Enumerating Process Memory Tools Flashcards

1
Q

Virtual Address Descriptors (VADs)

A

VADs are kernel-mode structures that Windows uses to track reserved or committed, virtually contiguous ranges of pages in a process's address space. For example, if a page is 4 KB and a process commits 10 pages at once, a VAD is created in kernel memory that describes that 40 KB range. If the region is a memory-mapped file, the VAD also stores information about the file's path.

2
Q

Working Set List

A

A process's working set is the collection of its recently accessed virtual pages that are currently present in physical memory (not swapped out to disk). It can come in handy for debugging or for cross-referencing with other sources of process memory. Working sets never contain references to nonpageable memory or large pages. (Not used much in forensics.)

3
Q

PFN database

A

Windows uses the PFN database to track the state of each page in physical memory. It gives you a unique view of how memory is actually being used, because page tables, VADs, and working sets all describe virtual memory.

4
Q

VAD Tree

A

A process’ VAD tree describes the layout of its memory segments at a slightly higher level than the page tables.

5
Q

CommitCharge

A

Specifies the number of pages committed in the region described by the VAD node. The reason we care about this field is that, historically, when code-injecting malware sets up the target process's address space to receive the malicious code, it commits all pages up front; it does not reserve them and then go back and commit them later (although it could). A private region whose CommitCharge equals the number of pages it spans is therefore one signal, alongside executable protection and the absence of a mapped file, that the region may hold injected code.
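As an added example (not part of the original flashcards and not any particular tool's code), the script below models the VAD fields from cards 1 and 5 and applies the CommitCharge heuristic to a constructed set of VAD nodes. The `Vad` class, the sample regions and the `suspicious_vads` rule are assumptions made for illustration; the protection constants are the real values from winnt.h. It also shows the caveat: a region that was reserved and only partially committed is not flagged by the strict rule.

```python
from dataclasses import dataclass
from typing import List, Optional

PAGE_SIZE = 0x1000  # 4 KB pages on x86/x64 Windows

# Page protection constants, values as defined in winnt.h
PAGE_READWRITE = 0x04
PAGE_EXECUTE_READ = 0x20
PAGE_EXECUTE_READWRITE = 0x40


@dataclass
class Vad:
    """Simplified VAD node (hypothetical model, not the kernel's _MMVAD layout)."""
    start: int                       # first virtual address of the region
    end: int                         # last virtual address, inclusive
    commit_charge: int               # number of committed pages in the region
    protection: int                  # initial page protection
    mapped_file: Optional[str] = None  # path if the region maps a file, else None

    @property
    def size_bytes(self) -> int:
        return self.end - self.start + 1

    @property
    def page_count(self) -> int:
        # e.g. 10 committed 4 KB pages -> a VAD covering 40 KB
        return self.size_bytes // PAGE_SIZE

    @property
    def fully_committed(self) -> bool:
        # Injectors historically commit every page of the region up front
        return self.commit_charge == self.page_count


def suspicious_vads(vads: List[Vad]) -> List[Vad]:
    """Return private, fully committed, executable+writable regions.

    This mirrors the reasoning on the CommitCharge card: a region that
    maps a file is expected to be executable, and a region that was only
    reserved (CommitCharge < page_count) does not match the classic
    injection pattern.
    """
    flagged = []
    for vad in vads:
        if vad.mapped_file is not None:          # image/data section, file-backed
            continue
        if vad.protection != PAGE_EXECUTE_READWRITE:
            continue
        if not vad.fully_committed:              # reserved, then partly committed
            continue
        flagged.append(vad)
    return flagged


# Constructed sample VAD tree for one process (not real forensic data)
SAMPLE_VADS = [
    # the process image: file-backed, so never flagged even though executable
    Vad(0x400000, 0x4fffff, 0x10, PAGE_EXECUTE_READ, r"\Windows\System32\notepad.exe"),
    # 10 pages committed at once, RWX, no file: the injection pattern
    Vad(0x1a0000, 0x1a9fff, 10, PAGE_EXECUTE_READWRITE),
    # a heap: reserved 256 pages, committed only 4, and not executable
    Vad(0x2b0000, 0x3affff, 4, PAGE_READWRITE),
    # RWX but reserved 4 pages and committed 2: the strict rule skips it
    Vad(0x5c0000, 0x5c3fff, 2, PAGE_EXECUTE_READWRITE),
]


def report(vads: List[Vad]) -> List[str]:
    lines = []
    for vad in suspicious_vads(vads):
        lines.append(
            f"0x{vad.start:08x}-0x{vad.end:08x} "
            f"pages={vad.page_count} commit={vad.commit_charge} RWX private"
        )
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_VADS):
        print(line)
```

Running it prints only the 40 KB region at 0x1a0000. The last sample region shows why CommitCharge is a heuristic rather than a rule: an injector that reserves first and commits later would slip past this check, so it should be combined with other evidence (protection, absence of a mapped file, and inspection of the region's contents).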

6
Q

Page Tables

A

MISSING
