Scanning memory with Yara. (March 2017)
- Record Type:
- Journal Article
- Title:
- Scanning memory with Yara. (March 2017)
- Main Title:
- Scanning memory with Yara
- Authors:
- Cohen, Michael
- Abstract:
- Memory analysis has been successfully utilized to detect malware in many high-profile cases. The use of signature scanning to detect malicious tools is becoming an effective triaging and first-response technique. In particular, the Yara library and scanner have emerged as the de facto standard in malware signature scanning for files, and there are many open source repositories of Yara rules. Previous attempts to incorporate Yara scanning in memory analysis yielded mixed results. This paper examines the differences between applying Yara signatures on files and in memory, and how Yara signatures can be developed to effectively search for malware in memory. For the first time we document a technique to identify the process owner of a physical page using the Windows PFN database. We use this to develop a context-aware Yara scanning engine which can scan all processes simultaneously using a single pass over the physical image.
- Is Part Of:
- Digital investigation. Volume 20(2016)
- Journal:
- Digital investigation
- Issue:
- Volume 20(2016)
- Issue Display:
- Volume 20, Issue 2016 (2016)
- Year:
- 2016
- Volume:
- 20
- Issue:
- 2016
- Issue Sort Value:
- 2016-0020-2016-0000
- Page Start:
- 34
- Page End:
- 43
- Publication Date:
- 2017-03
- Subjects:
- Memory analysis -- Reverse engineering -- Windows internals -- Operating system -- Forensic analysis -- Malware detection -- Intrusion detection
- Forensic sciences -- Data processing -- Periodicals
- Criminal investigation -- Data processing -- Periodicals
- 363.250285
- Journal URLs:
- http://www.sciencedirect.com/science/journal/17422876
- http://www.elsevier.com/journals
- DOI:
- 10.1016/j.diin.2017.02.005
- Languages:
- English
- ISSNs:
- 1742-2876
- Deposit Type:
- Legaldeposit
- View Content:
- Available online (eLD content is only available in our Reading Rooms)
- Physical Locations:
- British Library DSC - 3588.396620
- British Library DSC - BLDSS-3PM
- British Library STI - ELD Digital store
- Ingest File:
- 166.xml