VAD
- "The Virtual Address Descriptor, commonly known as the "VAD", is a fundamental component in the memory management system of the Windows operating system. Primarily it is responsible for managing and tracking the memory allocations within a process's virtual address space."[1]
- TBH, still a little over my head, but the key here is that there are certain expected VAD values, and specific tags can be an indication of compromise, and are used by Volatility's malfind to identify code and DLLs.
  - e.g., Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
- Memory sections should be designated as either "READ" or "WRITE", not both
- Because dynamically allocated memory regions can change at runtime, code placed in them is harder to find with static analysis.
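Added example (not from the note or from the Volatility project): a small triage script that parses malfind-style output and flags exactly the pattern described above, a private `VadS` region whose protection is both writable and executable, plus the classic follow-up check of whether the region starts with an `MZ` header. The input text is a constructed sample shaped like Volatility 2 malfind output, not output from a real memory image; the process names, PIDs and addresses are made up.

```python
"""Triage helper over Volatility malfind-style text output.

The sample below is constructed to look like Volatility 2 `malfind`
output; it is not taken from any real memory image.
"""
import re
from dataclasses import dataclass

SAMPLE_MALFIND = """\
Process: explorer.exe Pid: 1860 Address: 0x2f10000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 1, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x02f10000  4d 5a 90 00 03 00 00 00 04 00 00 00 ff ff 00 00   MZ..............
0x02f10010  b8 00 00 00 00 00 00 00 40 00 00 00 00 00 00 00   ........@.......

Process: notepad.exe Pid: 2212 Address: 0x1a0000
Vad Tag: VadS Protection: PAGE_READWRITE
Flags: CommitCharge: 4, MemCommit: 1, PrivateMemory: 1, Protection: 4

0x001a0000  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00   ................

Process: jitapp.exe Pid: 3100 Address: 0x5c0000
Vad Tag: VadS Protection: PAGE_EXECUTE_READWRITE
Flags: CommitCharge: 8, MemCommit: 1, PrivateMemory: 1, Protection: 6

0x005c0000  55 8b ec 83 ec 10 53 56 57 8b 7d 08 8b f1 33 db   U.....SVW.}..3.
"""

HEADER_RE = re.compile(r"^Process:\s+(?P<proc>\S+)\s+Pid:\s+(?P<pid>\d+)\s+Address:\s+(?P<addr>0x[0-9a-fA-F]+)")
VAD_RE = re.compile(r"^Vad Tag:\s+(?P<tag>\S+)\s+Protection:\s+(?P<prot>\S+)")
# One hexdump row: address, then up to 16 "xx " byte pairs, then the ASCII column.
HEX_RE = re.compile(r"^0x[0-9a-fA-F]+\s+((?:[0-9a-fA-F]{2} ){1,16})")

# Page protections that grant write and execute on the same region.
WRITE_AND_EXEC = {"PAGE_EXECUTE_READWRITE", "PAGE_EXECUTE_WRITECOPY"}


@dataclass
class VadRegion:
    process: str
    pid: int
    address: int
    tag: str = ""
    protection: str = ""
    private: bool = False
    head: bytes = b""   # first bytes of the region, taken from the hexdump rows

    def writable_and_executable(self) -> bool:
        return self.protection in WRITE_AND_EXEC

    def looks_like_pe(self) -> bool:
        return self.head.startswith(b"MZ")


def parse_malfind(text: str) -> list:
    """Turn malfind text into VadRegion records, one per 'Process:' header."""
    regions, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            cur = VadRegion(m["proc"], int(m["pid"]), int(m["addr"], 16))
            regions.append(cur)
            continue
        if cur is None:
            continue
        m = VAD_RE.match(line)
        if m:
            cur.tag, cur.protection = m["tag"], m["prot"]
            continue
        if line.startswith("Flags:") and "PrivateMemory: 1" in line:
            cur.private = True
            continue
        m = HEX_RE.match(line)
        if m:
            cur.head += bytes.fromhex(m.group(1))
    return regions


def triage(regions: list) -> list:
    """Return (region, reasons) pairs for regions that deserve a second look."""
    findings = []
    for r in regions:
        reasons = []
        if r.tag == "VadS" and r.writable_and_executable():
            reasons.append("private (VadS) region is both writable and executable")
        if r.looks_like_pe():
            reasons.append("region begins with an MZ header (PE image in private memory)")
        if reasons:
            findings.append((r, reasons))
    return findings


if __name__ == "__main__":
    for region, reasons in triage(parse_malfind(SAMPLE_MALFIND)):
        print(f"{region.process} (pid {region.pid}) @ {region.address:#x} "
              f"[{region.tag} {region.protection}]")
        for reason in reasons:
            print("   -", reason)
```

Run it against a saved malfind dump by replacing `SAMPLE_MALFIND` with the file contents. The RWX-in-`VadS` rule is a triage signal rather than proof: JIT runtimes and some packers allocate writable, executable private memory legitimately, which is why the `MZ` check is reported as a separate reason and the two together rank higher than either alone.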
Metadata
Sources
- BSODTutorials: Virtual Address Descriptors (VADs) - !vad
- The VAD tree: A process-eye view of physical memory - ScienceDirect
- Understanding the VAD tree
- APT Memory and Malware Challenge Solution | SANS Institute