Scanning memory with Yara
Affiliation: 1. School of IT, Deakin University, Australia; 2. Electrical and Computer Engineering Department, Bradley University, Peoria, IL, USA; 3. School of Computing, Charles Sturt University, NSW, Australia; 4. College of Computer and Information Sciences, King Saud University, Riyadh, 11543, Saudi Arabia
Abstract: Memory analysis has been successfully utilized to detect malware in many high-profile cases. The use of signature scanning to detect malicious tools is becoming an effective triaging and first-response technique. In particular, the Yara library and scanner have emerged as the de facto standard in malware signature scanning for files, and there are many open-source repositories of Yara rules. Previous attempts to incorporate Yara scanning in memory analysis yielded mixed results. This paper examines the differences between applying Yara signatures to files and to memory, and how Yara signatures can be developed to effectively search for malware in memory. For the first time, we document a technique to identify the process owner of a physical page using the Windows PFN database. We use this to develop a context-aware Yara scanning engine that can scan all processes simultaneously using a single pass over the physical image.
Keywords: Memory analysis; Reverse engineering; Windows internals; Operating system; Forensic analysis; Malware detection; Intrusion detection
This paper is indexed in ScienceDirect and other databases.