Paging All Windows Geeks – Finding Evil in Windows 10 Compressed Memory

Conference:  BlackHat USA 2019



FireEye's FLARE team analyzed the Windows 10 memory compression implementation to enable access to data in the newly introduced (and undocumented) virtual store. This closes the door to malware evading detection during memory forensic analysis. We open source and present this work to help advance the state of the art in computer forensics.

Traditionally, a complete Windows memory inspection only required forensic tools to parse physical memory and fill in any missing gaps from the page file. Each page in memory, whether it resided in physical memory or the pagefile, could be inspected by simply viewing the contents. The deployment of the virtual store has upended this well-understood paradigm by introducing compressed pages. To inspect pages in the virtual store, the analysis tools must be able to identify which pages are compressed, locate and decompress the contents for inspection. The results of the research are open-sourced in the form of Volatility and Rekall plugins to benefit IR investigators and forensicators.

This presentation focuses on the details of the memory compression implementation in Windows 10, and explores the undocumented structures and algorithms involved in the process. The information in this presentation will enable the community to support new Windows 10 builds in their forensic tools of choice. The FLARE team is releasing a tool to automate the process of structure extraction on new Windows builds. The tool leverages the FLARE-EMU emulation framework to automatically generate the undocumented structures.