Extending automatic memory forensics based malware detection with page type checking

Supervisor:
Dr. Félegyházi Márk
Department of Networked Systems and Services

There are several techniques for detecting a malware infection; one of them is analysing the contents of volatile memory (memory forensics). Many tools are available for acquiring and analysing a memory dump, but finding the relevant artifacts still requires a human analyst. Operating-system attributes can serve as such artifacts, indicating whether the system has been compromised. When a large number of malware samples has to be analysed, these tools should be automated in order to support the work of the human expert.

In my thesis I present the state-of-the-art memory forensics tools that are capable of malware analysis. First, I present a method for automating and further improving the functions of a chosen memory analyser, so that it can be applied to the analysis of large malware campaigns. The extended analyser is tested in a virtual environment designed specifically for memory forensics, in order to evaluate the detection rate of the algorithms against several malware families. Furthermore, these tools have an essential gap: they cannot interpret invalid pages, which limits the analysis to what is present in physical memory. In this thesis I extend the address translation logic, allowing the entire virtual memory of each process to be restored. Finally, I attempt to detect a well-known malware family by checking the page types of its pages, in order to present a novel method for detecting a specific malware.
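The two ideas above, interpreting invalid page-table entries instead of stopping at the valid bit, and summarising a process by the types of its pages, can be illustrated with a small classifier. The following is an added example, not code from the thesis or from any memory analyser; the bit positions (valid in bit 0, prototype in bit 10, transition in bit 11, page-frame number in bits 12..47, pagefile number in bits 1..4 and pagefile offset in the upper 32 bits) follow the commonly documented Windows x64 PTE layout and are stated here as an assumption, and all PTE values, the "physical memory" and the "pagefile" are constructed inline.

```python
"""Classify x64 page-table entries and resolve page contents from a dump.

Added example (not from the thesis). Assumed Windows x64 PTE layout:
  bit 0       Valid       (hardware PTE, page is in RAM)
  bit 10      Prototype   (software PTE, points at a prototype PTE)
  bit 11      Transition  (software PTE, frame still in RAM but not mapped)
  bits 12..47 page frame number (valid and transition PTEs)
  bits 1..4   pagefile number, bits 32..63 pagefile offset (paged-out PTE)
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

PAGE_SIZE = 0x1000
PTE_VALID = 1 << 0
PTE_PROTOTYPE = 1 << 10
PTE_TRANSITION = 1 << 11
PFN_MASK = ((1 << 36) - 1) << 12  # bits 12..47


@dataclass
class PteInfo:
    kind: str                          # valid, transition, prototype, pagefile, demand_zero, zero
    pfn: Optional[int] = None          # physical frame for valid/transition pages
    pagefile: Optional[int] = None     # pagefile number for paged-out pages
    pagefile_offset: Optional[int] = None  # page index inside that pagefile


def classify_pte(pte: int) -> PteInfo:
    """Return the page type encoded by a single 64-bit PTE."""
    if pte & PTE_VALID:
        return PteInfo("valid", pfn=(pte & PFN_MASK) >> 12)
    if pte == 0:
        return PteInfo("zero")  # never touched: no page, no backing store
    if pte & PTE_PROTOTYPE:
        return PteInfo("prototype")  # shared/mapped page, resolve via prototype PTE
    if pte & PTE_TRANSITION:
        # Invalid for the MMU, but the frame is still in RAM: readable from the dump.
        return PteInfo("transition", pfn=(pte & PFN_MASK) >> 12)
    pagefile_low = (pte >> 1) & 0xF
    pagefile_high = pte >> 32
    if pagefile_high:
        return PteInfo("pagefile", pagefile=pagefile_low, pagefile_offset=pagefile_high)
    return PteInfo("demand_zero")  # only protection bits set: page not yet materialised


def resolve_page(pte: int, physical: Dict[int, bytes],
                 pagefiles: Dict[int, bytes]) -> Tuple[str, Optional[bytes]]:
    """Translate one PTE into page contents using a physical dump and pagefile images.

    Returns (page type, 4 KiB of data or None when the page cannot be restored).
    """
    info = classify_pte(pte)
    if info.kind in ("valid", "transition"):
        return info.kind, physical.get(info.pfn)
    if info.kind == "pagefile":
        image = pagefiles.get(info.pagefile)
        if image is None:
            return info.kind, None
        start = info.pagefile_offset * PAGE_SIZE
        data = image[start:start + PAGE_SIZE]
        return info.kind, data if len(data) == PAGE_SIZE else None
    return info.kind, None  # prototype, demand-zero and zero pages need other sources


def page_type_histogram(ptes: List[int]) -> Dict[str, int]:
    """Count page types over a process's PTEs, the 'page type check' summary."""
    return dict(Counter(classify_pte(p).kind for p in ptes))


# Constructed sample data: two frames in "RAM" and one pagefile with a page at index 3.
SAMPLE_PHYSICAL = {0x12345: b"A" * PAGE_SIZE, 0xABCDE: b"B" * PAGE_SIZE}
SAMPLE_PAGEFILES = {1: b"\x00" * (3 * PAGE_SIZE) + b"C" * PAGE_SIZE}
SAMPLE_PTES = [
    0x8000000012345867,  # valid, NX, PFN 0x12345
    0x00000000ABCDE880,  # transition, PFN 0xABCDE
    0x0000000000000400,  # prototype PTE
    (3 << 32) | (1 << 1),  # paged out: pagefile 1, offset 3
    0x0000000000000020,  # demand-zero (protection bits only)
    0x0000000000000000,  # zero
]

if __name__ == "__main__":
    for pte in SAMPLE_PTES:
        kind, data = resolve_page(pte, SAMPLE_PHYSICAL, SAMPLE_PAGEFILES)
        print(f"{pte:#018x} {kind:12s} {'restored' if data else 'not restorable'}")
    print(page_type_histogram(SAMPLE_PTES))
```

A stock page-table walk returns data only for the first entry; treating transition and pagefile-backed entries as resolvable is what turns a physical-memory view into the per-process virtual memory the abstract describes, and the histogram is the kind of per-process feature that a page-type check can compare against a known profile.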
