Applying user-mode memory scanning on Windows NT

Eric Uday Kumar Authentium

  download slides (PDF)

Memory-resident malware and malware persistent over reboots have since long been the most challenging to detect and deactivate. Such types of malware can conceal their presence (defensive techniques), thwart termination or removal (armouring techniques), lower system security, and terminate or suspend security applications (offensive techniques). Memory scanning plays a vital role in detecting and deactivating these types of malware.

Implementing a memory scanner for Windows NT-based systems is particularly challenging due to the complexity of the executing environment. While memory scanning can be implemented in both kernel mode and user mode, this content is confined to user-mode memory scanning, for 32-bit and 64-bit Windows NT-based systems. This essentially means scanning the virtual address space of each process in memory, as well as its associated objects in memory and on physical disk, as seen from user mode. Here, we will discuss examples from real-world malware scenarios that demonstrate a few anti-detection and anti-disinfection techniques, and find how memory scanning can be applied to overcome some of them. Certain techniques to detect hidden processes from user mode will also be presented. The limitations of user-mode memory scanning will also be discussed.


We have placed cookies on your device in order to improve the functionality of this site, as outlined in our cookies policy. However, you may delete and block all cookies from this site and your use of the site will be unaffected. By continuing to browse this site, you are agreeing to Virus Bulletin's use of data as outlined in our privacy policy.