期刊论文、会议论文

Che, S. B.

中文

电子测量技术

1002-7300

2015

38

5

27-32

International Conference on Advanced Educational Technology and Information Engineering (AETIE)

MAY 17-18, 2015

Beijing, PEOPLES R CHINA

[Che, S. B.;Yi, W.] Cent South Univ Forestry & Technol, Coll Comp & Informat Engn, Changsha, Hunan, Peoples R China.

439 DUKE STREET, LANCASTER, PA 17602-4967 USA

DESTECH PUBLICATIONS, INC

978-1-60595-245-1

10.3969/j.issn.1002-7300.2015.05.007

本校为第一且通讯机构

Windows内核变量是内存分析过程中经常需要使用到的数据,但是由于Windows操作系统的封闭性,定位到Windows内核变量的位置非常困难.前人提出了一些内核变量定位的方法,但是在实验后发现,结果并不尽人意.针对这一现状,在前人的算法上进行了改进,提出一种基于虚拟地址转换的算法,使得可以准确定位内核变量位置.另外,也提出了一个基于Windows XP全新的内核变量快速定位方法.最后,以内核变量MmPhysicalMemoryBlock的应用为例,提出了基于MmPhysicalMemoryBlock的内存数据快速导出算法.实验结果表明,2个内核变量定位算法能准确的定位内核变量,内存数据快速导出算法也能准确完整的导出需要的内存数据.

The data of Windows kernel variables was used frequently on the analysis of memory. But locating these kernel variables was limited by the operating system. Former scholars have proposed some algorithms of Windows kernel variables locating. But after experiments, the result was not satisfactory. With an improvement on precedent algorithms, an algorithm based on virtual address translation was proposed for accurately locating kernel variables. It could improve the accuracy of locating the kernel variables. And, an innovative fast locating algorithm based on the Windows XP kernel variables was p...