Making Volatility 15x Faster: Lessons from Reverse Engineering Windows Internals
Quick TL;DR

By using PROCESSOR_START_BLOCK instead of KDBG to locate the Windows kernel base, I reduced Volatility's analysis time from ~15 seconds to about 1 second on a 32GB RAM sample. See the merged code in Volatility.

Note: This method works only on x64 systems with no virtualization. Otherwise, Volatility gracefully falls back to KDBG scanning.

Introduction

Volatility and MemProcFS are both popular memory forensics tools, but they work differently under the hood. Volatility traditionally scans for a structure called KDBG (Kernel Debugger Block), which can be time-consuming for large memory captures. Meanwhile, MemProcFS uses the undocumented PROCESSOR_START_BLOCK approach, which is significantly faster on x64 systems with no virtualization.

...