Windows NT pagefile.sys Virtual Memory Analysis


As hard disk encryption, RAM disks, persistent data avoidance technology and memory resident malware become morewidespread, memory analysis becomes more important. In order to provide more virtual memory than is actually physicalpresent on a system, an operating system may transfer frames of memory to a pagefile on persistent storage. Current memoryanalysis software does not incorporate such pagefiles and thus misses important information.

We therefore present a detailedanalysis of Windows NT paging. We use dynamic gray-box analysis, in which we place known data into virtual memory andexamine where it is mapped to, in either the physical memory or the pagefile, and cross-reference these findings with theWindows NT Research Kernel source code. We demonstrate how to decode the non-present page table entries, and accuratelyreconstruct the complete virtual memory space, including non-present memory pages on Windows NT systems using 32-bit,PAE or IA32e paging. Our analysis approach can be used to analyze other operating systems as well.