Obtaining forensic value from the cbWndExtra structures as used by Windows Common Controls, specifically for the Editbox control
Affiliation: 1. Department of Computer Science, Friedrich-Alexander-Universität Erlangen-Nürnberg (FAU), Erlangen, Germany; 2. Department of Computer Science, Technische Hochschule Nürnberg Georg Simon Ohm, Nürnberg, Germany
Abstract: The Windows Common Controls is a library which facilitates the construction of GUI controls commonly used by Windows applications. Each control is an extension of the basic ‘window’ class, and the difference in that extension is what distinguishes one control from another; for example, an Edit control as opposed to a Button control. The basic window class is documented by Microsoft and the generic information about a window can be extracted, but this is of very limited use. There is no documentation and very little research into how these extensions are laid out in memory. This paper demonstrates how the extension bytes for the Edit control can be parsed, leading to the identification of previously unobtainable data which reveal information about the state of the control at runtime. Most notably, the undo buffer, that is, text that was previously present in the control, can be recovered – an aspect which traditional disk forensics would simply not provide. The paper explains why previous attempts to achieve similar goals have failed, and how the technique could be applied to any control from the Windows Common Controls library.
Keywords: Windows Common Controls; Digital forensics; Microsoft Windows; Volatile memory; Memory forensics; cbWndExtra; Editbox; WNDCLASSEX
This document is indexed in ScienceDirect and other databases.