
Analyzing compressed memory in Windows 10

Memory analysis on Windows 10 differs substantially from earlier versions of Windows: a new feature, memory compression, means that a forensic tool must be able to read compressed memory pages.

Memory compression in Windows 10

Recent Windows 10 releases enable memory compression, which reduces memory usage by compressing some memory pages with the Xpress algorithm and keeping them in a so-called compression store; the pages are decompressed back into their original form when they are needed again.

Memory compression in Windows 10 is a significant development in memory manager design: it improves system performance by using physical memory more efficiently, but it is more complex than in previous Windows versions and is currently not publicly documented.
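As an added illustration of what "compressed with the Xpress algorithm" means in practice, the following Python decompressor implements the plain (non-Huffman) LZ77 variant of Xpress as specified in MS-XCA. This is example code written for this page, not code from the page or from the FLARE project; it assumes that compressed pages use this plain LZ77 format and that a page decompresses to at most 4096 bytes, and both sample inputs are constructed by hand.

```python
"""Decompressor for the plain (non-Huffman) LZ77 variant of Xpress (MS-XCA).

Added example: not code from the page or from the FLARE fork. It assumes
that compressed pages use this plain LZ77 format and that a page decompresses
to at most PAGE_SIZE bytes; both are assumptions, not statements from the page.
"""
import struct

PAGE_SIZE = 4096  # assumed size of a decompressed memory page


def lz77_plain_decompress(data: bytes, expected_size: int = PAGE_SIZE) -> bytes:
    """Decode MS-XCA plain LZ77 until the end marker or expected_size bytes."""
    out = bytearray()
    in_pos = 0
    flags = 0             # 32-bit flag word: 0 bit = literal byte, 1 bit = match
    flag_count = 0        # flag bits still unread in the current word (MSB first)
    half_byte_pos = None  # position of a length nibble whose high half is pending

    def need(count: int) -> None:
        if in_pos + count > len(data):
            raise ValueError("compressed data truncated at offset %d" % in_pos)

    while len(out) < expected_size:
        if flag_count == 0:
            need(4)
            flags = struct.unpack_from("<I", data, in_pos)[0]
            in_pos += 4
            flag_count = 32
        flag_count -= 1
        if (flags >> flag_count) & 1 == 0:
            need(1)
            out.append(data[in_pos])
            in_pos += 1
            continue
        if in_pos == len(data):
            break  # a match flag with no bytes left is the end-of-stream marker
        need(2)
        match = struct.unpack_from("<H", data, in_pos)[0]
        in_pos += 2
        length = match & 7
        offset = (match >> 3) + 1
        if length == 7:
            # Lengths of 10 and more spill into a shared nibble, then a byte, then a word.
            if half_byte_pos is None:
                need(1)
                length = data[in_pos] & 0x0F
                half_byte_pos = in_pos
                in_pos += 1
            else:
                length = data[half_byte_pos] >> 4
                half_byte_pos = None
            if length == 15:
                need(1)
                length = data[in_pos]
                in_pos += 1
                if length == 255:
                    need(2)
                    length = struct.unpack_from("<H", data, in_pos)[0]
                    in_pos += 2
                    if length < 15 + 7:
                        raise ValueError("invalid long match length")
                    length -= 15 + 7
                length += 15
            length += 7
        length += 3
        if offset > len(out):
            raise ValueError("match offset %d points before start of output" % offset)
        # Byte-wise copy so overlapping matches (run-length style) work; the copy is
        # clamped to the expected page size, as a fixed-size output buffer would be.
        for _ in range(min(length, expected_size - len(out))):
            out.append(out[-offset])
    return bytes(out)


# Constructed sample 1: flag word 0x1FFFFFFF (little-endian), literals "abc",
# one match with offset 3 and length 27, then the end marker -> "abc" * 10.
SAMPLE_ABC = bytes.fromhex("ffffff1f61626317000f02")
# Constructed sample 2: 26 literals and an end marker, no matches.
SAMPLE_ALPHABET = bytes.fromhex("3f000000") + b"abcdefghijklmnopqrstuvwxyz"

if __name__ == "__main__":
    print(lz77_plain_decompress(SAMPLE_ABC))
    print(lz77_plain_decompress(SAMPLE_ALPHABET))
```

The decoder stops either at the end marker (a match flag with no input left) or when the expected page size has been produced, whichever comes first, and refuses truncated input and back-references that point before the start of the output instead of reading out of bounds.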

Windows 10 memory dump analysis

The standard version of Volatility cannot examine memory held in compressed pages, so many forensic artifacts go undetected.

Fortunately, the FireEye FLARE team created a custom Volatility version with specific changes for reading Windows 10 compressed memory:

To provide more comprehensive memory analysis of Windows 10, the FLARE team at FireEye analyzed the operating system's memory manager, as well as the algorithms and structures used to retrieve compressed memory. The memory we are looking for is stored in a virtual store created by the Store Manager kernel component. The Store Manager is responsible for managing the data involved in system performance optimizations, including SuperFetch, ReadyBoost and ReadyDrive. In this case, the virtual store is a memory-backed object that uses memory space in MemCompression.exe for compressed process data. The results of this research were contributed to both Volatility and Rekall, to benefit the security community.

To deal with the data missing from compressed pages, the FireEye FLARE team created several add-ons for Volatility and Rekall to support Windows 10 memory compression. First, we added the necessary overlays.


The overlays describe the internal data structures used by the Windows 10 memory compression algorithm and make them available in Python. For example, the overlays define the layout of the SMKM_STORE structure and of the B+ trees used to locate compressed pages.

The undocumented Windows structures defined in the overlays are based on information we obtained by analyzing different versions of Windows 10. Being undocumented, these structures are subject to change across Windows builds and even revisions. We currently support versions 1607, 1703, 1709, 1803 and 1809 for both 32-bit and 64-bit architectures. To support additional versions, the structure layouts must be analyzed and the overlays updated accordingly.

https://www.fireeye.com/blog/threat-research/2019/07/finding-evil-in-windows-ten-compressed-memory-part-one.html

The FLARE fork of Volatility can be downloaded here: https://github.com/fireeye/win10_volatility

Based on