Re: [Vol-users] 29c3 defeating windows memory forensics
9 Jan
2013
9 Jan
'13
2:49 p.m.
Hi George,
On Wed, Jan 9, 2013 at 6:29 PM, George M. Garner Jr.
<ggarner_online(a)gmgsystemsinc.com> wrote:
Moonsols Community Edition appears to support a "/s" option which will
generate a cryptographic checksum which may be compared to the actual
checksum of the output file. While it is true, as you say, that
cryptographic checksums will not detect tampering which occurred prior to
the checksum's creation, adding the "/s" option should detect all of the
kernel mode attacks which you document. It will force you to attack along
the read path (NtMapViewOfSection, MmMapIoSpace and MmMapMemoryDumpMdl) or
else to fake both the content and the checksum. I am assuming that Matthieu
is generating the checksum before writing the data to disk and not from the
output file after it has been written. +1 for Matthieu (maybe).
Unfortunately, that's not the case:(
The reason is that the checksum is calculated on the buffer *after* it
has been written to the file (basically the next call after
ZwWriteFile).
When Dementia is used, checksum of the dump created by win32dd equals
to the one printed out in the console.
Matthieu, what do you think about making the checksum before writing
the buffer to dump?
Cheers,
Luka