Informative Information for the Uninformed
Miscellaneous
So far the memory signatures discussed have been fairly straightforward
and for the most part are simply a binary comparison with a
specific value. Later in this paper ( Another way of considering an object field as a signature is to validate it in terms of its characteristics instead of by its value. A common example of this would be to validate an object field LIST_ENTRY. Validating a LIST_ENTRY structure can be done as follows:
Entry == Entry->Flink->Blink == Entry->Blink->Flink.
A pointer to any object or memory allocation can also be checked using the function shown previously, named ValidatePoolBlock. Even a UNICODE_STRING.Buffer can be validated this way, provided the allocation is less than PAGE_SIZE.
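The LIST_ENTRY check above, written out as an added example (not code from the paper). The `REGION` bounds test is a hypothetical stand-in for whatever address validation the scanner uses, and the sample ring in `check_sample` is constructed; the point it shows is that Flink and Blink must each be verified before they are followed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Same layout as the Windows LIST_ENTRY, redefined so the example builds anywhere. */
typedef struct list_entry { struct list_entry *Flink, *Blink; } LIST_ENTRY;

/* Hypothetical bounds of the memory being scanned (a pool block, a mapped dump). */
typedef struct { const uint8_t *base; size_t size; } REGION;

/* Follow a pointer only if an aligned LIST_ENTRY at that address fits in the region. */
static int ptr_in_region(const REGION *r, const LIST_ENTRY *p)
{
    uintptr_t a = (uintptr_t)p, b = (uintptr_t)r->base;
    if (p == NULL || a % sizeof(void *) != 0 || r->size < sizeof(LIST_ENTRY))
        return 0;
    return a >= b && a - b <= r->size - sizeof(LIST_ENTRY);
}

/* Entry == Entry->Flink->Blink == Entry->Blink->Flink, with every hop checked first. */
int validate_list_entry(const REGION *r, const LIST_ENTRY *e)
{
    if (!ptr_in_region(r, e)) return 0;
    if (!ptr_in_region(r, e->Flink) || !ptr_in_region(r, e->Blink)) return 0;
    return e->Flink->Blink == e && e->Blink->Flink == e;
}

/* Constructed sample: three entries in a ring; mode picks a corruption of n[1]'s links. */
int check_sample(int mode)
{
    LIST_ENTRY n[3], outside = { NULL, NULL };
    REGION r = { (const uint8_t *)n, sizeof n };
    for (int i = 0; i < 3; i++) {
        n[i].Flink = &n[(i + 1) % 3];
        n[i].Blink = &n[(i + 2) % 3];
    }
    if (mode == 1) n[2].Blink = &n[0];      /* next entry no longer links back */
    if (mode == 2) n[1].Flink = &outside;   /* pointer leaves the scanned region */
    if (mode == 3) n[1].Blink = NULL;       /* zeroed or freed field */
    if (mode == 4) n[1].Flink = n[1].Blink = &n[1]; /* empty list head: still valid */
    return validate_list_entry(&r, &n[1]);
}

int main(void)
{
    for (int mode = 0; mode <= 4; mode++)
        printf("mode %d -> %s\n", mode, check_sample(mode) ? "valid" : "rejected");
    return 0;
}
```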