
User-mode memory scanning on 32-bit & 64-bit windows

  • EICAR 2008 Extended Version
  • Journal in Computer Virology

Abstract

Memory scanning is an essential component in detecting and deactivating malware while the malware is still active in memory. The discussion here is confined to user-mode memory scanning on 32-bit and 64-bit Windows NT based systems for malware that is memory resident and/or persistent across reboots. Malware targeting 32-bit Windows is being created and deployed at an alarming rate today. While there is not yet much malware targeting 64-bit Windows, much of the existing Win32 malware written for 32-bit Windows will run unchanged on 64-bit Windows because of the underlying WoW64 subsystem. Here, we present an approach to implementing user-mode memory scanning for Windows, which essentially means scanning the virtual address space of every process in memory. In the case of an infection, malware that is still active in memory can significantly hinder both detection and disinfection; the real challenge therefore lies in fully disinfecting the machine and restoring it to a clean state. Today's malware applies complex anti-disinfection techniques that make restoring the machine to a clean state extremely difficult. We discuss some of these techniques with examples from real-world malware scenarios and present practical approaches for user-mode disinfection. By leveraging the abundance of redundant information available from user-mode via various Win32 and Native API calls, we also present techniques for detecting hidden processes. Certain challenges in porting the memory scanner to 64-bit Windows and Vista are discussed, as are the advantages and disadvantages of implementing a memory scanner in user-mode rather than kernel-mode.
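The abstract's "scanning the virtual address space of every process" is, in practice, a walk over the regions VirtualQueryEx reports and a ReadProcessMemory of each committed, readable one. The following is an added example (not code from the paper) that simulates that walk in Python over constructed regions, using the real MEMORY_BASIC_INFORMATION State/Protect constants; the signature and region contents are constructed placeholders. It shows the case a naive per-region scan misses: a pattern that straddles two contiguous regions.

```python
"""Simulated user-mode region walk (VirtualQueryEx/ReadProcessMemory loop)
with signature matching that survives region boundaries. Constructed example."""
from dataclasses import dataclass

# Real MEMORY_BASIC_INFORMATION State / Protect values from the Win32 headers.
MEM_COMMIT, MEM_RESERVE = 0x1000, 0x2000
PAGE_NOACCESS, PAGE_READWRITE, PAGE_GUARD = 0x01, 0x04, 0x100


@dataclass
class Region:
    base: int      # mbi.BaseAddress
    state: int     # mbi.State
    protect: int   # mbi.Protect
    data: bytes    # constructed stand-in for what ReadProcessMemory returns


def readable(r: Region) -> bool:
    """Only committed pages without NOACCESS/GUARD can be read without faulting."""
    return r.state == MEM_COMMIT and not (r.protect & (PAGE_NOACCESS | PAGE_GUARD))


def scan_regions(regions, signature: bytes):
    """Return absolute addresses of every signature hit across the region list.
    The last len(signature)-1 bytes are carried into the next region when the
    two are contiguous, so a pattern crossing a boundary is still found."""
    if not signature:
        raise ValueError("empty signature")
    hits, carry, carry_base, prev_end = [], b"", 0, None
    for r in sorted(regions, key=lambda x: x.base):
        if not readable(r):
            carry, prev_end = b"", None      # unreadable gap breaks contiguity
            continue
        if prev_end == r.base and carry:
            buf, buf_base = carry + r.data, carry_base
        else:
            buf, buf_base = r.data, r.base
        pos = buf.find(signature)
        while pos != -1:
            hits.append(buf_base + pos)
            pos = buf.find(signature, pos + 1)
        carry = buf[-(len(signature) - 1):] if len(signature) > 1 else b""
        carry_base = buf_base + len(buf) - len(carry)
        prev_end = r.base + len(r.data)
    return hits


# Constructed sample: signature split across two adjacent committed regions,
# a guard-page region and a reserved region to skip, and a plain in-region hit.
SAMPLE_SIGNATURE = b"EICAR-SIG"                      # placeholder, not a real pattern
SAMPLE_REGIONS = [
    Region(0x10000, MEM_COMMIT, PAGE_READWRITE, b"A" * 10 + b"EICAR"),
    Region(0x1000F, MEM_COMMIT, PAGE_READWRITE, b"-SIG" + b"B" * 4),
    Region(0x20000, MEM_COMMIT, PAGE_GUARD | PAGE_READWRITE, b"EICAR-SIG"),
    Region(0x30000, MEM_RESERVE, PAGE_NOACCESS, b""),
    Region(0x40000, MEM_COMMIT, PAGE_READWRITE, b"ZZEICAR-SIGZZ"),
]
```

Running `scan_regions(SAMPLE_REGIONS, SAMPLE_SIGNATURE)` reports the straddling hit at 0x1000A and the in-region hit at 0x40002, while the guard-page and reserved regions are never read.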



Corresponding author

Correspondence to Eric Uday Kumar.

Cite this article

Kumar, E.U. User-mode memory scanning on 32-bit & 64-bit windows. J Comput Virol 6, 123–141 (2010). https://doi.org/10.1007/s11416-008-0091-3
