Pools Flashcards
Kernel Pool
A range of memory that can be divided up into smaller blocks for storing any type of data that a kernel-mode component (the NT module, a third-party device driver, etc.) requests. Similar to the heap, each allocated block has a header (_POOL_HEADER) that contains accounting and debugging information. You can use this extra data to attribute memory blocks back to the driver that owns them, and to an extent make inferences about the type of structures or objects contained within the allocation.
PoolType
Specifies the type of system memory to use for the allocation. NonPagedPool(0) and PagedPool(1) are the enumeration values for nonpageable and pageable memory.
ObCreateObject
A function in the kernel that is the central point from which all executive objects are created.
Tag (Pool Tag argument)
Specifies a four-byte value, typically composed of ASCII characters, that should uniquely identify the code path taken to produce the allocation.
ExAllocatePoolWithTag
The allocation function, called with the appropriate size, memory type, and tag arguments.
Pool Tag Scanning
Refers to finding allocations based on the four-byte tag. When you perform a scan, the tag is just your starting point.
Custom Constraints on Pool Tag Scanning
Volatility allows you to add custom constraints per object type. For example, if a process’ creation timestamp should never be zero, you can configure the scanner based on that knowledge.
CM25 & CM31 tag
The CM in these tag names stands for configuration manager, which is the kernel component that maintains the Windows Registry.
PoolTrackTable
Member of the _KDDEBUGGER_DATA64 data block that points to an array of _POOL_TRACKER_TABLE structures, one for each unique pool tag in use.