list is finished; if not, going to step c);
c) converting the virtual address of the current node into a physical address, locating that physical address in the memory image, and reading the first 0x180 bytes into a buffer;
d) reading the 4 bytes at offset 0x14 of the buffer and judging whether the value is a pointer to an EPROCESS structure; if so, the structure is a TcpEndpoint structure, go to step f); otherwise the structure is a TCB structure, go to the next step;
e) parsing the TCB structure: according to the characteristics of the EPROCESS structure of the current operating system, finding the connection information of the process OwningProcess that created the network connection, then performing the next step;
f) reading the 4 bytes at offset 0x0 of the buffer to obtain the virtual address of the next node of the current singly linked list, and going to step b);
6) locating, by adding 0x30 to the head, the _LIST_ENTRY structure through which adjacent TcpEndpoint structures are linked; if the virtual address of the next _LIST_ENTRY equals the virtual address of the first TcpEndpoint structure head, finishing; otherwise subtracting 0x30 from the virtual address of that next _LIST_ENTRY to obtain the virtual address of the structure head that follows the current TcpEndpoint structure head, and entering the next step;
7) judging, from the flag bit of the structure head obtained in step 6), whether this structure head is a TcpEndpoint structure head; if so, going to step 5); if not, going to step 6).
2. The method according to claim 1, wherein the physical memory analysis of step 1) uses the method of analysing Windows physical memory based on the KPCR structure.
3. The method according to claim 2, wherein step 1) comprises: first obtaining the kernel variable PsLoadedModuleList by physical memory analysis, reading the virtual address of the first module in that list, and judging whether the name of the module is tcpip.sys; if so, taking the base address of the driver module tcpip.sys; if not, judging the next module, repeating the module-name check and the subsequent steps until the driver module tcpip.sys is found and its base address is taken.
4. The method according to claim 1, wherein in step 2), if the current operating system is Windows Vista SP1, the virtual address of TcpEndpointPool is the base-address virtual address obtained in step 1) + 0xd0d5c; if the current operating system is Windows Vista SP2, the virtual address of TcpEndpointPool is the base-address virtual address obtained in step 1) + 0xd3e9c.
5. The method according to claim 1, wherein sub-step e) of step 5) comprises: reading the 4 bytes at offset 0x164 of the buffer to obtain the virtual address of the EPROCESS structure, converting it into a physical address, going to that EPROCESS physical address + 0x9c in the memory image file and reading 4 bytes to obtain the pid of the network connection of the current node; then reading the 8 bytes at offset 0x16c of the buffer to obtain the creation time of the network connection; reading the 2 bytes at offset 0x2c of the buffer and converting them to a decimal number to obtain the local port of the network connection; and reading the 2 bytes at offset 0x2e of the buffer and converting them to a decimal number to obtain the remote port.
6. The method according to claim 5, wherein sub-step e) of step 5) further comprises: I) reading the 4 bytes at offset 0x10 of the buffer, converting them into a physical address, denoted nlPathPA, going to physical address nlPathPA + 0x08 in the memory image file and reading 4 bytes to obtain the remote address; II) reading the 4 bytes at offset 0x34 of the buffer, converting them into a physical address, denoted nlLocalPA, going to physical address nlLocalPA + 0x0c in the memory image file, reading 4 bytes, denoted nlIdentifierPA, going to physical address nlIdentifierPA in the memory image file, reading 4 bytes and converting them into a physical address, going to that address in the memory image file and reading 4 bytes to obtain the local address.
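As an added example that is not the patent's own code, the traversal of steps 2) to 7) of claim 1, with the EPROCESS header check of step 5 d), run over a constructed image that contains three structure heads and three nodes. Two things are the editor's assumptions and not statements of the text: a flat virtual-to-physical mapping stands in for the page-table walk of step 3), and the position of the "flag bit" that step 7) inspects, which the text does not specify, is a hypothetical byte at +0x04 of each head. The loop counters are bounded so that a corrupted or deliberately circular list cannot spin the parser forever.

```python
"""Walk TcpEndpointPool (claim 1, steps 2-7) and classify each node (step 5 d)."""
import struct

TCPENDPOINTPOOL_OFFSET = {"Vista SP1": 0xd0d5c, "Vista SP2": 0xd3e9c}  # claim 4
EPROCESS_HEADER = b"\x03\x00\x20\x00"   # first 4 bytes of a Vista EPROCESS (from the text)
NODE_LEN = 0x180                        # bytes copied per node (step 5 c)
NODE_NEXT, NODE_OWNER = 0x00, 0x14      # next pointer (5 f) and the EPROCESS pointer test (5 d)
HEAD_LIST_ENTRY = 0x30                  # _LIST_ENTRY linking structure heads (step 6)
SECOND_POS_FIRST_HEAD = 0x1c            # step 4
# ASSUMPTION: the patent does not say which "flag bit" step 7 inspects; the sample
# image uses a hypothetical byte at +0x04 of each head (1 = TcpEndpoint head).
HEAD_FLAG = 0x04
# ASSUMPTION: flat mapping standing in for the page-table walk of step 3.
KERNEL_VA_BASE, IMAGE_PHYS_BASE = 0x82000000, 0x1000


def v2p(va):
    return va - KERNEL_VA_BASE + IMAGE_PHYS_BASE


def rd32(image, pa):
    return struct.unpack_from("<I", image, pa)[0]


def points_to_eprocess(image, va):
    """Step 5 d: True if va points at memory that starts with the EPROCESS header."""
    if va == 0:
        return False
    pa = v2p(va)
    if pa < 0 or pa + 4 > len(image):      # pointer leaves the image: not an EPROCESS
        return False
    return image[pa:pa + 4] == EPROCESS_HEADER


def walk_pool(image, tcpip_base_va, version, max_heads=256, max_nodes=65536):
    """Return [(head_va, node_va, kind)] for every node reachable from TcpEndpointPool."""
    pool_va = tcpip_base_va + TCPENDPOINTPOOL_OFFSET[version]      # step 2
    first_pos = v2p(pool_va)                                        # step 3
    second_pos = v2p(rd32(image, first_pos))                        # step 4
    first_head = rd32(image, second_pos + SECOND_POS_FIRST_HEAD)
    nodes, head = [], first_head
    for _ in range(max_heads):            # bounded: a corrupted list must not spin forever
        if head == first_head or image[v2p(head) + HEAD_FLAG] == 1:   # step 7
            node = rd32(image, v2p(head))                            # step 5 a
            while node != 0 and len(nodes) < max_nodes:              # step 5 b
                pa = v2p(node)
                buf = image[pa:pa + NODE_LEN]                        # step 5 c
                owner = struct.unpack_from("<I", buf, NODE_OWNER)[0]
                kind = "TCP_ENDPOINT" if points_to_eprocess(image, owner) else "TCB"  # 5 d
                nodes.append((head, node, kind))
                node = struct.unpack_from("<I", buf, NODE_NEXT)[0]   # step 5 f
        flink = rd32(image, v2p(head + HEAD_LIST_ENTRY))             # step 6
        nxt = flink - HEAD_LIST_ENTRY
        if nxt == first_head:
            break
        head = nxt
    return nodes


def build_sample_image(version="Vista SP2"):
    """Constructed image: heads A and C hold nodes, head B is not a TcpEndpoint head."""
    def va(pa):
        return pa - IMAGE_PHYS_BASE + KERNEL_VA_BASE
    image = bytearray(0x5000)
    pool_pa, second_pa = 0x1000, 0x1100
    head_a, head_b, head_c = 0x2000, 0x2100, 0x2200
    n1, n2, n3, eproc = 0x3000, 0x3200, 0x3400, 0x4000
    tcpip_base_va = va(pool_pa) - TCPENDPOINTPOOL_OFFSET[version]  # so base + offset hits the pool
    struct.pack_into("<I", image, pool_pa, va(second_pa))
    struct.pack_into("<I", image, second_pa + SECOND_POS_FIRST_HEAD, va(head_a))
    for head, first_node, flag, nxt in ((head_a, n1, 1, head_b),
                                        (head_b, 0, 0, head_c),
                                        (head_c, n3, 1, head_a)):
        struct.pack_into("<I", image, head, va(first_node) if first_node else 0)
        image[head + HEAD_FLAG] = flag
        struct.pack_into("<I", image, head + HEAD_LIST_ENTRY, va(nxt) + HEAD_LIST_ENTRY)
    struct.pack_into("<I", image, n1 + NODE_NEXT, va(n2))
    struct.pack_into("<I", image, n1 + NODE_OWNER, va(eproc))   # real EPROCESS -> TCP_ENDPOINT
    struct.pack_into("<I", image, n2 + NODE_OWNER, va(0x4100))  # points at zeros -> TCB
    # n2 and n3 keep next == 0; n3 keeps +0x14 == 0, so it is also classified as TCB
    image[eproc:eproc + 4] = EPROCESS_HEADER
    return bytes(image), tcpip_base_va, version


def walk_sample():
    image, base, version = build_sample_image()
    return walk_pool(image, base, version)


if __name__ == "__main__":
    for head, node, kind in walk_sample():
        print(f"head {head:#010x} node {node:#010x} {kind}")
```

The header check of step 5 d) is a heuristic: it accepts any pointer whose target begins with 03 00 20 00, so on a real image a candidate EPROCESS should also be validated by other means (for example that it sits on the process list recovered from the KPCR-based analysis of claim 2) before its pid is trusted.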

Priority Applications (1)

Application Number Priority Date Filing Date Title
CN200910231540XA CN101727323B (en) 2009-12-04 2009-12-04 Obtaining method of network information under Vista operating system

Publications (2)

Publication Number Publication Date
CN101727323A true CN101727323A (en) 2010-06-09
CN101727323B CN101727323B (en) 2012-08-01

Family

ID=42448258

Country Status (1)

Country Link
CN (1) CN101727323B (en)

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN100477643C (en) * 2006-09-22 2009-04-08 中国科学院计算技术研究所 Method for realizing data packet catching based on sharing internal memory
CN101315602B (en) * 2008-05-09 2011-01-26 浙江大学 Method for hardware realization of process internal memory management nucleus
CN101414304B (en) * 2008-11-27 2010-12-15 山东省计算中心 Method for analyzing Windows system physical internal memory based on K P C R structure

Cited By (8)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2014131319A1 (en) * 2013-02-27 2014-09-04 华为技术有限公司 Methods and apparatuses for identifying and tracking process of operating system, and for obtaining information
CN104732145A (en) * 2015-03-31 2015-06-24 北京奇虎科技有限公司 Parasitic course detection method and device in virtual machine
CN104732145B (en) * 2015-03-31 2018-04-13 北京奇虎科技有限公司 A kind of parasitic process detection method and apparatus in virtual machine
CN108292261A (en) * 2015-04-22 2018-07-17 色彩象征有限公司 Object memories administrative unit
CN105824761A (en) * 2016-03-10 2016-08-03 北京金山安全软件有限公司 Physical memory information acquisition method and device
CN105824761B (en) * 2016-03-10 2019-01-08 珠海豹趣科技有限公司 A kind of physical memory information acquisition methods and device
CN107247579A (en) * 2016-08-19 2017-10-13 北京金山安全管理***技术有限公司 The computational methods and device of a kind of ELF file maps base address
CN107247579B (en) * 2016-08-19 2020-09-11 北京金山安全管理***技术有限公司 Method and device for calculating ELF file mapping base address

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20120801

Termination date: 20131204