{"id":"https://openalex.org/W7155355919","doi":"https://doi.org/10.48550/arxiv.2604.20378","title":"TLSCheck 2.0: An Enhanced Memory Forensics Approach to Efficiently Detect TLS Callbacks","display_name":"TLSCheck 2.0: An Enhanced Memory Forensics Approach to Efficiently Detect TLS Callbacks","publication_year":2026,"publication_date":"2026-04-22","ids":{"openalex":"https://openalex.org/W7155355919","doi":"https://doi.org/10.48550/arxiv.2604.20378"},"language":null,"primary_location":{"id":"doi:10.48550/arxiv.2604.20378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.20378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"type":"preprint","indexed_in":["datacite"],"open_access":{"is_oa":true,"oa_status":"green","oa_url":"https://doi.org/10.48550/arxiv.2604.20378","any_repository_has_fulltext":true},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5134401607","display_name":"Kartik N. Iyer","orcid":null},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Iyer, Kartik N.","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]},{"author_position":"last","author":{"id":"https://openalex.org/A5015640107","display_name":"Parag H. Rughani","orcid":"https://orcid.org/0000-0003-0243-4964"},"institutions":[],"countries":[],"is_corresponding":false,"raw_author_name":"Rughani, Parag H.","raw_affiliation_strings":[],"raw_orcid":null,"affiliations":[]}],"institutions":[],"countries_distinct_count":0,"institutions_distinct_count":2,"corresponding_author_ids":[],"corresponding_institution_ids":[],"apc_list":null,"apc_paid":null,"fwci":null,"has_fulltext":false,"cited_by_count":0,"citation_normalized_percentile":null,"cited_by_percentile_year":null,"biblio":{"volume":null,"issue":null,"first_page":null,"last_page":null},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.7664999961853027,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T12034","display_name":"Digital and Cyber Forensics","score":0.7664999961853027,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11424","display_name":"Security and Verification in Computing","score":0.1923000067472458,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.022099999710917473,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/callback","display_name":"Callback","score":0.935699999332428},{"id":"https://openalex.org/keywords/plug-in","display_name":"Plug-in","score":0.6467000246047974},{"id":"https://openalex.org/keywords/memory-leak","display_name":"Memory leak","score":0.5839999914169312},{"id":"https://openalex.org/keywords/rootkit","display_name":"Rootkit","score":0.5753999948501587},{"id":"https://openalex.org/keywords/digital-forensics","display_name":"Digital forensics","score":0.4681999981403351},{"id":"https://openalex.org/keywords/malware-analysis","display_name":"Malware analysis","score":0.44920000433921814},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.4453999996185303},{"id":"https://openalex.org/keywords/process","display_name":"Process (computing)","score":0.38960000872612}],"concepts":[{"id":"https://openalex.org/C204495577","wikidata":"https://www.wikidata.org/wiki/Q1205349","display_name":"Callback","level":2,"score":0.935699999332428},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8306999802589417},{"id":"https://openalex.org/C4924752","wikidata":"https://www.wikidata.org/wiki/Q184148","display_name":"Plug-in","level":2,"score":0.6467000246047974},{"id":"https://openalex.org/C156731835","wikidata":"https://www.wikidata.org/wiki/Q751740","display_name":"Memory leak","level":4,"score":0.5839999914169312},{"id":"https://openalex.org/C10144332","wikidata":"https://www.wikidata.org/wiki/Q14645","display_name":"Rootkit","level":3,"score":0.5753999948501587},{"id":"https://openalex.org/C84418412","wikidata":"https://www.wikidata.org/wiki/Q3246940","display_name":"Digital forensics","level":2,"score":0.4681999981403351},{"id":"https://openalex.org/C2779395397","wikidata":"https://www.wikidata.org/wiki/Q15731404","display_name":"Malware analysis","level":3,"score":0.44920000433921814},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.4453999996185303},{"id":"https://openalex.org/C111919701","wikidata":"https://www.wikidata.org/wiki/Q9135","display_name":"Operating system","level":1,"score":0.43059998750686646},{"id":"https://openalex.org/C98045186","wikidata":"https://www.wikidata.org/wiki/Q205663","display_name":"Process (computing)","level":2,"score":0.38960000872612},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.3447999954223633},{"id":"https://openalex.org/C97686452","wikidata":"https://www.wikidata.org/wiki/Q7604153","display_name":"Static analysis","level":2,"score":0.34290000796318054},{"id":"https://openalex.org/C138101251","wikidata":"https://www.wikidata.org/wiki/Q213092","display_name":"Thread (computing)","level":2,"score":0.3418999910354614},{"id":"https://openalex.org/C28180684","wikidata":"https://www.wikidata.org/wiki/Q4080983","display_name":"Memory safety","level":3,"score":0.3203999996185303},{"id":"https://openalex.org/C2781357168","wikidata":"https://www.wikidata.org/wiki/Q5276084","display_name":"Digital evidence","level":3,"score":0.31049999594688416},{"id":"https://openalex.org/C2989133298","wikidata":"https://www.wikidata.org/wiki/Q94","display_name":"Android