Note:

The current version of the ptenum plugin can be found here: https://github.com/f-block/volatility-plugins. It has been updated extensively and ported to Volatility3.

For the last (but now outdated) Rekall version see here: https://github.com/f-block/rekall-plugins.

The branch updates contains some updates and instructions for the tools used, so they can be built easily with MinGW. All changes are made solely in the branch updates. The branch main is in the same state as at the time of writing the paper, to allow unaltered reproducibility of our results.


This is the online repository for the paper "Windows Memory Forensics: Detecting (un)intentionally hidden injected Code by examining Page Table Entries" by Frank Block and Andreas Dewald (https://dfrws.org/presentation/windows-memory-forensics-detecting-unintentionally-hidden-injected-code-by-examining-page-table-entries/). It contains all material referenced in the paper, including the resulting Rekall plugin: ptenum.py

For any questions (regarding this research ;-) ), don't hesitate to contact research-codeinjections@f-block.org