Paging All Windows Geeks – Finding Evil in Windows 10 Compressed Memory

Black Hat USA 2019

Presented by: Dimiter Andonov, Omar Sardar
Date: Thursday August 08, 2019
Time: 17:00 - 18:00
Location: Lagoon JKL

FireEye's FLARE team analyzed the Windows 10 memory compression implementation to enable access to data in the newly introduced (and undocumented) virtual store. This closes the door to malware evading detection during memory forensic analysis. We open source and present this work to help advance the state of the art in computer forensics.

Traditionally, a complete Windows memory inspection only required forensic tools to parse physical memory and fill in any missing gaps from the page file. Each page in memory, whether it resided in physical memory or the pagefile, could be inspected by simply viewing the contents. The deployment of the virtual store has upended this well-understood paradigm by introducing compressed pages. To inspect pages in the virtual store, the analysis tools must be able to identify which pages are compressed, locate and decompress the contents for inspection. The results of the research are open-sourced in the form of Volatility and Rekall plugins to benefit IR investigators and forensicators.

This presentation focuses on the details of the memory compression implementation in Windows 10, and explores the undocumented structures and algorithms involved in the process. The information in this presentation will enable the community to support new Windows 10 builds in their forensic tools of choice. The FLARE team is releasing a tool to automate the process of structure extraction on new Windows builds. The tool leverages the FLARE-EMU emulation framework to automatically generate the undocumented structures.

Omar Sardar

Omar Sardar is a reverse engineer on FireEye's FLARE team. He is responsible for analyzing the Windows 10 kernel to support FireEye product development. Prior to the FLARE team, Omar specialized in developing and reverse engineering embedded systems with a focus on the USB protocol. Omar enjoys road biking, pizza, and espresso.

Dimiter Andonov

Dimiter Andonov is a Senior Staff Reverse Engineer on the FireEye's FLARE team. He has specialized on low level malware, including bootkits and rootkits. Dimiter has over 12 years of experience as a reverse engineer and another 20 as an Assembly/C/C++ programmer. Prior to joining FLARE, Dimiter has worked in the Antivirus industry, leading the AV labs for Sunbelt Software, GFI, and ThreatTrack Security. In addition to the daily malware reversing, he currently works on reversing parts of the Windows 10 OS to provide support for the FireEye products.


KhanFu - Mobile schedules for INFOSEC conferences.
Mobile interface | Alternate Formats