I thought Luka was pointing out the Microsoft crash dump format because it&#39;s easier to analyze with WinDbg etc. Not for acquisition reason, if it&#39;s for acquisition reason that&#39;s exactly the same. That&#39;s why one of the reason Microsoft is encouraging people to use 64-bits, even though of course PatchGuard can still be bypassed. No security mechanism is perfect. That&#39;s the cat and mouse game we all know very well. :)<br>
<br><div class="gmail_quote">On Mon, Jan 7, 2013 at 3:20 PM, George M. Garner Jr. <span dir="ltr">&lt;<a href="mailto:ggarner_online@gmgsystemsinc.com" target="_blank">ggarner_online@gmgsystemsinc.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Bonjour Matthieu!<br>
<br>
On 1/7/2013 10:15 AM, Matthieu Suiche wrote:&gt; win32dd/win64dd has an option (/d) to generate Microsoft Crash Dumps<div class="im"><br>
&gt; without using the crashdump! or KeBugCheck() functions.<br>
&gt;<br>
<br></div>
Yes, but how does the change in format alter the function of Luka&#39;s NtWriteFile hook, except to give him less information to scrub?  Of course you could roll your own IRP_MJ_WRITE and bypass NtWriteFile.  But then Luka could use his file system filter driver, or ask Peter Kleissner for a copy of the open source Stoned bootkit and adapt his lower disk/ACPI/ATAPI filter driver for the task.<br>

<br>
The format of the output isn&#39;t the problem.<br>
<br>
Regards,<br>
<br>
George.<div class="HOEnZb"><div class="h5"><br>
______________________________<u></u>_________________<br>
Vol-users mailing list<br>
<a href="mailto:Vol-users@volatilityfoundation.org" target="_blank">Vol-users@volatilityfoundation.org</a><br>
<a href="http://lists.volatilityfoundation.org/mailman/listinfo/vol-users" target="_blank">http://lists.volatilesystems.<u></u>com/mailman/listinfo/vol-users</a><br>
</div></div></blockquote></div><br>