Bonjour Matthieu!
On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
> win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
> without using the crashdump! or KeBugCheck() functions.
Yes, but how does the change in format alter the function of Luka's
NtWriteFile hook, except to give him less information to scrub? Of
course you could roll your own IRP_MJ_WRITE and bypass NtWriteFile. But
then Luka could use his file system filter driver, or ask Peter
Kleissner for a copy of the open source Stoned bootkit and adapt his
lower disk/ACPI/ATAPI filter driver for the task.
The format of the output isn't the problem.
Regards,
George.