VirMA: Windows NT pagefile.sys Virtual Memory Analysis
Abstract
As hard disk encryption, RAM disks, persistent data avoidance technology and memory resident malware become more widespread, memory analysis becomes more important.
In order to provide more virtual memory than is actually physically present on a system, an operating system may transfer frames of memory to a pagefile on persistent storage. Current memory analysis software does not incorporate such pagefiles and thus misses important information. We therefore present a detailed analysis of Windows NT paging. We use dynamic gray-box analysis, in which we place known data into virtual memory and examine where it is mapped to, in either the physical memory or the pagefile, and cross-reference these findings with the Windows NT Research Kernel source code. We demonstrate how to decode the non-present page table entries, and accurately reconstruct the complete virtual memory space, including non-present memory pages, on Windows NT systems using 32-bit, PAE or IA32e paging.
Our analysis approach can be used to analyze other operating systems as well.
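As an added illustration of the PTE decoding the abstract refers to (example code written for this page, not the VirMA tool's source), the following classifies an IA32e page-table entry into the states an analyst must distinguish and fetches the backing page from a pagefile. It assumes the WRK amd64 MMPTE_SOFTWARE/MMPTE_TRANSITION bit layout (Valid bit 0, PageFileLow bits 1-4, Protection bits 5-9, Prototype bit 10, Transition bit 11, PageFileHigh bits 32-63), a 4 KiB page size, and constructed sample PTEs and pagefile contents.

```python
from dataclasses import dataclass
from typing import Dict, Optional

PAGE_SIZE = 0x1000
PFN_MASK = 0x000F_FFFF_FFFF_F000  # bits 12..51 carry the PFN in valid/transition PTEs

@dataclass
class PteInfo:
    kind: str                          # valid | transition | prototype | pagefile | demand_zero | zero
    pfn: Optional[int] = None          # physical frame number (valid / transition)
    pagefile_number: Optional[int] = None
    pagefile_offset: Optional[int] = None  # byte offset into that pagefile
    protection: Optional[int] = None   # 5-bit MM_* protection code of a software PTE

def decode_pte_ia32e(pte: int) -> PteInfo:
    """Classify a 64-bit PTE (layout assumed from the WRK amd64 MMPTE_* unions)."""
    if pte & 1:                                  # hardware-valid: page is in RAM
        return PteInfo("valid", pfn=(pte & PFN_MASK) >> 12)
    if pte == 0:                                 # never touched, nothing to recover
        return PteInfo("zero")
    prototype = (pte >> 10) & 1
    transition = (pte >> 11) & 1
    protection = (pte >> 5) & 0x1F
    if transition and not prototype:             # on standby/modified list, still in RAM
        return PteInfo("transition", pfn=(pte & PFN_MASK) >> 12, protection=protection)
    if prototype:                                # shared/mapped page: resolve via prototype PTE
        return PteInfo("prototype")
    pagefile_high = pte >> 32                    # page index inside the pagefile
    if pagefile_high == 0:                       # software PTE without backing store yet
        return PteInfo("demand_zero", protection=protection)
    return PteInfo("pagefile", pagefile_number=(pte >> 1) & 0xF,
                   pagefile_offset=pagefile_high * PAGE_SIZE, protection=protection)

def read_page(info: PteInfo, pagefiles: Dict[int, bytes]) -> Optional[bytes]:
    """Fetch the 4 KiB page a pagefile PTE points to; None if not pagefile-backed."""
    if info.kind != "pagefile":
        return None
    data = pagefiles[info.pagefile_number]
    return data[info.pagefile_offset:info.pagefile_offset + PAGE_SIZE]

# Constructed sample: pagefile 0 with four pages, page 2 filled with a marker byte.
SAMPLE_PAGEFILES = {0: b"\x00" * (2 * PAGE_SIZE) + b"\x41" * PAGE_SIZE + b"\x00" * PAGE_SIZE}
# Constructed PTE: PageFileHigh=2, PageFileLow=0, Protection=4 (MM_READWRITE), Valid=0.
SAMPLE_PAGEFILE_PTE = (2 << 32) | (4 << 5)

if __name__ == "__main__":
    for pte in (0x8000000012345063, 0x7777880, SAMPLE_PAGEFILE_PTE, 0):
        print(hex(pte), decode_pte_ia32e(pte))
    print(read_page(decode_pte_ia32e(SAMPLE_PAGEFILE_PTE), SAMPLE_PAGEFILES)[:4])
```

The 32-bit and PAE layouts the paper also covers place the same fields at different bit positions, so this decoder applies only to IA32e entries.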
Source Code
The source code of tools used in the IMF 2015 paper “Windows NT pagefile.sys Virtual Memory Analysis”: VirMA 2015-02-18
Presentation
Presentation from IMF 2015: “Windows NT pagefile.sys Virtual Memory Analysis”