NoSyms: A neural network approach to detecting data structures in raw memory
Source: NIAID Data Ecosystem (indexed 2026-05-02)
Download link: https://zenodo.org/record/4977243
Description:
This data was used for experiments with graph convolutional neural networks for memory forensics as part of a bachelor thesis (included as a PDF).
Abstract:
This work presents a neural network based approach for data structure detection in raw memory that does not require an entirely matching description of the target data structure. Instead, it’s merely necessary to provide multiple descriptions of data structures similar to the target as training data in the form of debugging symbols. The core contribution of this work is a formal description and implementation of encoding data structure definitions as well as raw memory contents such that they can be processed by graph convolutional neural networks. A description and implementation of a neural network meant to detect data structures in the memory contents of a Linux Kernel demonstrates the practical applicability of the described approach.
The code is available on GitHub: https://github.com/NiklasBeierl/nosyms.
nokaslr_dump is the qemu memory snapshot used to test the model.
nokaslr.raw is the "raw" form of the snapshot as produced by Volatility 3's layerwriter plugin.
symbols-training-data contains the Volatility symbol JSON files from which training data was derived.
nokaslr_pointers.csv lists the kernel-space pointers in the snapshot, and
nokaslr_tasks.csv lists the task structs in the snapshot. Both were extracted via Volatility plugins that are included in the GitHub repo.
vmlinux-5.4.0-58-generic.json is the symbol file for the kernel the snapshot was taken from.
other-symbols.zip contains symbol files I generated for various other kernels but did not end up using; use at your own discretion.
Created:
2024-07-19