Uninformed: Informative Information for the Uninformed

Vol 4» 2006.Jun


So far the memory signatures discussed have been fairly straight forward and for the most part are simply a binary comparison with a specific value. Later in this paper ([*]), a technique called N-depth pointer validation will be discussed as a method of developing a more effective signature in situations where pointer based memory signatures are attempted to be evaded.

Another way of considering an object field as a signature is to validate it in terms of its characteristics instead of by its value. A common example of this would be to validate an object field LIST_ENTRY. Validating a LIST_ENTRY structure can be done as follows:

Entry == Entry->Flink->Blink == Entry->Blink->Flink.

A pointer to any object or memory allocation can also be checked using the function shown previously, named ValidatePoolBlock. Even a UNICODE_STRING.Buffer can be validated this way provided the allocation is less then PAGE_SIZE.