malware","level":3,"score":0.2978000044822693},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.295199990272522},{"id":"https://openalex.org/C183560197","wikidata":"https://www.wikidata.org/wiki/Q7247302","display_name":"Process state","level":3,"score":0.2888999879360199},{"id":"https://openalex.org/C63116202","wikidata":"https://www.wikidata.org/wiki/Q7676227","display_name":"Taint checking","level":3,"score":0.2800000011920929},{"id":"https://openalex.org/C77088390","wikidata":"https://www.wikidata.org/wiki/Q8513","display_name":"Database","level":1,"score":0.27880001068115234},{"id":"https://openalex.org/C2780940931","wikidata":"https://www.wikidata.org/wiki/Q174989","display_name":"File system","level":2,"score":0.2644999921321869},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.257999986410141},{"id":"https://openalex.org/C149635348","wikidata":"https://www.wikidata.org/wiki/Q193040","display_name":"Embedded system","level":1,"score":0.25369998812675476},{"id":"https://openalex.org/C556601545","wikidata":"https://www.wikidata.org/wiki/Q878553","display_name":"Computer forensics","level":3,"score":0.251800000667572},{"id":"https://openalex.org/C199360897","wikidata":"https://www.wikidata.org/wiki/Q9143","display_name":"Programming language","level":1,"score":0.25029999017715454}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.48550/arxiv.2604.20378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.20378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":null,"raw_source_name":null,"raw_type":"article"}],"best_oa_location":{"id":"doi:10.48550/arxiv.2604.20378","is_oa":true,"landing_page_url":"https://doi.org/10.48550/arxiv.2604.20378","pdf_url":null,"source":{"id":"https://openalex.org/S4306400194","display_name":"arXiv (Cornell University)","issn_l":null,"issn":null,"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I205783295","host_organization_name":"Cornell University","host_organization_lineage":["https://openalex.org/I205783295"],"host_organization_lineage_names":[],"type":"repository"},"license":"cc-by","license_id":"https://openalex.org/licenses/cc-by","version":null,"is_accepted":false,"is_published":false,"raw_source_name":null,"raw_type":"article"},"sustainable_development_goals":[{"display_name":"Peace, Justice and strong institutions","score":0.7338895201683044,"id":"https://metadata.un.org/sdg/16"}],"awards":[],"funders":[],"has_content":{"grobid_xml":false,"pdf":false},"content_urls":null,"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Memory":[0],"analysis":[1,36,108,175,210],"is":[2],"a":[3,18],"crucial":[4],"technique":[5],"in":[6,30,70,96],"digital":[7],"forensics":[8],"that":[9],"enables":[10],"investigators":[11,131],"to":[12,46,90,176,181,197],"examine":[13],"the":[14,33,65,71],"runtime":[15],"state":[16],"of":[17,37,64,84,103,109,118,141],"system":[19],"through":[20,107],"physical":[21],"memory":[22,31,113,204],"dumps.":[23],"While":[24],"significant":[25],"advances":[26],"have":[27],"been":[28],"made":[29],"forensics,":[32,205],"detection":[34,102],"and":[35,55,92,112,127,138,155,188,199,211],"Thread":[38],"Local":[39],"Storage":[40],"(TLS)":[41],"callbacks":[42,95],"remain":[43],"challenging":[44],"due":[45],"their":[47],"dual":[48],"nature":[49],"as":[50,184],"both":[51,125],"legitimate":[52],"Windows":[53],"constructs":[54,166],"potential":[56,139],"vectors":[57],"for":[58,86],"malware":[59,209],"execution.":[60],"An":[61],"early":[62],"version":[63,83],"TlsCheck":[66,85],"plugin":[67,123],"received":[68],"recognition":[69],"Volatility":[72,87],"Plugin":[73],"Contest":[74],"2024.":[75],"In":[76],"this":[77],"paper,":[78],"we":[79,147],"present":[80],"an":[81],"enhanced":[82],"3,":[88],"designed":[89],"detect":[91,198],"analyze":[93],"TLS":[94,104,168],"process":[97,189],"memory.":[98],"It":[99],"implements":[100],"precise":[101],"callback":[105,120,134],"tables":[106],"PE":[110],"headers":[111],"structures,":[114],"combined":[115],"with":[116],"disassembly":[117],"identified":[119],"routines.":[121],"The":[122,170],"supports":[124],"32-bit":[126],"64-bit":[128],"architectures,":[129],"offering":[130],"insights":[132],"into":[133],"locations,":[135],"assembly":[136],"behavior,":[137],"signs":[140],"suspicious":[142,165],"activity.":[143],"To":[144],"enhance":[145],"detection,":[146],"incorporate":[148],"pattern":[149],"matching":[150],"using":[151],"custom":[152],"regular":[153],"expressions":[154],"YARA":[156],"rules,":[157],"helping":[158],"analysts":[159],"identify":[160],"specific":[161],"code":[162,186],"patterns":[163],"or":[164],"within":[167],"callbacks.":[169],"framework":[171],"also":[172],"includes":[173],"instruction-level":[174],"highlight":[177],"behavior":[178],"often":[179],"linked":[180],"malware,":[182],"such":[183],"anti-debugging,":[185],"injection,":[187],"manipulation.":[190],"This":[191],"implementation":[192],"significantly":[193],"improves":[194],"defenders'":[195],"ability":[196],"investigate":[200],"TLS-based":[201],"threats":[202],"during":[203],"supporting":[206],"more":[207],"effective":[208],"incident":[212],"response":[213],"operations.":[214]},"counts_by_year":[],"updated_date":"2026-06-11T09:08:48.828518","created_date":"2026-04-24T00:00:00"}