Note:
The current version of the ptenum plugin can be found at https://github.com/f-block/volatility-plugins. It has been updated extensively and ported to Volatility 3.
The last (now outdated) Rekall version is available at https://github.com/f-block/rekall-plugins.
The branch "updates" contains some updates to, and build instructions for, the tools used, so that they can be built easily with MinGW. All changes are made solely in the "updates" branch. The branch "main" is in the same state as at the time of writing the paper, to allow unaltered reproducibility of our results.
This is the online repository for the paper "Windows Memory Forensics: Detecting (un)intentionally hidden injected Code by examining Page Table Entries" by Frank Block and Andreas Dewald (https://dfrws.org/presentation/windows-memory-forensics-detecting-unintentionally-hidden-injected-code-by-examining-page-table-entries/). It contains all material referenced in the paper, including the resulting Rekall plugin: ptenum.py
For any questions (regarding this research ;-) ), don't hesitate to contact research-codeinjections@f-block.org.