Abstract:
Using Mr. Aaron Walters' Python script, nistpe.py, which generates hash values for the sections of Microsoft Windows portable executables (PE), I will present a technique that allows industry, academia, law enforcement, and other government bodies to create custom reference sets for detecting PE sections within a raw bit image of random access memory. The technique identifies PE sections by comparing the SHA-1 hash values of page-aligned segments of the image against SHA-1 reference file entries. It expands on the "immutable sections of known executables" reported earlier. Being able to identify PEs by hash values may facilitate volatile memory analysis and warn of malicious logic.
Keywords:
authoring languages; information storage; random-access storage; supervisory programs; Aaron Walters Python script; Microsoft Windows portable executable; RAM image; SHA-1 hash value; SHA-1 reference file entry; custom reference set; known executables immutable section; malicious logic warning; page aligned segment; random access memory; raw bit image; section detection; volatile memory analysis; Conference management; Forensics; Government; Image segmentation; Logic; Operating systems; Random access memory; Read-write memory; Security; Software standards;
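As an added illustration of the matching step the abstract describes (this is not code from the paper or from nistpe.py): a reference set is built by hashing each full page of a known section, and every page-aligned segment of a raw image is then looked up in it. The section bytes, the image layout and the 4096-byte page size are constructed assumptions; the unaligned copy at the end of the image shows why the scan only finds sections mapped on page boundaries.

```python
import hashlib
import random

PAGE_SIZE = 4096  # assumed page size; the abstract's "page aligned segments"


def build_reference_set(sections):
    """Map the SHA-1 of every full page of each known section to
    (section name, page index). `sections` is {name: bytes}, a constructed
    stand-in for the per-section data nistpe.py would hash."""
    ref = {}
    for name, data in sections.items():
        for idx in range(len(data) // PAGE_SIZE):  # trailing partial page is skipped
            page = data[idx * PAGE_SIZE:(idx + 1) * PAGE_SIZE]
            ref[hashlib.sha1(page).hexdigest()] = (name, idx)
    return ref


def scan_memory_image(image, ref):
    """Hash each page-aligned segment of a raw RAM image and return
    (offset, section name, page index) for every reference hit.
    Pages altered after load (e.g. relocation fix-ups) will not match;
    exact hashing only finds unmodified pages."""
    hits = []
    for offset in range(0, len(image) - PAGE_SIZE + 1, PAGE_SIZE):
        digest = hashlib.sha1(image[offset:offset + PAGE_SIZE]).hexdigest()
        if digest in ref:
            name, idx = ref[digest]
            hits.append((offset, name, idx))
    return hits


def demo():
    # Constructed sample: a two-page ".text" section of pseudo-random bytes.
    rng = random.Random(1)
    text = bytes(rng.getrandbits(8) for _ in range(2 * PAGE_SIZE))
    ref = build_reference_set({".text": text})
    image = (b"\x00" * (3 * PAGE_SIZE)   # unused pages
             + text                      # section mapped page-aligned: found
             + b"\xcc" * PAGE_SIZE       # unrelated page
             + b"\x00" * 100 + text)     # copy NOT page-aligned: not found
    return scan_memory_image(image, ref)


if __name__ == "__main__":
    for offset, name, idx in demo():
        print(f"offset 0x{offset:08x}: {name} page {idx}")
```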