
Obtaining method of network information under Vista operating system

An operating-system technology and acquisition method, applied in the field of computer forensics, that solves the problem of being unable to obtain network connection information and provides a reliable acquisition method with a wide range of applications.

Inactive Publication Date: 2010-06-09
SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN
Cites 1, Cited by 8

AI Technical Summary

Problems solved by technology

[0008] The method for finding the above network connection information is simple and feasible, but it is only applicable to Windows XP and not to any version of the Vista operating system: under Vista, AddrObjTable and ObjTable are no longer variables in tcpip.sys, so network connection information cannot be obtained with the above method.



Embodiment Construction

[0045] Referring to the attached Figures 4 and 12, a method for obtaining network information under the Vista operating system comprises the following steps:

[0046] 1) Obtain the virtual address of the base address of the tcpip.sys module through physical memory analysis;

[0047] 2) Add to the base virtual address obtained in step 1) the offset between that base address and the data structure TcpEndpointPool under the current operating system, giving the virtual address of TcpEndpointPool;

[0048] 3) Convert the virtual address obtained in step 2) into a physical address according to the address translation rule of the current operating system, and locate the first position pointed to by that physical address in the memory image;

[0049] 4) Read the first 4 bytes at the first position located in step 3) as a virtual address, convert it to a physical address, and locate the second position pointed t...
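The steps above describe a pointer walk through a memory image: base address plus a version-specific offset gives the TcpEndpointPool virtual address, each virtual address is translated to a physical offset in the image, and the 4-byte FLINK pointers of the doubly linked list are followed from node to node. The following Python is an added example, not code from the patent or its assignee, that generalises steps 2) to 4) into a full traversal of such a list over a constructed toy image. Everything version-specific is an assumption and is labelled as such: `PAGE_MAP` is a flat page map standing in for the real x86 page-table walk, `NODE_FMT` is an invented 20-byte node layout (the real TcpEndpointPool node layout and the base-to-pool offset are not given on this page), and the addresses and connections are constructed sample data. The walker adds the integrity checks a forensic analyst wants on a possibly smeared image: unmapped pages, a node budget, a visited-set cycle guard, and a BLINK-points-back consistency check.

```python
import struct
import ipaddress

PAGE_SIZE = 0x1000

# Assumption: toy virtual-page -> physical-page map that stands in for the
# real Windows page-table walk. Keys/values are page numbers (VA >> 12).
PAGE_MAP = {0x8A400: 0x1, 0x8A401: 0x2, 0x8A402: 0x3, 0x8A403: 0x4}

# Assumption: invented list-node layout, little-endian:
#   FLINK u32 | BLINK u32 | local IP 4s | local port u16 | remote IP 4s | remote port u16
NODE_FMT = "<II4sH4sH"
NODE_SIZE = struct.calcsize(NODE_FMT)   # 20 bytes


def virt_to_phys(va, page_map=PAGE_MAP):
    """Step 3): translate a virtual address to an offset in the physical image."""
    vpn, off = va >> 12, va & (PAGE_SIZE - 1)
    if vpn not in page_map:
        raise ValueError(f"virtual page {vpn:#x} is not mapped")
    return (page_map[vpn] << 12) | off


def read_u32(image, pa):
    """Read a 4-byte little-endian pointer at a physical offset."""
    return struct.unpack_from("<I", image, pa)[0]


def build_sample_image():
    """Construct a toy physical-memory image (NOT a real Vista dump): a fake
    tcpip.sys base page, a list head at base+offset, and three endpoint nodes
    linked as a circular doubly linked list."""
    image = bytearray(PAGE_SIZE * 6)
    tcpip_base_va = 0x8A400000
    pool_offset = 0x2C0                      # assumed base-to-TcpEndpointPool distance
    pool_va = tcpip_base_va + pool_offset
    node_vas = [0x8A402000, 0x8A402040, 0x8A403100]
    conns = [
        ("192.168.1.10", 49152, "203.0.113.5", 443),
        ("192.168.1.10", 49153, "198.51.100.7", 80),
        ("10.0.0.3", 3389, "192.0.2.44", 50123),
    ]
    # The list head holds only FLINK and BLINK.
    struct.pack_into("<II", image, virt_to_phys(pool_va), node_vas[0], node_vas[-1])
    for i, (va, (lip, lport, rip, rport)) in enumerate(zip(node_vas, conns)):
        flink = node_vas[i + 1] if i + 1 < len(node_vas) else pool_va
        blink = node_vas[i - 1] if i > 0 else pool_va
        struct.pack_into(NODE_FMT, image, virt_to_phys(va), flink, blink,
                         ipaddress.IPv4Address(lip).packed, lport,
                         ipaddress.IPv4Address(rip).packed, rport)
    return bytes(image), tcpip_base_va, pool_offset


def walk_endpoint_pool(image, tcpip_base_va, pool_offset, max_nodes=4096):
    """Steps 2)-4) generalised: compute the pool VA, translate it, then follow
    FLINK pointers until the list returns to its head. Returns a list of
    (local_ip, local_port, remote_ip, remote_port). Raises on an unmapped
    page, a cycle that skips the head, a runaway list, or a BLINK that does
    not point back to the previous node, all of which indicate a corrupt or
    smeared image rather than a valid list."""
    pool_va = tcpip_base_va + pool_offset
    cur_va = read_u32(image, virt_to_phys(pool_va))   # head.FLINK
    prev_va = pool_va
    seen = set()
    results = []
    while cur_va != pool_va:
        if cur_va in seen or len(results) >= max_nodes:
            raise RuntimeError(f"list cycle or runaway at {cur_va:#010x}")
        seen.add(cur_va)
        flink, blink, lip, lport, rip, rport = struct.unpack_from(
            NODE_FMT, image, virt_to_phys(cur_va))
        if blink != prev_va:
            raise RuntimeError(
                f"BLINK mismatch at {cur_va:#010x}: {blink:#010x} != {prev_va:#010x}")
        results.append((str(ipaddress.IPv4Address(lip)), lport,
                        str(ipaddress.IPv4Address(rip)), rport))
        prev_va, cur_va = cur_va, flink
    return results


def corrupt_second_node_blink(image, tcpip_base_va, pool_offset):
    """Return a copy of the image with the second node's BLINK overwritten,
    simulating a partially overwritten page in a smeared dump."""
    img = bytearray(image)
    pool_va = tcpip_base_va + pool_offset
    first_va = read_u32(img, virt_to_phys(pool_va))
    second_va = read_u32(img, virt_to_phys(first_va))
    struct.pack_into("<I", img, virt_to_phys(second_va) + 4, 0xDEADBEEF)
    return bytes(img)


if __name__ == "__main__":
    img, base, off = build_sample_image()
    for conn in walk_endpoint_pool(img, base, off):
        print("%s:%d -> %s:%d" % conn)
```

On a real image the only parts that change are `virt_to_phys` (a genuine page-table walk using the directory table base of the kernel), `NODE_FMT` (the node layout for the exact Vista build under analysis) and `pool_offset` (the per-build distance between the tcpip.sys base and TcpEndpointPool); the traversal and its integrity checks stay the same.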


Abstract

The invention discloses a method for obtaining network information under a Vista operating system, which comprises the following steps: obtaining the virtual address of the base address of the tcpip.sys module through physical memory analysis, obtaining from that base address the virtual address of the doubly linked list TcpEndpointPool, and obtaining network connection information by traversing the doubly linked list. The obtaining method has the advantages of high reliability and high speed.

Description

Technical field

[0001] The present invention relates to a method for obtaining network information under the Windows Vista operating system. The method searches for network connection information in Windows Vista physical memory image files, to be applied to information security incidents and to the investigation and evidence collection of various computer network crime cases, and belongs to the technology field of computer forensics.

Background technique

[0002] In the field of computer online forensics technology, because network connection information can describe the communication between the computer under investigation and the outside world, it can be used as important evidence to judge whether the person under investigation is engaging in illegal network activities. Network connection information resides in physical memory as volatile data, and its acquisition depends on a correct physical memory analysis method. In order to promote the development of physical memory...


Application Information

IPC(8): G06F9/44, G06F12/06
Inventors: 王英龙, 徐丽娟, 王连海
Owner SHANDONG COMP SCI CENTNAT SUPERCOMP CENT IN JINAN