0. Abstract
1. Introduction
A. Memory images are voluminous.
B. We want a good way to divide up the address space.
C. String searches are useful, but a raw hit gives you no context.
D. VAD tree can provide a map of user-space memory allocated to a
process as it appears to the process -- shows ranges, mapped files.
2. Related Work
3. VAD Tree Structure
[Note: explicitly mention that virtual-to-physical mapping is not covered;
the topic has been beaten to death by others]
A. Basic Facts
i. Three types: Short, medium, long
ii. Binary tree.
iii. Lives in kernel pool.
B. Selected substructures
i. _CONTROL_AREA
ii. _FILE_OBJECT
C. In all tests, no portion of the tree was paged out or missing while the process was still running.
4. Tools
A. vaddump.py - Dumps memory ranges given in VAD tree
B. vadwalk.py - Shows tree structure as ASCII art, table, and GraphViz
C. vadinfo.py - Gives detailed info on VAD nodes, including
ControlArea, FileObject (for mapped files)
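Added illustration for sections 3 and 4 (not code from the paper or from the vaddump/vadwalk/vadinfo tools): a small model of a VAD tree that shows why the structure gives a per-process memory map and how it attributes a string-search hit to a range and a mapped file. It assumes the Windows XP-era _MMVAD fields StartingVpn, EndingVpn, LeftChild and RightChild, 4 KiB pages, and a mapped-file name standing in for the ControlArea -> FileObject chain; the tree contents and the page reader are constructed for the example.

```python
"""Constructed model of a VAD tree walk (illustration only, not Volatility's code).

Assumptions: node fields follow the XP-era _MMVAD layout (StartingVpn,
EndingVpn, LeftChild, RightChild), VPNs are 4 KiB page numbers, and the
mapped-file name stands in for the ControlArea -> FileObject chain that
vadinfo would resolve.  The tree contents below are made up.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

PAGE_SIZE = 0x1000


@dataclass
class Vad:
    starting_vpn: int                  # first page of the range
    ending_vpn: int                    # last page of the range (inclusive)
    mapped_file: Optional[str] = None  # None for private (non-file-backed) memory
    left: Optional["Vad"] = None
    right: Optional["Vad"] = None

    @property
    def start(self) -> int:
        return self.starting_vpn * PAGE_SIZE

    @property
    def end(self) -> int:              # exclusive end address
        return (self.ending_vpn + 1) * PAGE_SIZE


def insert(root: Optional[Vad], node: Vad) -> Vad:
    """Insert into the binary search tree keyed on StartingVpn (ranges never overlap)."""
    if root is None:
        return node
    if node.starting_vpn < root.starting_vpn:
        root.left = insert(root.left, node)
    else:
        root.right = insert(root.right, node)
    return root


def walk_inorder(node: Optional[Vad]) -> List[Vad]:
    """In-order traversal yields the nodes in ascending address order."""
    if node is None:
        return []
    return walk_inorder(node.left) + [node] + walk_inorder(node.right)


def memory_map(root: Vad) -> List[Tuple[int, int, Optional[str]]]:
    """The per-process map: (start, exclusive end, mapped file or None)."""
    return [(v.start, v.end, v.mapped_file) for v in walk_inorder(root)]


def lookup(root: Optional[Vad], address: int) -> Optional[Vad]:
    """Descend the tree to find the VAD covering a virtual address, if any."""
    node = root
    while node is not None:
        if address < node.start:
            node = node.left
        elif address >= node.end:
            node = node.right
        else:
            return node
    return None


def attribute_hit(root: Vad, address: int) -> str:
    """Give a string-search hit context: which range and which file it is in."""
    vad = lookup(root, address)
    if vad is None:
        return f"{address:#010x}: not in any VAD (unallocated or kernel space)"
    backing = vad.mapped_file or "private memory"
    return f"{address:#010x}: in {vad.start:#010x}-{vad.end - 1:#010x} ({backing})"


def ascii_tree(node: Optional[Vad], depth: int = 0) -> List[str]:
    """Pre-order rendering of the tree shape, one indented line per node."""
    if node is None:
        return []
    line = "  " * depth + f"{node.start:#010x}-{node.end - 1:#010x}"
    return [line] + ascii_tree(node.left, depth + 1) + ascii_tree(node.right, depth + 1)


def dump_range(vad: Vad, read_page: Callable[[int], Optional[bytes]]) -> Tuple[bytes, List[int]]:
    """Dump a VAD's pages; pages the reader cannot resolve (unmapped or paged
    out) are zero-filled and reported so the gap is visible in the output."""
    data = bytearray()
    missing: List[int] = []
    for addr in range(vad.start, vad.end, PAGE_SIZE):
        page = read_page(addr)
        if page is None:
            missing.append(addr)
            page = bytes(PAGE_SIZE)
        data += page
    return bytes(data), missing


def build_sample_tree() -> Vad:
    """Constructed process layout; the values are illustrative only."""
    root = None
    for node in (
        Vad(0x7C800, 0x7C8FF, r"\WINDOWS\system32\kernel32.dll"),
        Vad(0x00010, 0x0001F),                       # heap-like private region
        Vad(0x01000, 0x0100F, r"\WINDOWS\system32\notepad.exe"),
        Vad(0x7FFD0, 0x7FFDF),                       # PEB/TEB-like private region
    ):
        root = insert(root, node)
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for start, end, name in memory_map(tree):
        print(f"{start:#010x}-{end - 1:#010x} {name or ''}")
    print("\n".join(ascii_tree(tree)))
    print(attribute_hit(tree, 0x7C812345))
```

The in-order walk is what turns the tree into the map from section 1.D, `lookup` is the descent the memory manager itself performs, and `dump_range` shows the design choice a dumper has to make when a page is not present: zero-fill and record the gap rather than silently shortening the output.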
5. Future Work
A. Page file support (Buffalo paper)
B. Vista / Win2k3 (AVL trees)
C. Further methods of providing memory attribution (drivers/kernel space?)
D.
6. Conclusion
A. Example? (probably can't use sysmon.exe)
Open questions:
* Should I address the question "Why not walk all the PDEs?" ?
* Should I include a real-world example where the VAD structure gives
useful forensic info? If so, what? notepad.exe example with "Evil
string" ? More real-world "bad domain" example?