Windows内核变量定位与应用研究

Windows内核变量是内存分析过程中经常需要使用到的数据,但是由于Windows操作系统的封闭性,定位到Windows内核变量的位置非常困难.前人提出了一些内核变量定位的方法,但是在实验后发现,结果并不尽人意.针对这一现状,在前人的算法上进行了改进,提出一种基于虚拟地址转换的算法,使得可以准确定位内核变量位置.另外,也提出了一个基于Windows XP全新的内核变量快速定位方法.最后,以内核变量MmPhysicalMemoryBlock的应用为例,提出了基于MmPhysicalMemoryBlock的内存数据快速导出算法.实验结果表明,2个内核变量定位算法能准确的定位内核变量,内存数据快速导出算法也能准确完整的导出需要的内存数据.

Researches on Windows kernel variable locating and application

The data of Windows kernel variables was used frequently on the analysis of memory. But locating these kernel variables was limited by the operating system. Former scholars have proposed some algorithms of Windows kernel variables locating. But after experiments, the result was not satisfactory. With an improvement on precedent algorithms, an algorithm based on virtual address translation was proposed for accurately locating kernel variables. It could improve the accuracy of locating the kernel variables. And, an innovative fast locating algorithm based on the Windows XP kernel variables was proposed. At last, a fast memory data export algorithm based on MmPhysicalMemoryBlock was suggested with the example of kernel variable MmPhysicalMemoryBlock application. The experiments showed that, these two kernel variables locating algorithm are able to locate kernel variables preciesly, the fast memory data export algorithm is able to export wanted memory data with accuracy and integrity.