Abstract

Internet Information Services (IIS) is a Microsoft-developed web server designed with a modular architecture to foster extensibility. Its worker process loads all IIS modules when the server receives a request, and native modules operate with the same level of access as the worker process. This built-in persistence and resource access make malicious modules powerful post-compromise tools. This thesis focuses on identifying all native modules in the system by analyzing volatile memory. Through binary analysis of the worker process, we identify critical data structures containing information about system modules. We developed two Volatility plugins to assist in detecting these modules and extracting critical information, offering valuable tools for memory forensics of IIS web servers.

Details

1010268
Business indexing term
Title: IIScan: Detection and Analysis of IIS Native Modules in Volatile Memory
Number of pages: 43
Publication year: 2025
Degree date: 2025
School code: 0107
Source: MAI 87/5(E), Masters Abstracts International
ISBN: 9798265413277
University/institution: Louisiana State University and Agricultural & Mechanical College
University location: United States -- Louisiana
Degree: M.S.
Source type: Dissertation or Thesis
Language: English
Document type: Dissertation/Thesis
Dissertation/thesis number: 32306901
ProQuest document ID: 3275477681
Document URL: https://www.proquest.com/dissertations-theses/iiscan-detection-analysis-iis-native-modules/docview/3275477681/se-2?accountid=208611
Copyright: Database copyright ProQuest LLC; ProQuest does not claim copyright in the individual underlying works.
Database: ProQuest One Academic