To research the existing techniques of scanning process space in Windows, new methods different from traditional technology using structure scanning to unearth process space deeply was brought forth. These methods use of the inherent characteristics of process based on the important data structures in RAM, especially VAD binary tree and stack for specific function, then realize the extraction of key information. Experiments show that these methods are of higher reliability and efficiency.%文章对现有的Windows环境下进程空间扫描技术进行了研究,提出了与传统的结构体扫描技术截然不同的进程空间深度挖掘方法。该方法利用进程的固有特征,通过内存中重要的数据结构,特别是实现特定功能所必需的VAD二叉树及栈,实现了关键信息的抽取。实验表明,所述方法具有较好的可靠性及检测效率。
展开▼
