
Learning Malware Analysis by Monnappa K A


4.1.1 Examining the _EPROCESS Structure

To examine the _EPROCESS structure and the kind of information it contains, you can use a kernel debugger such as WinDbg. WinDbg helps in exploring and understanding the operating system data structures, which is often an important aspect of memory forensics. To install WinDbg, you need to install the "Debugging Tools for Windows" package, which is included as part of the Windows SDK (refer to https://docs.microsoft.com/en-us/windows-hardware/drivers/debugger/index for the different installation options). Once the installation is complete, you can find WinDbg.exe in the installation directory (in my case, it is located in C:\Program Files (x86)\Windows Kits\8.1\Debuggers\x64). Next, download the LiveKD utility ...
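The debugger session below is an added example and is not text from the book. It assumes a live kernel session on 64-bit Windows opened with LiveKD (livekd -w launches WinDbg against the running kernel) and that notepad.exe is running; both are assumptions. The field names are those of _EPROCESS, but the offsets that dt prints differ between Windows builds, which is why memory-forensics tools read them from symbols rather than hard-coding them.

```windbg
$$ Load symbols for the running kernel (nt) from the Microsoft public symbol server.
.symfix
.reload

$$ Dump the layout of _EPROCESS: every field with its offset and type for this build.
dt nt!_EPROCESS

$$ Restrict the dump to the fields that process enumeration in memory forensics
$$ relies on: image name, PID, process-list links, PEB, token and VAD tree root.
dt nt!_EPROCESS ImageFileName UniqueProcessId ActiveProcessLinks Peb Token VadRoot

$$ Locate one process. Assumption: notepad.exe is running. The first line of the
$$ output begins "PROCESS <address>"; that address is the _EPROCESS of notepad.exe.
!process 0 0 notepad.exe

$$ Dump that process's own field values. Replace <address> with the value printed
$$ by !process.
dt nt!_EPROCESS <address> ImageFileName UniqueProcessId ActiveProcessLinks

$$ Walk ActiveProcessLinks, the doubly linked list that ties every _EPROCESS
$$ together, printing the name and PID of each entry. Because -t names the
$$ containing type and link field, !list sets @$extret to the start of each
$$ _EPROCESS rather than to the embedded LIST_ENTRY.
!list -t nt!_EPROCESS.ActiveProcessLinks.Flink -x "dt nt!_EPROCESS @$extret ImageFileName UniqueProcessId" <address>
```

The list walk is the same traversal that a process listing performs: start at any _EPROCESS, follow Flink until the list returns to its starting node. A process that has been unlinked from ActiveProcessLinks (the DKOM hiding technique) still runs, because scheduling works from thread objects, but it will be absent from this walk; that is why forensic tools also locate _EPROCESS objects by scanning memory for their pool tag and compare the two views.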
