Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning

In memory forensics, Pool Tag Scanning based on the memory pool tag requires an exhaustive search of physical memory when scanning for kernel driver objects, which is very inefficient. Object scanning of Windows kernel drivers using pool tag quick scanning is proposed. The method uses quick pool tag scanning to reduce the memory range to be scanned, and then quickly scans for driver objects according to the characteristics of the kernel driver object, to help the investigator determine whether a driver is normal. Experimental results show that the scanning efficiency of kernel driver object scanning is improved greatly by using quick pool tag scanning, and the time spent in the scanning step is reduced while the false alarm rate remains the same.

Bibliographic Details
Format: Article
Language: zho
Published: The Northwestern Polytechnical University, 2019-10-01
Series: Xibei Gongye Daxue Xuebao
Subjects:
Online Access: https://www.jnwpu.org/articles/jnwpu/full_html/2019/05/jnwpu2019375p1044/jnwpu2019375p1044.html
id doaj-be9e12ba2a1a45e3b8dda674082ff4d8
record_format Article
spelling doaj-be9e12ba2a1a45e3b8dda674082ff4d8 | 2021-05-02T19:21:54Z | zho | The Northwestern Polytechnical University | Xibei Gongye Daxue Xuebao | 1000-2758 | 2609-7125 | 2019-10-01 | 37(5): 1044-1052 | 10.1051/jnwpu/20193751044 | jnwpu2019375p1044 | Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning | School of Computer Science and Technology, Harbin University of Science and Technology (×4) | In memory forensics, Pool Tag Scanning based on the memory pool tag requires an exhaustive search of physical memory when scanning for kernel driver objects, which is very inefficient. Object scanning of Windows kernel drivers using pool tag quick scanning is proposed. The method uses quick pool tag scanning to reduce the memory range to be scanned, and then quickly scans for driver objects according to the characteristics of the kernel driver object, to help the investigator determine whether a driver is normal. Experimental results show that the scanning efficiency of kernel driver object scanning is improved greatly by using quick pool tag scanning, and the time spent in the scanning step is reduced while the false alarm rate remains the same. | https://www.jnwpu.org/articles/jnwpu/full_html/2019/05/jnwpu2019375p1044/jnwpu2019375p1044.html | memory forensics; pool tag; pool tag quick scanning; kernel driver object
collection DOAJ
language zho
format Article
sources DOAJ
title Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
spellingShingle Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
Xibei Gongye Daxue Xuebao
memory forensics
pool tag
pool tag quick scanning
kernel driver object
title_short Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
title_full Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
title_fullStr Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
title_full_unstemmed Object Scanning of Windows Kernel Driver Based on Pool Tag Quick Scanning
title_sort object scanning of windows kernel driver based on pool tag quick scanning
publisher The Northwestern Polytechnical University
series Xibei Gongye Daxue Xuebao
issn 1000-2758
2609-7125
publishDate 2019-10-01
description In memory forensics, Pool Tag Scanning based on the memory pool tag requires an exhaustive search of physical memory when scanning for kernel driver objects, which is very inefficient. Object scanning of Windows kernel drivers using pool tag quick scanning is proposed. The method uses quick pool tag scanning to reduce the memory range to be scanned, and then quickly scans for driver objects according to the characteristics of the kernel driver object, to help the investigator determine whether a driver is normal. Experimental results show that the scanning efficiency of kernel driver object scanning is improved greatly by using quick pool tag scanning, and the time spent in the scanning step is reduced while the false alarm rate remains the same.
topic memory forensics
pool tag
pool tag quick scanning
kernel driver object
url https://www.jnwpu.org/articles/jnwpu/full_html/2019/05/jnwpu2019375p1044/jnwpu2019375p1044.html
_version_ 1721488456455028736