I thought Luka was pointing out the Microsoft crash dump format because
it's easier to analyze with WinDbg etc., not for acquisition reasons; if it's
for acquisition reasons, that's exactly the same. That's one of the
reasons Microsoft is encouraging people to use 64-bit, even though of
course PatchGuard can still be bypassed. No security mechanism is perfect.
That's the cat and mouse game we all know very well. :)
On Mon, Jan 7, 2013 at 3:20 PM, George M. Garner Jr. <ggarner_online(a)gmgsystemsinc.com> wrote:
  Bonjour Matthieu!
 On 1/7/2013 10:15 AM, Matthieu Suiche wrote:
 > win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps
 > without using the crashdump! or KeBugCheck() functions.
 
 Yes, but how does the change in format alter the function of Luka's
 NtWriteFile hook, except to give him less information to scrub?  Of course
 you could roll your own IRP_MJ_WRITE and bypass NtWriteFile.  But then Luka
 could use his file system filter driver, or ask Peter Kleissner for a copy
 of the open source Stoned bootkit and adapt his lower disk/ACPI/ATAPI
 filter driver for the task.
 The format of the output isn't the problem.
 Regards,
 George.
 _______________________________________________
 Vol-users mailing list
 Vol-users(a)volatilityfoundation.org
 http://lists.volatilesystems.com/mailman/listinfo/vol-users