Abstract. Examining and modifying data of interest in the memory of a target
program is an important capability for security applications such as memory
forensics, rootkit detection, game hacking, and virtual machine introspection. In
this paper we present a novel memory graph based approach for program data
introspection and modification, which does not require source code, debugging
symbols, or any API in the target program. It takes as input a sequence of memory
snapshots taken while the program executes, and produces a path signature,
which can be used in different executions of the program to efficiently locate and
traverse the in-memory data structures where the data of interest is stored. We
have implemented our approach in a tool called SIGPATH. We have applied SIGPATH
to game hacking, building cheats for 10 popular real-time and turn-based
games, and for memory forensics, recovering from snapshots the contacts a user
has stored in four IM applications including Skype and Yahoo Messenger.
More here: http://software.imdea.org/~juanca/papers/sigpath_esorics14.pdf