This presentation introduced Volatility's new win32k suite - a set of plugins and APIs that make it possible to perform malware analysis and memory forensics based on artifacts in the Windows GUI subsystem. This subsystem plays a part in nearly everything you do and everything you see on a Windows computer, so it is rich with evidence, yet it was largely unexplored and undocumented from a malware and forensics perspective. There are not many tools, even for live systems, that can give you the type of visibility into this exciting realm of Windows internals that Volatility can now provide.
The topics discussed were also seen during the Month of Volatility Plugins, including sessions, clipboard data and clipboard snooping, window stations, desktops, desktop heaps, atoms and atom tables, USER handles, GDI timers, windows, message hooks, event hooks, and screenshots.
Author/presenter: Michael Ligh (@iMHLv2)
Direct link: Malware in the Windows GUI Subsystem