Memory analysis is a crucial technique in digital forensics that enables investigators to examine the runtime state of a system through physical memory dumps. While significant advances have been made in memory forensics, the detection and analysis of Thread Local Storage (TLS) callbacks remain challenging due to their dual nature as both legitimate Windows constructs and potential vectors for malware execution. An early version of the TlsCheck plugin received recognition in the Volatility Plugin Contest 2024. In this paper, we present an enhanced version of TlsCheck for Volatility 3, designed to detect and analyze TLS callbacks in process memory. It implements precise detection of TLS callback tables through analysis of PE headers and memory structures, combined with disassembly of identified callback routines. The plugin supports both 32-bit and 64-bit architectures, offering investigators insights into callback locations, assembly behavior, and potential signs of suspicious activity. To enhance detection, we incorporate pattern matching using custom regular expressions and YARA rules, helping analysts identify specific code patterns or suspicious constructs within TLS callbacks. The framework also includes instruction-level analysis to highlight behavior often linked to malware, such as anti-debugging, code injection, and process manipulation. This implementation significantly improves defenders' ability to detect and investigate TLS-based threats during memory forensics, supporting more effective malware analysis and incident response operations.
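The PE-header walk the abstract describes (DOS header to NT headers, then the TLS data directory and its AddressOfCallBacks array, for both PE32 and PE32+) written out as an added Python example; this is not the TlsCheck plugin's own code, and the sample PE32+ image below is constructed here with hypothetical callback addresses.

```python
import struct
IMAGE_DIRECTORY_ENTRY_TLS = 9  # index of the TLS entry in the optional header's data directories

def tls_callbacks(image: bytes):
    """Walk a memory-mapped PE image and return (ImageBase, [TLS callback VAs])."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]        # DOS header -> NT headers
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    opt = e_lfanew + 24                                         # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic == 0x10B:       # PE32: 4-byte pointers, ImageBase at +28, data directories at +96
        ptr, fmt, base_off, dd_off = 4, "<I", 28, 96
    elif magic == 0x20B:     # PE32+: 8-byte pointers, ImageBase at +24, data directories at +112
        ptr, fmt, base_off, dd_off = 8, "<Q", 24, 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    image_base = struct.unpack_from(fmt, image, opt + base_off)[0]
    tls_rva, _size = struct.unpack_from("<II", image, opt + dd_off + 8 * IMAGE_DIRECTORY_ENTRY_TLS)
    if tls_rva == 0:
        return image_base, []                                   # module has no TLS directory
    # IMAGE_TLS_DIRECTORY: StartAddressOfRawData, EndAddressOfRawData, AddressOfIndex, AddressOfCallBacks (VAs)
    callbacks_va = struct.unpack_from(fmt, image, tls_rva + 3 * ptr)[0]
    if callbacks_va == 0:
        return image_base, []
    off = callbacks_va - image_base                             # VA -> RVA; in a mapped image RVA == offset
    found = []
    while off + ptr <= len(image):                              # stop at the NULL terminator or image end
        cb = struct.unpack_from(fmt, image, off)[0]
        if cb == 0:
            break
        found.append(cb)
        off += ptr
    return image_base, found

def build_sample_pe64(image_base=0x140000000, callbacks=(0x140001000, 0x140001200)):
    """Constructed minimal PE32+ image (not a real binary) carrying a TLS directory."""
    img = bytearray(0x300)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                    # e_lfanew
    img[0x80:0x84] = b"PE\0\0"
    struct.pack_into("<HH", img, 0x84, 0x8664, 0)               # Machine = AMD64, NumberOfSections
    struct.pack_into("<H", img, 0x84 + 16, 240)                 # SizeOfOptionalHeader
    opt = 0x98
    struct.pack_into("<H", img, opt, 0x20B)                     # PE32+ magic
    struct.pack_into("<Q", img, opt + 24, image_base)
    struct.pack_into("<II", img, opt + 112 + 8 * 9, 0x200, 40)  # TLS data directory: RVA, size
    struct.pack_into("<Q", img, 0x200 + 24, image_base + 0x240) # AddressOfCallBacks
    for i, cb in enumerate(callbacks):
        struct.pack_into("<Q", img, 0x240 + 8 * i, cb)          # NULL-terminated (buffer is zeroed)
    return bytes(img)
```

A real plugin would read the image through the process address space rather than a flat buffer, and then disassemble each returned VA; the enumeration itself is the same.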