Memory Analysis - VAD Tags and Code Entry

I am doing research in the field of forensics in memory, and currently I need to learn how to find code injections in memory in several ways. One way is to use VAD tags to enter the code.

I tried to figure out what VAD is and what VAD tags are, but I just could not find a simple explanation. The only thing I understand is that VAD is some kind of win32 structure, and it has something to do with the process address space. But I don’t understand what exactly VAD does, how you use it to enter code, and how you can detect code injections in RAM that use VAD tags.

I would be grateful if you could guide me through this. Thanks :)

+4
2 answers

VAD stands for virtual address descriptor. It would seem that the Windows kernel organizes the memory allocated by the process (or the kernel?) by the tree of allocated VAD distributions.

I found a project that apparently implements memory forensics and references a document that seems to describe VAD pretty well. Now I am on my mobile phone, so I have not read it completely, but it looks like a promising resource.

The project is called Volatility.

They cite an article entitled "VAD Tree: A Look Overlooking Physical Memory" by Brendan Dolan-Gavitt.

+2
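The answer above points to Volatility and the VAD tree but does not show how the tree is actually used to spot injected code. The following is an added example, not code from the question, the answer or the Volatility project: it parses a constructed VAD listing (columns modelled on a typical forensic tool's output, not real output) and applies the usual heuristic, flagging short VADs (tag `VadS`, i.e. private memory with no backing file) that carry an executable protection. The column layout, the sample rows and the `VadS`/`Vad` tag names used for the rows are assumptions of this example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample listing (not output from a real memory image).
# A legitimate image-backed mapping has a file path; private heap/VirtualAlloc
# regions have none and are shown here as "-".
SAMPLE_VADS = """\
Pid  Tag   Start              End                Protection              File
1234 Vad   0x00007ff6a0000000 0x00007ff6a0042fff PAGE_EXECUTE_WRITECOPY  \\Windows\\System32\\notepad.exe
1234 VadS  0x0000000000c40000 0x0000000000c4ffff PAGE_READWRITE          -
1234 VadS  0x0000000002a10000 0x0000000002a20fff PAGE_EXECUTE_READWRITE  -
1234 Vad   0x00007ffb12340000 0x00007ffb1250ffff PAGE_EXECUTE_WRITECOPY  \\Windows\\System32\\kernel32.dll
5678 VadS  0x0000000001f00000 0x0000000001f00fff PAGE_EXECUTE_READWRITE  -
5678 Vad   0x0000000003000000 0x000000000300ffff PAGE_EXECUTE_READ       \\Windows\\System32\\ntdll.dll
"""


@dataclass(frozen=True)
class Vad:
    pid: int
    tag: str         # pool tag of the VAD node: "VadS" = short VAD (no file object)
    start: int
    end: int
    protection: str
    file: Optional[str]  # None when the region is not backed by a file


def parse_vad_listing(text: str) -> List[Vad]:
    """Parse the whitespace-separated listing defined above into Vad records."""
    vads: List[Vad] = []
    for line in text.splitlines()[1:]:  # first row is the header
        parts = line.split()
        if len(parts) != 6:
            continue  # tolerate blank or malformed rows
        pid, tag, start, end, prot, path = parts
        vads.append(Vad(int(pid), tag, int(start, 16), int(end, 16), prot,
                        None if path == "-" else path))
    return vads


def suspicious_regions(vads: List[Vad]) -> List[Vad]:
    """Return private, unbacked VADs that are executable.

    Injected shellcode and reflectively loaded modules live in memory that a
    process allocated itself (short VAD, no backing file) yet made executable.
    A read/write/execute protection is the strongest signal; note that JIT
    engines (browsers, .NET) create such regions legitimately, so treat hits
    as leads for further inspection rather than verdicts.
    """
    return [v for v in vads
            if v.tag == "VadS" and v.file is None and "EXECUTE" in v.protection]
```

Run over the constructed sample, the function returns the two RWX private regions (one in pid 1234, one in pid 5678) and ignores the file-backed executable mappings and the non-executable heap.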

, VAD. .

VAD , .

* . PTE, , .

VAD , AVL, , Sysnative. *

0
